Hackers employ KeyPass ransomware for manual attacks

by Lucia Danes

A new variant of KeyPass with a manual function noted in more than 20 countries


Security researchers at Kaspersky Lab published a report[1] about a new variant of KeyPass ransomware[2] that has been spreading around the world since August 8. The malware has gained a new feature that allows attackers to modify the malicious code remotely, letting them alter the encryption procedure.

Security experts noted that the virus has already infected more than 100 victims, most of them in developing countries. The most affected countries were Brazil (19.5% of occurrences) and Vietnam (14.6%). Victims were also found in Algeria, India and Iran, along with a few infections in France and Germany.

Not much is known yet about how KeyPass ransomware is distributed, although some users mentioned that they had tried to download the cracking program KMSpico.[3] Other victims claimed that they did not install anything on their machines before the malware attack.

The way KeyPass trojan operates

KeyPass virus is a variant of STOP ransomware, which originated back in February 2017. As soon as the malware enters the targeted machine, it copies its executable into the %LocalAppData% folder and deletes itself once the infection process is complete. Before the removal, however, the malware copies its own process into several different locations on the device. Soon after that, the ransomware scans the device for files to encrypt, as described by the researchers:

KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of their extension. It skips files located in a number of directories, the paths to which are hardcoded into the sample.

The virus then attempts to connect to its Command & Control server to deliver the personal ID and the encryption key, which can be used to recover all data.

KeyPass then uses the AES-256[4] cipher to encrypt files and appends the .KEYPASS extension, rendering personal data unusable. Additionally, it drops a ransom note, !!!KEYPASS_DECRYPTION_INFO!!!.txt, in each of the affected folders. Hackers demand $300 in BTC for file release and warn that the price will increase if the payment is not made within 72 hours.

In case there is no internet connection on the infected PC or the Command & Control server is not accessible, the malware encrypts data using a hardcoded key and ID, which makes getting the data back relatively easy.
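The file-system footprint described above (bulk writes of .KEYPASS files plus a ransom note dropped into each affected folder, from a process running out of %LocalAppData%) is what a defender can key on. The following is an added detection example, not code from the article or from Kaspersky's report; the pipe-delimited event format, the process path, the folder names and the burst threshold are all constructed assumptions.

```python
# Added example (not from the article or Kaspersky's report): flags a process
# that bulk-writes .KEYPASS files and drops the KeyPass ransom note. The event
# format, paths and threshold are assumptions constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_NOTE = "!!!KEYPASS_DECRYPTION_INFO!!!.txt"
ENCRYPTED_EXT = ".keypass"

# Constructed file-create events: "ISO-timestamp|process|path".
SAMPLE_EVENTS = """\
2018-08-09T10:00:01|C:\\Users\\bob\\AppData\\Local\\svc.exe|D:\\docs\\report.docx.KEYPASS
2018-08-09T10:00:01|C:\\Users\\bob\\AppData\\Local\\svc.exe|D:\\docs\\budget.xlsx.KEYPASS
2018-08-09T10:00:02|C:\\Users\\bob\\AppData\\Local\\svc.exe|D:\\docs\\notes.txt.KEYPASS
2018-08-09T10:00:02|C:\\Users\\bob\\AppData\\Local\\svc.exe|D:\\docs\\!!!KEYPASS_DECRYPTION_INFO!!!.txt
2018-08-09T10:00:03|C:\\Users\\bob\\AppData\\Local\\svc.exe|\\\\fileserver\\share\\q3.pdf.KEYPASS
2018-08-09T10:00:03|C:\\Users\\bob\\AppData\\Local\\svc.exe|\\\\fileserver\\share\\!!!KEYPASS_DECRYPTION_INFO!!!.txt
2018-08-09T10:05:00|C:\\Windows\\explorer.exe|D:\\docs\\holiday.jpg
"""

def parse_events(text):
    """Yield (timestamp, process, path) tuples from the pipe-delimited log."""
    for line in text.strip().splitlines():
        ts, proc, path = line.split("|", 2)
        yield datetime.fromisoformat(ts), proc, path

def detect_keypass(events, min_encrypted=3, window=timedelta(seconds=60)):
    """Map process -> sorted affected folders, for processes that wrote at least
    min_encrypted .KEYPASS files within `window` and dropped the ransom note."""
    by_proc = defaultdict(lambda: {"enc": [], "note_dirs": set()})
    for ts, proc, path in events:
        folder, _, name = path.rpartition("\\")
        if name.lower().endswith(ENCRYPTED_EXT):
            by_proc[proc]["enc"].append((ts, folder))
        elif name == RANSOM_NOTE:
            by_proc[proc]["note_dirs"].add(folder)
    hits = {}
    for proc, rec in by_proc.items():
        times = sorted(t for t, _ in rec["enc"])
        # Burst check: any min_encrypted consecutive writes inside the window.
        burst = any(times[i + min_encrypted - 1] - times[i] <= window
                    for i in range(len(times) - min_encrypted + 1))
        if burst and rec["note_dirs"]:
            hits[proc] = sorted({f for _, f in rec["enc"]} | rec["note_dirs"])
    return hits

if __name__ == "__main__":
    for proc, folders in detect_keypass(parse_events(SAMPLE_EVENTS)).items():
        print(f"KeyPass pattern from {proc}; affected folders: {folders}")
```

The note-plus-burst requirement keeps a single renamed file or a lone stray text file from triggering on its own, while the per-folder list doubles as the scope of what needs to be restored from backup.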

Manual control feature allows hackers to prepare targeted and more dangerous attacks

KeyPass trojan contains a form that is cleverly hidden by default. However, the form can be accessed by pressing a specific key on the keyboard. Kaspersky specialists claim that this feature allows hackers to gain manual control over the malicious program.

While the hidden feature might not mean much to victims, hackers can use it to manually change the malware's parameters, including:

  • Victim ID;
  • File extension;
  • Name of the ransom note;
  • Contents of the ransom note;
  • Encryption key, etc.

This means that the size of the ransom could be changed as well.

Ransomware is one of the most dangerous types of malware and has been prevalent since the release of CryptoLocker in 2013. Botnets were established which made the proliferation of malware much easier. Some viruses resorted to locking users' screens by displaying a fake message from the alleged FBI or the police, while threats like WannaCry[5] and Petya brought the operations of several high-profile organizations and governmental institutions to a halt for several days. Companies suffered millions of dollars in damages as well.

Thus, ransomware is still one of the biggest cyber threats around, and users should take essential security steps to avoid attacks.

About the author

Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.
