New KeyPass ransomware discovered

A new variant of the KeyPass ransomware was discovered in August, and it uses new techniques such as a manual-control mode that lets the operator customize its encryption process. Researchers at Kaspersky Lab stated that it is being propagated by fake installers that download the ransomware module. The information in the executable's PE header suggests the trojan was created recently. According to the researchers, the trojan sample was written in C++ and compiled with Microsoft Visual Studio. Research shows that samples of the malware have been found mainly in Brazil and Vietnam.

Once on the victim's computer, the trojan copies its executable to the local application data folder (%LocalAppData%) and launches it, then deletes itself from the original location. In the next step, the trojan spawns several copies of its own process, passing the encryption key and victim ID to them as command line arguments. KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of their extension. It skips files located in a number of directories whose paths are hardcoded into the sample. Each encrypted file gets the extension ".KEYPASS", and a ransom note named "!!!KEYPASS_DECRYPTION_INFO!!!.txt" is written to every encrypted directory. If the command-and-control server is inaccessible, the trojan falls back to a hardcoded key and ID, which implies that files encrypted offline would not be difficult to decrypt.
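A defender-side sweep for the two file-system artefacts named above, added here as an example; it is not part of the original article or Kaspersky's research. The directory layout it scans is constructed, and the scan is assumed to run against a mounted backup or an offline copy of the affected volume rather than a live infected host:

```python
import os
import tempfile

ENCRYPTED_EXT = ".KEYPASS"                         # extension named in the article
RANSOM_NOTE = "!!!KEYPASS_DECRYPTION_INFO!!!.txt"  # note file named in the article

def scan_for_keypass(root):
    """Walk root (assumed to be a mounted backup or offline copy) and report renamed
    files, directories holding the note, and hit directories that lack a note."""
    encrypted, note_dirs, hit_dirs = [], set(), set()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.add(dirpath)
            elif name.upper().endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
                hit_dirs.add(dirpath)
    # The article says a note lands in every encrypted directory, so a hit
    # directory without one is worth a closer look (interrupted run, tampering).
    return {"encrypted_files": sorted(encrypted),
            "note_dirs": sorted(note_dirs),
            "dirs_missing_note": sorted(hit_dirs - note_dirs)}

def build_sample_tree(base):
    """Constructed layout: a fully hit folder, an untouched folder, and a share
    folder where files were renamed but the note is absent."""
    docs, win, share = (os.path.join(base, p) for p in
                        ("Documents", "Windows", os.path.join("Shares", "finance")))
    for d in (docs, win, share):
        os.makedirs(d, exist_ok=True)
    for path in (os.path.join(docs, "report.docx.KEYPASS"),
                 os.path.join(docs, "photo.jpg.KEYPASS"),
                 os.path.join(docs, RANSOM_NOTE),
                 os.path.join(win, "notepad.exe"),
                 os.path.join(share, "ledger.xlsx.KEYPASS")):
        with open(path, "w") as fh:
            fh.write("constructed placeholder content\n")

def demo():
    """Build the sample tree in a temp dir, scan it, and return a summary with
    paths relative to the root (forward slashes, so it is platform-independent)."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        result = scan_for_keypass(base)
        return {"encrypted_count": len(result["encrypted_files"]),
                "note_dirs": [os.path.relpath(d, base).replace(os.sep, "/")
                              for d in result["note_dirs"]],
                "dirs_missing_note": [os.path.relpath(d, base).replace(os.sep, "/")
                                      for d in result["dirs_missing_note"]]}
```

Point `scan_for_keypass` at a real mount point to get absolute paths of renamed files and note locations for the incident record.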




The trojan contains a form that is hidden by default but provides manual control: the form can be shown by pressing a special key on the keyboard. This capability suggests that the criminals behind the trojan may intend to use it in manual attacks. While this feature does not mean much for the victim, researchers found it notable because it is uncommon among other ransomware families. The form allows the attacker to customize the encryption process by changing parameters such as the encryption key, the name and text of the ransom note, the victim ID, the extension of the encrypted files, and the list of paths to be excluded from encryption. Because encryption can be controlled manually, the attacker can also easily change the price of decryption. The malware operates automatically by default; however, if the attacker has somehow gained remote control of the infected machine, the trojan allows them to modify the default encryption parameters.

Users can protect themselves from the KeyPass ransomware by always keeping backups that are segregated from the workstations, such as Walden Systems' Accordion. One benefit of such systems is that the backups cannot be seen by the infected machine when the malware scans for accessible network files. Another benefit is that, since no software is installed on the workstation, malware cannot shut down the backup from the infected machine. Other precautions against malware include installing software only from trusted sources, using only strong passwords for RDP access, and using a reliable security solution.