KeyPass ransomware attack on the rise

K V Kurmanath Hyderabad | Updated on August 16, 2018 Published on August 16, 2018

India among the top 3 victims after Brazil, Vietnam

Like viruses that pose health problems, malware too mutates, becoming more lethal and causing more damage. A variant of the KeyPass trojan, which gives its operators a way to take manual control of the attack on an infected computer, has become virulent in the last few days, particularly targeting developing countries. India is among the top five victim countries, according to security experts.

Brazil emerged as the top victim, with 19.51 per cent of all infections occurring in the South American country. It was followed by Vietnam with 14.63 per cent and India with 5-7 per cent of infections.

After the infection is complete, every file on the system is encrypted and the additional extension ‘.KEYPASS’ is appended to its file name.

A trojan is malware that masquerades as legitimate software, enticing computer users to download it and giving attackers a back-door entry. Once they control an infected computer, attackers can harm users by deleting or seizing its data.

“Soon after launching an attack on a computing device, KeyPass connects to its command and control server and receives the encryption key and the infection ID for the current victim,” Orkhan Mamedov, a cyber security expert with the Moscow-based Internet security solutions company Kaspersky, said.

Ransom alert

The virus adds a ransom note named KEYPASS_DECRYPTION_INFO!!!.txt, which is saved in each processed directory. A typical ransom note reads: “Attention! All your files, documents, photos, databases and other important files are encrypted and all have the extensions – KeyPass.”
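As an added triage example that is not from the article or from Kaspersky, the Python below walks a directory tree for the two file-system indicators the article names, the .KEYPASS extension and the KEYPASS_DECRYPTION_INFO!!!.txt note, and flags directories where the two disagree (encrypted files but no note, which a responder would want to check); the sample tree it builds is constructed test data, not real artefacts.

```python
"""Triage helper: find file-system indicators of a KeyPass infection."""
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files get this extension
# appended, and a ransom note with this name is dropped in each processed dir.
ENCRYPTED_EXT = ".KEYPASS"
RANSOM_NOTE = "KEYPASS_DECRYPTION_INFO!!!.txt"


def scan_for_keypass(root):
    """Walk `root` and return (encrypted_by_dir, note_dirs).

    encrypted_by_dir maps a directory path to the number of files in it that
    carry the .KEYPASS extension; note_dirs is the set of directories holding
    a ransom note. Both are kept separate so mismatches can be spotted.
    """
    encrypted_by_dir = {}
    note_dirs = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE:
                note_dirs.add(dirpath)
            elif name.upper().endswith(ENCRYPTED_EXT):
                encrypted_by_dir[dirpath] = encrypted_by_dir.get(dirpath, 0) + 1
    return encrypted_by_dir, note_dirs


def build_sample_tree():
    """Create a constructed tree mimicking a partly hit machine (sample data)."""
    root = Path(tempfile.mkdtemp(prefix="keypass_demo_"))
    docs, photos, clean = root / "Documents", root / "Pictures", root / "Clean"
    for d in (docs, photos, clean):
        d.mkdir()
    (docs / "report.docx.KEYPASS").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.KEYPASS").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("Attention! All your files ... are encrypted")
    (photos / "holiday.jpg.KEYPASS").write_bytes(b"\x00" * 16)  # note missing here
    (clean / "notes.txt").write_text("untouched")
    return root


def summarize(root):
    """Return (encrypted file count, note count, dirs with encrypted files but no note)."""
    enc, notes = scan_for_keypass(root)
    missing_note = sorted(d for d in enc if d not in notes)
    return sum(enc.values()), len(notes), missing_note


if __name__ == "__main__":
    total, note_count, missing = summarize(str(build_sample_tree()))
    print(f"encrypted files: {total}, ransom notes: {note_count}, dirs without note: {missing}")
```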

The note demands ransom money, saying the user must purchase software that can decrypt the system. Mamedov, along with his colleague Fedor Sinitsyn, analysed the spread of the KeyPass variant this month.

“The most interesting feature of the KeyPass trojan is its ability to take ‘manual control’. The trojan contains a form that is hidden by default, but which can be shown on pressing a special button on the keyboard,” he said.

“The manual control capability might be an indication that the criminals behind the trojan intended to use it in manual attacks. This form allows the attacker to customise the encryption process by changing parameters such as encryption key, name and text of the ransom note and extension of the encrypted files,” he said.

They said their peers in the security community have also noticed that this ransomware began to spread actively in August. The malware is propagated through fake installers that download the ransomware module onto the victim's system.
