New Ransomware, KeyPass, Locks Systems Globally
KeyPass differs from other forms of ransomware by giving attackers the option of taking manual control of an infected system.
A new ransomware strain called KeyPass, first seen on Aug. 8, has spread to hundreds of victims in more than 20 countries via fake software installers that download the malware.
Brazil and Vietnam reportedly account for the highest percentage of KeyPass infections, but victims are reported in other regions including South America, Africa, Europe, the Middle East and Asia.
Paul Bischoff, privacy advocate at the U.K.-based Comparitech.com, said, “First off, the KeyPass ransomware should not be confused with KeePass, a legitimate password manager unlucky enough to use a similar name.” Bischoff described KeyPass as behaving like any other ransomware that encrypts all the files on a system and demands money in exchange for the decryption key; however, “one big difference is that the Trojan installer packs an additional option for attackers to take manual control of the infected system. Even if the victim pays up to decrypt their data, that remote control malware could still exist on the system and be used to carry out other attacks.”
Pravin Kothari, CEO of the San Jose, Calif.-based CipherCloud, noted, “Ransomware continues to rapidly evolve. Why? Because ransom is the shortest path to getting your cash. The research and development by organized crime and nation states remains well-funded and continues to bring a growing crop of malware tools into use globally.”
Kothari added that KeyPass has benefited from this renewed investment in the development of malware tools by bringing new capabilities into the hands of cyberattackers. “Rather than just the ransom, KeyPass provides a back door command and control capability that enables attackers to take control of the infected system.” This allows the attackers to perform reconnaissance, look for valuable assets, and perhaps upload additional malware and attacker tools. The same command and control capability may also let attackers lock administrators and other IT personnel out of the system.
KeyPass is not alone in raising the bar in the escalating ransomware war, Kothari pointed out. “Recent tricks built into ransomware include the use of deception to hide the attack until the latest possible moment, so that many files are encrypted and you are truly held hostage by loss of access to the data.” Attackers do this by randomizing which files they encrypt and encrypting them more slowly. Many of the tools that detect ransomware look for a large volume of files being encrypted over a short period of time; if the attackers can move slowly and hide this effort, they improve their chances of success.
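As an added illustration of the detection gap Kothari describes (example code written for this article, not from any vendor quoted here), the following Python compares the volume-over-time rule with a rule that counts over a much longer window and only counts writes whose content looks encrypted. The event streams, payloads and thresholds are constructed, not real telemetry.

```python
import math
import random
from collections import deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, ordinary document text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

# Constructed file-write events from one process: (timestamp_s, path, bytes_written).
def make_events(count, spacing_s, payload):
    return [(i * spacing_s, f"/share/doc{i}.docx", payload) for i in range(count)]

_rng = random.Random(7)                                  # deterministic stand-in for ciphertext
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAINTEXT = b"quarterly report " * 16                    # stand-in for a normal document save
BURST = make_events(200, 0.05, CIPHERTEXT)               # 200 files in 10 s: classic pacing
SLOW = make_events(200, 30.0, CIPHERTEXT)                # 200 files over 100 min: low-and-slow
NORMAL = make_events(200, 30.0, PLAINTEXT)               # a user saving documents all afternoon

def count_in_window(events, window_s, threshold, predicate=lambda data: True):
    """Sliding-window rule: alert once more than `threshold` writes matching
    `predicate` fall inside any `window_s`-second window. Returns alert time or None."""
    recent = deque()
    for ts, _, data in events:
        if not predicate(data):
            continue
        recent.append(ts)
        while ts - recent[0] > window_s:                 # drop writes older than the window
            recent.popleft()
        if len(recent) > threshold:
            return ts
    return None

def volume_rule(events):
    """The rule the article describes: many files rewritten within a short period."""
    return count_in_window(events, window_s=60, threshold=50)

def low_and_slow_rule(events):
    """Same counting over a day-long window, restricted to writes whose content
    looks encrypted, so pacing the writes no longer keeps them under the threshold."""
    return count_in_window(events, window_s=24 * 3600, threshold=50,
                           predicate=lambda d: shannon_entropy(d) > 7.0)
```

The volume rule fires on the burst stream and stays silent on the slow one; the entropy-filtered long-window rule fires on both encrypted streams and stays silent on the plaintext stream.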
“Finally, attackers are also going directly after the hard drive code [the master boot record],” Kothari said. “If they can encrypt that, the rest of the data on the hard drive is inaccessible.”
Adam Laub, SVP of product marketing for the Hawthorne, N.J.-based STEALTHbits Technologies, stated, “The embedded manual control option is almost certainly designed for instances where KeyPass has infected a user or system within a legitimate enterprise network. Working under the context and control of a user in this type of environment, attackers can quickly move laterally through sophisticated techniques like pass-the-hash, harvesting credentials from other systems before escalating their privileges to administrator status.” Laub added that launching KeyPass after admin rights have been obtained would cause far greater, enterprise-wide damage than running it with the initially compromised user’s relatively limited access rights.
Laub advised that limiting access rights on the systems KeyPass and other ransomware variants are likely to infect first is one of the best defenses against broad-scale attack and infection. “Limiting access rights to file data in shared repositories is also highly effective in limiting the damage that can be done by an attacker using a standard user’s access privileges.”