KeyPass- The latest Ransomware Scare threatening IT Systems

Is KeyPass another threat to be worried about?

WannaCry, Locky, SamSam and now KeyPass. Did you really think cybercriminals would stop attacking with ransomware software?

Over the last 18 months, there has been a huge influx in the amount of publicity regarding ransomware attacks. Since 2016 we have seen an emergence of over 200 versions of the Ransomware virus.

Ransomware attacks tend to lock users out of their computers and then demand money in order to regain control of their data. For example; When the Wannacry attack first became prominent, criminals were demanding around £230 in order for users to regain control of their data. If no payment was made within three days, the attackers then threatened to double the ransom amount. At this stage, if no payment was made(within the designated time frame), the hackers then threaten to delete the files and give a 7-day ultimatum.

In reality, for most businesses, they would have had no option but to pay. Most security experts recommend not paying the ransom. After all, as the saying goes; ‘I see how determined you are. The answer is still no’

However, what about the personal data that your company has been storing? Does this not open a whole new can of worms with GDPR?


What Does KeyPass Do?

KeyPass is a new ransomware threat that is believed to have affected at a minimum, 20 countries in the last 10 days. The software seems to be spreading at an alarming rate with no sign of slowing down.

KeyPass infiltrates your computers by spreading via a fake software installer. The software attacks a victim’s data with an encrypted ‘.KEYPASS’ extension and ransom notes are then deposited in each directory which is successfully encrypted.

Like its predecessors WannaCry and SamSam, the software demands a large ransom before offering to return the data. Specifically, the ransom note requests $300 before attempting to reassure victims with proof of their decryption ability in advance of any payment. The victim is then encouraged to send the attacker a small sample of one of the encrypted files. Once this is done, the victim will receive an unencrypted version of the file for free.

The method to this madness?

The attackers want the victim to know they are serious about what they have done and that they have actually left infected software on their computer systems. KeyPass attackers are showing that they are not a fake ransomware attack and that they do actually have the capacity to cause such problems.

Sounds to us like the attackers are trying to prove their legitimacy by almost providing a level of customer service to their victims(to a certain extent…)


The technical process:

Our Cyber Protection partner Custodian 360 has written a short technical example of how the KeyPass ransomware software is executed.

The first aspect that the Custodian 360 noticed was that once executed, the software actually deletes itself from the user’s system. The hackers leave little trace of any attack other than an encrypted file, and of course, a ransom note.

There are 3 simple steps which the hackers use to execute their attack:

1. Upon execution, the KeyPass ransomware.exe creates the following file…

/c “C:\Users\admin\AppData\Local\Temp\delself.bat”

2. The previously executed file then deletes both files at the following locations;

\Device\HarddiskVolume2\Users\admin\Desktop\KeyPass ransomware.exe


3. The ransom note appears

keyPass Blog

What’s the solution?

In reality, the solution is simple. Speak to your IT security team and make sure all your systems are protected. Custodian 360 advise that should you encounter any issues at all with the software there is nothing to worry about, that is, if you have their program installed. The virus will be stopped and quarantined before any damage can occur.


Leave a Reply

Your e-mail address will not be published. Required fields are marked *

Stay current with the latest news

Cyber Risks. Business Protection. Secure Customers.

The Knowledge Hive

Sign up below to receive new updates

Back to top