# KeyPass ransomware **securelist.com/keypass-ransomware/87412/** [Incidents](https://securelist.com/category/incidents/) [Incidents](https://securelist.com/category/incidents/) 13 Aug 2018 minute read ----- Authors [Orkhan Mamedov](https://securelist.com/author/orkhanmamedov/) Fedor Sinitsyn In the last few days, [our anti-ransomware module has been detecting a new variant of](https://www.kaspersky.com/enterprise-security/wiki-section/products/ransomware-protection) malware – KeyPass ransomware. Others in the security community have also noticed that this ransomware began to actively spread in August: _Notification from MalwareHunterTeam_ ## Distribution model According to our information, the malware is propagated by means of fake installers that download the ransomware module. ## Description The Trojan sample is written in C++ and compiled in MS Visual Studio. It was developed using the libraries MFC, Boost and Crypto++. The PE header contains a recent compilation date. ----- _PE header with compilation date_ When started on the victim’s computer, the Trojan copies its executable to %LocalAppData% and launches it. It then deletes itself from the original location. Following that, it spawns several copies of its own process, passing the encryption key and victim ID as command line arguments. _Command line arguments_ KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of their extension. It skips files located in a number of directories, the paths to which are hardcoded into the sample. ----- _The list of excluded paths_ Every encrypted file gets an additional extension: “.KEYPASS” and ransom notes named “”!!!KEYPASS_DECRYPTION_INFO!!!.txt”” are saved in each processed directory. ----- _The ransom note_ ## Encryption scheme The developers of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of 0x500000 bytes (~5 MB) of data at the beginning of each file. ----- _Part of the procedure that implements data encryption_ Soon after launch, KeyPass connects to its command and control (C&C) server and receives the encryption key and the infection ID for the current victim. The data is transferred over plain HTTP in the form of JSON. ----- If the C&C is inaccessible (e.g. if the infected machine is not connected to the internet or the server is down), the Trojan uses a hardcoded key and ID, which means that in the case of offline encryption the decryption of the victim’s files will be trivial. ## GUI From our point of view, the most interesting feature of the KeyPass Trojan is the ability to take ‘manual control’. The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This capability might be an indication that the criminals behind the Trojan intend to use it in manual attacks. ----- _GUI of the trojan_ This form allows the attacker to customize the encryption process by changing such parameters as: encryption key name of ransom note text of ransom note victim ID extension of the encrypted files list of paths to be excluded from the encryption ----- _Paths excluded from encryption by default_ _Pseudocode of the procedure that shows the GUI by a keypress_ ## Geography ----- ## IOC 901d893f665c6f9741aa940e5f275952 – Trojan-Ransom.Win32.Encoder.n hxxp://cosonar.mcdir.ru/get.php [Encryption](https://securelist.com/tag/encryption/) [Malware Descriptions](https://securelist.com/tag/malware-descriptions/) [Ransomware](https://securelist.com/tag/ransomware/) Authors [Orkhan Mamedov](https://securelist.com/author/orkhanmamedov/) Fedor Sinitsyn KeyPass ransomware Your email address will not be published. Required fields are marked * GReAT webinars ----- 13 May 2021, 1:00pm ### GReAT Ideas. Balalaika Edition 26 Feb 2021, 12:00pm 17 Jun 2020, 1:00pm 26 Aug 2020, 2:00pm 22 Jul 2020, 2:00pm From the same authors ### Evolution of JSWorm ransomware ----- ### RansomEXX Trojan attacks Linux systems Life of Maze ransomware ----- ### WastedLocker: technical analysis Sodin ransomware exploits Windows vulnerability and processor architecture Subscribe to our weekly e-mails The hottest research right in your inbox ----- Reports ### APT trends report Q1 2022 This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022. ### Lazarus Trojanized DeFi app for delivering malware We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor. ### MoonBounce: the dark side of UEFI firmware ----- At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41. ### The BlueNoroff cryptocurrency hunt is still on It appears that BlueNoroff shifted focus from hitting banks and SWIFT-connected servers to solely cryptocurrency businesses as the main source of the group’s illegal income. Subscribe to our weekly e-mails The hottest research right in your inbox ----- -----