{ "id": "b76dc608-14b7-483c-b49e-42fd51bcb107", "created_at": "2026-04-06T00:16:57.553694Z", "updated_at": "2026-04-10T03:20:17.161129Z", "deleted_at": null, "sha1_hash": "e2e3ddee7fa47fb6a52d47353045d1b935a3f91d", "title": "KeyPass ransomware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 394157, "plain_text": "KeyPass ransomware\r\nBy Orkhan Mamedov\r\nPublished: 2018-08-13 · Archived: 2026-04-05 22:02:40 UTC\r\nIn the last few days, our anti-ransomware module has been detecting a new variant of malware – KeyPass\r\nransomware. Others in the security community have also noticed that this ransomware began to actively spread in\r\nAugust:\r\nNotification from MalwareHunterTeam\r\nDistribution model\r\nAccording to our information, the malware is propagated by means of fake installers that download the\r\nransomware module.\r\nDescription\r\nThe Trojan sample is written in C++ and compiled in MS Visual Studio. It was developed using the libraries MFC,\r\nBoost and Crypto++. The PE header contains a recent compilation date.\r\nhttps://securelist.com/keypass-ransomware/87412/\r\nPage 1 of 8\n\nPE header with compilation date\r\nWhen started on the victim’s computer, the Trojan copies its executable to %LocalAppData% and launches it. It\r\nthen deletes itself from the original location.\r\nFollowing that, it spawns several copies of its own process, passing the encryption key and victim ID as command\r\nline arguments.\r\nCommand line arguments\r\nKeyPass enumerates local drives and network shares accessible from the infected machine and searches for all\r\nfiles, regardless of their extension. It skips files located in a number of directories, the paths to which are\r\nhardcoded into the sample.\r\nhttps://securelist.com/keypass-ransomware/87412/\r\nPage 2 of 8\n\nThe list of excluded paths\r\nEvery encrypted file gets an additional extension: “.KEYPASS” and ransom notes named\r\n“”!!!KEYPASS_DECRYPTION_INFO!!!.txt”” are saved in each processed directory.\r\nhttps://securelist.com/keypass-ransomware/87412/\r\nPage 3 of 8\n\nThe ransom note\r\nEncryption scheme\r\nThe developers of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm\r\nAES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of\r\n0x500000 bytes (~5 MB) of data at the beginning of each file.\r\nhttps://securelist.com/keypass-ransomware/87412/\r\nPage 4 of 8\n\nPart of the procedure that implements data encryption\r\nSoon after launch, KeyPass connects to its command and control (C\u0026C) server and receives the encryption key\r\nand the infection ID for the current victim. The data is transferred over plain HTTP in the form of JSON.\r\nhttps://securelist.com/keypass-ransomware/87412/\r\nPage 5 of 8\n\nIf the C\u0026C is inaccessible (e.g. if the infected machine is not connected to the internet or the server is down), the\r\nTrojan uses a hardcoded key and ID, which means that in the case of offline encryption the decryption of the\r\nvictim’s files will be trivial.\r\nGUI\r\nFrom our point of view, the most interesting feature of the KeyPass Trojan is the ability to take ‘manual control’.\r\nThe Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the\r\nkeyboard. This capability might be an indication that the criminals behind the Trojan intend to use it in manual\r\nattacks.\r\nGUI of the trojan\r\nThis form allows the attacker to customize the encryption process by changing such parameters as:\r\nencryption key\r\nname of ransom note\r\ntext of ransom note\r\nvictim ID\r\nextension of the encrypted files\r\nlist of paths to be excluded from the encryption\r\nhttps://securelist.com/keypass-ransomware/87412/\r\nPage 6 of 8\n\nPaths excluded from encryption by default\r\nPseudocode of the procedure that shows the GUI by a keypress\r\nGeography\r\nhttps://securelist.com/keypass-ransomware/87412/\r\nPage 7 of 8\n\nIOC\r\n901d893f665c6f9741aa940e5f275952 – Trojan-Ransom.Win32.Encoder.n\r\nhxxp://cosonar.mcdir.ru/get.php\r\nSource: https://securelist.com/keypass-ransomware/87412/\r\nhttps://securelist.com/keypass-ransomware/87412/\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://securelist.com/keypass-ransomware/87412/" ], "report_names": [ "87412" ], "threat_actors": [], "ts_created_at": 1775434617, "ts_updated_at": 1775791217, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e2e3ddee7fa47fb6a52d47353045d1b935a3f91d.pdf", "text": "https://archive.orkl.eu/e2e3ddee7fa47fb6a52d47353045d1b935a3f91d.txt", "img": "https://archive.orkl.eu/e2e3ddee7fa47fb6a52d47353045d1b935a3f91d.jpg" } }