New ransomware arrives with a hidden feature that hints at more sophisticated attacks to come

New form of file-locking ransomware has a 'manual' option for more sophisticated attacks.
Written by Danny Palmer, Senior Writer

A new form of ransomware is spreading to victims around the world and the way it's built suggests those behind it could use it to launch more sophisticated attacks in future.

KeyPass ransomware first appeared on 8 August and so far has spread to hundreds of victims in more than 20 countries around the world via fake software installers which download the ransomware onto the victim's PC.

Brazil and Vietnam account for the highest percentage of KeyPass infections, but victims are reported across the world in regions including South America, Africa, Europe, the Middle East and Asia.

Researchers at Kaspersky Lab have examined KeyPass and found that while it's relatively simple, it comes with the additional option for the attackers to take manual control of an infected system, potentially pointing towards the ability to launch more sophisticated attacks on infected networks.


The KeyPass interface contains a module which allows attackers to customise the encryption process by changing parameters including the encryption key, the text of the ransom note, the extension of the encrypted files and more.

Those who fall victim to KeyPass are met with a ransom note which details how "All your files, documents, photos, databases and other important files are encrypted and have the extension .KEYPASS".
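As an added example (not code from the article or from Kaspersky Lab), a small defender-side triage script that walks a directory tree for the two indicators the article names: files carrying the .KEYPASS extension and a note containing the quoted ransom sentence. The temporary directory, the sample file names and the note's filename are constructed for the demonstration.

```python
import os
import tempfile

ENCRYPTED_EXT = ".KEYPASS"                   # extension named in the ransom note
NOTE_PHRASE = "have the extension .KEYPASS"  # sentence quoted from the note


def scan_for_keypass(root):
    """Walk `root` and summarise KeyPass indicators found under it."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                continue
            try:
                if os.path.getsize(path) > 64 * 1024:
                    continue  # ransom notes are small text files
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    if NOTE_PHRASE in fh.read():
                        notes.append(path)
            except OSError:
                continue
    # Require both renamed files and a note quoting the ransom text, so a lone
    # file that merely carries the .KEYPASS extension is not reported as a hit.
    return {
        "encrypted_count": len(encrypted),
        "affected_dirs": sorted({os.path.dirname(p) for p in encrypted}),
        "ransom_notes": sorted(notes),
        "likely_infected": bool(encrypted) and bool(notes),
    }


def build_sample_tree():
    """Constructed sample: a temp tree imitating a share hit by KeyPass."""
    root = tempfile.mkdtemp(prefix="keypass_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("report.docx.KEYPASS", "budget.xlsx.KEYPASS"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 32)  # stand-in for ciphertext
    with open(os.path.join(docs, "ransom_note.txt"), "w") as fh:  # constructed name
        fh.write("All your files, documents, photos, databases and other important "
                 "files are encrypted and have the extension .KEYPASS")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("untouched file")
    return root
```

Run `scan_for_keypass` against a real share root instead of `build_sample_tree()` to get a per-directory picture of how far an infection has spread before restoring from backup.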

It goes on to add that the only method of recovering files is to buy "decrypt software" from the attackers for $300 -- a price which the note suggests goes up if contact isn't made within three days of infection.

The ransom note doesn't contain any indication as to what method of payment is required -- ransomware distributors usually want cryptocurrency like Bitcoin -- and victims are urged to contact the attackers using an email address registered to Switzerland or a backup address in India.

The KeyPass ransomware note demands $300.
Image: Kaspersky Lab

However, the identity of the attackers is still unknown, as users could register for those addresses from anywhere in the world -- and the indiscriminate nature of the attacks doesn't cast any light on where the perpetrators could be working from.

As there's currently no means of decrypting files locked by KeyPass for free, the best means of protecting against it is to not fall victim to it in the first place -- in this case by being careful about software downloads and ensuring that they come from a legitimate source.

Organisations should also ensure that systems are regularly backed up, so that if they do fall victim to ransomware, they can restore the network from backup without the need to give in to the ransom demand.

The authorities and researchers tell users to never pay cyber criminals for ransomware decryption keys, but many ignore this warning as they just want to ensure their systems are back up and running as soon as possible.

However, the very nature of cyber criminals means that even if a ransom is paid, some will take the money and run, leaving victims with locked systems -- and out of pocket.
