Remove KEYPASS ransomware (Removal Guide) - updated Aug 2018

removal by Gabriel E. Hall - - | Type: Ransomware

KEYPASS virus Removal Guide

What is KEYPASS ransomware?

KEYPASS ransomware – a dangerous cryptovirus that infiltrates systems via fake software installers

Keypass ransomware virusThis sneaky cryptovirus that enters the system without any notice

KEYPASS ransomware is a dangerous cryptovirus that belongs to the same family as STOP ransomware. Once installed, it makes changes to the Windows Registry to gain boot persistence. That makes its removal a bit more difficult but possible with proper anti-malware software.

The malware uses AES-256 cipher to encrypt files and adds a .keypass extension. Additionally, the virus connects to its C&C servers to receive the encryption key and make user's files useless without it. Victims are informed about this attack via the !!!KEYPASS_DECRYPTION_INFO!!!.txt ransom note that requires a $300 ransom in Bitcoin in exchange for the decryptor for the locked data.

The victim receives 72 hours to pay this fee. For that, users need to contact the cybercriminals using a provided email address ( Note that this cryptovirus has nothing to do with the well-known KeePass password management software.

TYPE Ransomware, file-locker
APPENDIX .keypass file extension
Ransom amount $300 in Bitcoin has to be paid in 72 hours
other features Manual control. Used to customize the ransom note and change the ransom amount, email address, victim ID, etc.
Contact email
DISTRIBUTION WAYS Spam emails, questionable sources, file-sharing platforms
ELIMINATION Remove any computer virus by performing a full system scan with a trustworthy anti-malware tool
System fix Revert any changes this infection has made to the Registry and other core system settings and files by using the time-proven ReimageIntego system repair tool

KeyPass ransomware was first discovered by Kaspersky Lab experts on the 8th of August,[1] and infection submissions came from over 20 countries across the globe, with Brazil and Vietnam being hit the most. As of now, security experts are not sure about how the virus spreads, but several users reported that it appeared after they installed the Windows hacking tool KMSpico. In contrast, others stated that no changes were made before the infection occurred.

This file-locking parasite comes with a hidden feature called “Manual control”. It can only be activated by using a specific key combination that allows hackers to take manual control[2] of the virus. This allows them to modify the victim's ID, file extension, encryption key, and several other preferences related to the file encryption process.

Security experts also noticed that in the Command & Control server is not reachable or the infected device is not connected to the internet, the malware uses a hard-coded key, which makes the ransomware removal and file retrieval a much easier task.

However, if the computer is connected to the network, the virus does not only encrypts your regular personal files like pictures, databases, documents, and similar but instead skips a few folders on the machine, allowing the system to boot properly. After the encryption process is complete, most of the files receive a .keypass appendix, leaving the device in a complete mess.

Keypass ransomware Ransomware reveals itself by renaming files, blocking access to them, and displaying a ransom message

The ransom note that is retrieved from the C&C server after the file encryption states the following:

All your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.
You need to contact us by e-mail send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $300.
This price avaliable if you contact us first 72 hours.
E-mail address to contact us:
Reserve e-mail address to contact us:
Your personal id: –

While the ransomware virus developers demand a $300 ransom, the payment type is not mentioned. However, hackers usually rely on digital currency (Bitcoin, Monero, Litecoin, etc.) for all the transactions. This way, money transfers remain anonymous and prevent law enforcement from tracking and punishing scammers.

Nevertheless, we do not recommend contacting cyber criminals, as the chance of retrieving the key is quite low. Additionally, it might encourage bad actors to improve the malware code and increase the number of infections. Thus, better take care of KeyPass ransomware by using anti-malware software, such as SpyHunter 5Combo Cleaner or Malwarebytes, and then recover your files from a backup.

Keypass virusRansomware is spreading around the world. Victims were observed in more than 20 countries.

Unfortunately, this malware can also be used as a backdoor for other infections, such as banking trojans and other malware forms[3]. We recommend you not to wait and get rid of the virus as soon as possible, as the infection chance increases the longer you wait.

Remember, your computer and data safety is in your own hands. Better prepare for such attacks in advance – keep important files safe and on a USB stick or an external HDD. If you are already infected with Keypass ransomware and have no backups ready, you could try third-party software that could help you to recover your data. See instructions below.

But before proceeding with file recovery, either from backups or by using recovery software, users should take care of their device's overall health. This ransomware causes havoc on system files, which can lead to various abnormal behavior. Use the ReimageIntego system repair tool to take care of all system inconsistencies automatically.

Keep your PC safe from ransomware by following safety tips

According to specialists[4], ransomware usually has one main distribution source – spam emails. Cybercriminals take action and send numerous phishing messages to accidental users. Once received, such messages can be found in the Spam section (however, phishing emails might slip through the built-in scanners and get into your Inbox instead). If you encounter this type of content – better eliminate it permanently to avoid severe computer infections.

We advise increasing your PC safety by running an antivirus program[5] on your computer. If you do not already have one, you should consider downloading a trustworthy one. Such anti-malware software will keep your machine secured from various infections if kept up-to-date as required.

Keypass ransomware ransom noteThe ransom note details the situation, explaining that users have to contact cybercriminals in order to regain access to their personal files.

Get rid of the dangerous infection with the help of our removal guides

To remove this hazardous virus, you need to run a full system scan with a reliable anti-malware program and get rid of every component of this ransomware. Experts recommend using such tools as SpyHunter 5Combo Cleaner or Malwarebytes. Of course, you can pick another trustworthy anti-virus of your liking, but make sure it is up-to-date.

The elimination might take a while, but it is critical to get rid of the cyber threat as fast as possible to avoid further damage. Afterward, to complete the removal process by restoring your Registry, host files, and other essential system files, it's highly recommended to use the ReimageIntego system repair tool.

Unfortunately, neither the security software nor the repair tools that we recommend recover data encrypted by KEYPASS ransomware. For that, you should follow the tips given below this article. Finally, to protect yourself from ransomware attacks in the future, keep backups of your most valuable files. For that, use cloud services or external drives.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of KEYPASS virus. Follow these steps

Manual removal using Safe Mode

Use Safe Mode with networking to deactivate the virus and run a full system scan. Repeat it when in normal mode:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove KEYPASS using System Restore

Stay safe from the cyber attack by turning on the System Restore feature:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of KEYPASS. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with ReimageIntego and make sure that KEYPASS removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove KEYPASS from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

You might recover your data if you carefully follow the given methods.

If your files are encrypted by KEYPASS, you can use several methods to restore them:

Data Recovery Pro might be helpful:

Such a program might help you get important files that were deleted or corrupted in other ways back.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by KEYPASS ransomware;
  • Restore them.

Try using Windows Previous Versions feature:

However, if you did not turn on the System Restore function before the infection managed to spread, this method might not work.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use Shadow Explorer for data recovery:

This method might work if the virus did not touch Shadow Copies of corrupted documents.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

There is no official decryptor for this ransomware at the moment.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from KEYPASS and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions

Removal guides in other languages