In the last few days, our anti-ransomware module has been detecting a new variant of ransomware. Others in the community have also noticed that this ransomware began to actively spread in August:

- 180813 keypass 1 - KeyPass ransomware – Securelist

Notification from MalwareHunterTeam


According to our information, the malware is propagated by of installers that download the ransomware module.


The Trojan sample is written in C++ and compiled in MS Visual Studio. It was developed using the libraries MFC, Boost and Crypto++. The PE header contains a recent compilation date.

- 180813 keypass 2 - KeyPass ransomware – Securelist

PE header with compilation date

When started on the victim’s computer, the Trojan copies its executable to %LocalAppData% and launches it. It then deletes itself from the original location.

Following that, it spawns several copies of its own process, passing the encryption key and victim ID as command line arguments.

- 180813 keypass 3 - KeyPass ransomware – Securelist

Command line arguments

KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of their extension. It skips files located in a number of directories, the paths to which are hardcoded into the sample.

- 180813 keypass 4 - KeyPass ransomware – Securelist

The list of excluded paths

Every encrypted file gets an additional extension: “.KEYPASS” and ransom notes named “”!!!KEYPASS_DECRYPTION_INFO!!!.txt”” are saved in each processed directory.

- 180813 keypass 5 - KeyPass ransomware – Securelist

The ransom note

Encryption scheme

The developers of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of 0x500000 bytes (~5 MB) of at the beginning of each file.

- 180813 keypass 6 - KeyPass ransomware – Securelist

Part of the procedure that implements data encryption

Soon after launch, KeyPass connects to its command and control (C&C) server and receives the encryption key and the infection ID for the current victim. The data is transferred over plain HTTP in the form of JSON.

- 180813 keypass 7 - KeyPass ransomware – Securelist

If the C&C is inaccessible (e.g. if the infected machine is not connected to the internet or the server is down), the Trojan uses a hardcoded key and ID, which means that in the case of offline encryption the decryption of the victim’s files will be trivial.


From our point of view, the most interesting feature of the KeyPass Trojan is the ability to take ‘manual control’. The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This capability might be an indication that the criminals behind the Trojan intend to use it in manual attacks.

- 180813 keypass 8 - KeyPass ransomware – Securelist

GUI of the trojan

This form allows the attacker to customize the encryption process by changing such parameters as:

  • encryption key
  • name of ransom note
  • text of ransom note
  • victim ID
  • extension of the encrypted files
  • list of paths to be excluded from the encryption
- 180813 keypass 9 - KeyPass ransomware – Securelist

Paths excluded from encryption by default

- 180813 keypass 10 - KeyPass ransomware – Securelist

Pseudocode of the procedure that shows the GUI by a keypress


- 180813 keypass 12 - KeyPass ransomware – Securelist


901d893f665c6f9741aa940e5f275952 – Trojan-Ransom.Win32.Encoder.n

Source link


Please enter your comment!
Please enter your name here