Variant of KeyPass Trojan Takes Manual Control

Aug. 13, 2018

Multiple researchers have identified a dangerous new variant of KeyPass ransomware that features manual-control functionality. According to Kaspersky Lab, the modified version mainly targets developing countries.

“For now, the most targeted regions are mainly developing countries – the modification primarily targets Brazil (19.51%) and Vietnam (14.63%). As the malware continues to spread worldwide via fake installers that download the ransomware module, experts have noticed a distinguishing feature: it can be used for manual attacks,” a Kaspersky Lab spokesperson wrote.

When the Trojan starts on the victim’s computer, it copies its executable to %LocalAppData%. After the copied executable launches, the malware deletes itself from the original location and spawns multiple copies of its own process, “passing the encryption key and victim ID as command line arguments,” researchers wrote in a blog post.

The malware reportedly uses a simple scheme to encrypt data at the beginning of each file. The scheme, designed by the Trojan’s developers, uses the symmetric algorithm AES-256 in Cipher Feedback (CFB) mode with a zero IV and the same 32-byte key for all files.
