KeyPass ransomware comes with unique ‘manual control’ functionality

• The ransomware strain features a "manual control" functionality that allows the attacker to customize various parameters of the encryption process.
• KeyPass is currently being spread via fake installers that download the ransomware module.

Security researchers have spotted a new strain of ransomware named KeyPass in the wild that comes with a “manual control” functionality, giving its authors especial control in attacks. MalwareHunterTeam noted a significant uptick in activity involving this variant since August 8 with submissions to ID Ransomware from over 20 countries.

According to Kaspersky Lab researchers, KeyPass is currently being spread via fake installers that download the ransomware module.

The malware itself is written in C++ and compiled in MS Visual Studio.

Modus Operandi

Once executed, the Trojan copies its executable to %LocalAppData% before launching. It also deletes itself from the original location.

“Following that, it spawns several copies of its own process, passing the encryption key and victim ID as command line arguments,” Kaspersky Lab researchers wrote. “KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of their extension. It skips files located in a number of directories, the paths to which are hardcoded into the sample.”

Following its encryption routine, it appends the extension “.KEYPASS” to the filename of every encrypted file and saves ransom notes named “!!!KEYPASS_DECRYPTION_INFO!!!.txt” in every processed directory.

It also connects to its command and control (C2) server and receives the encryption key and infection ID for the victim. If the C&C happens to be inaccessible, KeyPass uses a hardcoded key and ID.

“The developers of this Trojan implemented a very simplistic scheme,” Kaspersky Lab researchers said. “The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files."

'Manual control' for customized attacks

“From our point of view, the most interesting feature of the KeyPass Trojan is the ability to take ‘manual control’," researchers wrote. "The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This capability might be an indication that the criminals behind the Trojan intend to use it in manual attacks.”

This hidden form allows the attacker to further customize the encryption process by changing various parameters such as encryption key, name and text of the ransom note, victim ID, extension of the encrypted files and list of paths to be excluded from encryption.

According to Kaspersky, the most targeted regions by KeyPass include developing countries such as Brazil and Vietnam followed by Indonesia, Algeria and India among others.