News & Comment: KeyPass ransomware

NEWS: In the last few days, our anti-ransomware module has been detecting a new variant of malware – KeyPass ransomware. According to our information, the malware is propagated by means of fake installers that download the ransomware module.



Pravin Kothari, CEO, CipherCloud:

“Ransomware continues to rapidly evolve. Why? Because ransom is the shortest path to getting your cash. The research and development by organized crime and nation states remains well funded and continues to bring a growing crop of malware tools into use globally.

KeyPass has benefited from this renewed investment in the development of malware tools by bringing new capability into the hands of the cyberattackers. Rather than just the ransom, KeyPass provides a backdoor command and control capability that enables attackers to take control of the infected system. This allows the attackers to perform reconnaissance, look for valuable assets, and perhaps upload additional malware and attacker tools. This command and control capability may enable attackers to shut down access to the system by keeping administrators and other IT personnel from gaining access.

KeyPass is not alone in raising the bar in the escalating ransomware war. Recent tricks built into ransomware include the use of deception to hide the attack until the latest possible moment, so that many files are encrypted and you are truly held hostage by loss of access to the data. Attackers do this by randomizing the encryption of files and moving more slowly to encrypt the files. Many of the tools to detect ransomware look for a large volume of files being encrypted over a short period of time. If the attackers can move more slowly, and hide this effort, they improve their chances of success. Finally, attackers are also going directly after your hard drive code (the master boot record). If they can encrypt that, the rest of the data on the hard drive is inaccessible.”


Adam Laub, senior vice president of product marketing, STEALTHbits Technologies:

“The embedded manual control option is almost certainly designed for instances where KeyPass has infected a user or system within a legitimate enterprise network. Working under the context and control of a user in this type of environment, attackers can quickly move laterally through sophisticated techniques like Pass-the-Hash, harvesting credentials from other systems before escalating their privileges to Administrator status. Launching KeyPass after Admin rights have been obtained would lead to far greater damage at enterprise-wide scale, versus leveraging the initially compromised user’s relatively limited access rights in comparison.

Limiting access rights on the systems KeyPass and other Ransomware variants are likely to infect first is one of the best defenses against broad scale attack and infection. Limiting access rights to file data in shared repositories is also highly effective in limiting the damage that can be done by an attacker using a standard user’s access privileges.”


Paul Bischoff, privacy advocate,

“First off, the KeyPass ransomware should not be confused with KeePass, a legitimate password manager unlucky enough to use a similar name.

KeyPass is fairly similar to other ransomware that encrypts all the files on your system and demands money in exchange for the decryption key. One big difference is that the Trojan installer packs an additional option for attackers to take manual control of the infected system. Even if the victim pays up to decrypt their data, that remote control malware could still exist on the system and be used to carry out other attacks.

Researchers noted the malware was distributed through phony software installers and mostly infected devices in Brazil and Vietnam, although the ransom note text is in English. Although this might be a stretch, online gaming is huge in both of those countries, so the attackers might be targeting gamers.”


Tal Guest, principal product manager, Bomgar:

“KeyPass might have a new twist on the old ransomware attack, but it should be remembered that the mighty ransomware is thwarted by a practice as old as computers – backups. To beat ransomware you need an up-to-date backup that’s not connected to a computer that could fall victim to ransomware’s trap.

But if simple backups can defeat ransomware, why is it such a problem for so many? A lot of IT security advice sounds like health advice. Everyone knows they should eat right and exercise. But many people shrug off this guidance as they eat chips in front of the television. If organizations would just adopt some basic IT security best practices – perform backups, monitor file activity, protect admin credentials, and run standard perimeter defenses like firewalls – they could keep KeyPass at bay.”