Multiple researchers have identified a dangerous new variant of KeyPass ransomware, featuring a manual-control functionality, and according to Kaspersky Lab, the modified version mainly targets developing countries.
“For now, the most targeted regions are mainly developing countries – the modification primarily targets Brazil (19.51%) and Vietnam (14.63%). As the malware continues to spread worldwide via fake installers that download the ransomware module, experts have noticed a distinguishing feature: it can be used for manual attacks,” a Kaspersky Lab spokesperson wrote.
When the Trojan starts on the victim’s computer, it copies its executable to %LocalAppData%. After the executable launches, the malware then deletes itself from the original location but propagates multiple copies of its own process, “passing the encryption key and victim ID as command line arguments,” researchers wrote in a blog post.
The malware reportedly uses a simple scheme to encrypt data at the beginning of each file. Designed by the Trojan’s developers, the symmetric algorithm AES-256 is in CipherFeedback (CFB) mode with zero IV and the same 32-byte key for all files.
The MalwareHunter Team said that the variant, noticed during the late evening hours on 8 August, received 100 submissions to IDR from more than 20 countries, adding that the KeyPass Ransomware, “is spreading all over the world.”
Kaspersky Lab researchers took particular interest in the KeyPass Trojan’s ability to take manual control. Researchers wrote, “The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This capability might be an indication that the criminals behind the Trojan intend to use it in manual attacks."
“The capability to perform manual control is truly worrisome since it provides criminals behind the Trojan an opportunity to customize the malware. It might be an indication that the era of mass-scale extortions is gone and now we might be facing a growing trend of individually targeted ransomware attacks,” said Fedor Sinitsyn, security researcher, Kaspersky Lab.