A new ransomware variant, called KeyPass ransomware, is being used in a new campaign that has claimed many victims around the world. While Brazil and Vietnam have borne the brunt of the attacks, there have been victims in more than 20 countries, with the list growing by the day. KeyPass ransomware is written in C++ and is a variant of STOP ransomware.
At present it is not known how the KeyPass ransomware attacks are taking place. Some security researchers suggest the ransomware is being bundled with fake software installers and fake versions of the KMSpico cracking tool, although that does not appear to be the case with all infections. Other methods of distribution are therefore suspected, including RDP attacks, drive-by downloads, and spam email.
Once downloaded, the payload is copied to the %LocalAppData% folder and the original file is deleted. In contrast to many ransomware variants, KeyPass ransomware enumerates all local drives and network shares and searches for all files on the infected device, only skipping certain file directories which are hardcoded in the ransomware. Once encrypted, the files are given the KEYPASS file extension.
Researchers at Kaspersky Lab have analyzed the ransomware and report that it uses “AES-256 in CFB mode with zero IV and the same 32-byte key for all files,” with a maximum of 0x500000 bytes of data encrypted from the beginning of each file. Communication between KeyPass ransomware and its C2 server is in JSON via plain HTTP. Encryption is still possible even if the C2 server cannot be contacted. In such cases, a hardcoded key and ID are used.
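The following Python triage script is an added example, not code from this article or from Kaspersky Lab's analysis. It uses the two indicators reported above, the KEYPASS extension and the 0x500000-byte encryption limit, to list affected files during incident response and show how many bytes of each lie past the encrypted range. The function names, the 64 KiB entropy sample size and the report fields are assumptions made for illustration.

```python
import math
import os
import sys
from collections import Counter
from pathlib import Path

ENCRYPTED_PREFIX = 0x500000  # max bytes encrypted from the start of each file (per the article)
EXTENSION = ".keypass"       # extension given to encrypted files; compared case-insensitively

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for text or structured data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def triage_file(path: Path, prefix: int = ENCRYPTED_PREFIX, sample: int = 65536) -> dict:
    """Summarise one file: bytes inside the encrypted range, bytes past it, entropy of each."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        head = fh.read(min(sample, prefix))
        tail = b""
        if size > prefix:  # only files larger than the limit have data past it
            fh.seek(prefix)
            tail = fh.read(sample)
    return {
        "path": str(path),
        "size": size,
        "encrypted_bytes": min(size, prefix),
        "bytes_past_prefix": max(size - prefix, 0),
        "head_entropy": round(shannon_entropy(head), 2),
        "tail_entropy": round(shannon_entropy(tail), 2) if tail else None,
    }

def scan(root: Path, prefix: int = ENCRYPTED_PREFIX) -> list:
    """Walk root (a local drive or mounted share) and triage every KEYPASS file."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(EXTENSION):
                results.append(triage_file(Path(dirpath) / name, prefix))
    return results

if __name__ == "__main__":
    for row in scan(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(row)
```

A head entropy near 8 bits per byte alongside a lower tail entropy is consistent with the partial encryption described in the analysis. The script only reads files and makes no attempt at decryption.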
The authors demand a ransom of $300 to supply the key to unlock the encrypted files. Contact must be made within 72 hours of infection to guarantee that price. The attackers offer to decrypt 1-3 small files free of charge as a demonstration that they have the ability to unlock the encryption.
Kaspersky Lab researchers note that the developers of KeyPass ransomware have included the functionality to take manual control and customize the encryption process. This suggests the ransomware may be used in attacks once access to a computer has been gained. This would allow the attackers, among other things, to change the ransom amount.
There is no free decryptor. Recovery without paying the ransom is only possible by restoring encrypted files from backups.
Protecting against attacks requires standard best practices to be adopted, including setting strong, unique passwords for RDP, making sure RDP cannot be accessed via the internet, and using rate limiting to prevent brute-force attacks. Caution should be exercised when opening emails, an effective spam and web filtering solution should be deployed, and a powerful antivirus solution should be in place. Naturally, regular backups should be performed with at least one copy stored on an air-gapped device.