
Files photos video not open due to .KEYPASS


Hi everyone, I need your help to solve the problem. Hope you guys help me.

My files and folders are affected by .KEYPASS extension encryption. I have no idea about it. Due to this, all folders and files are affected and do not open, and I get a message to pay money to open them. Please help me, guys.



Ceiling - Fan (1).rfa.KEYPASS


Hi, I've dealt with this problem since yesterday, and there's no information whatsoever about KEYPASS on the website.
So, in my case, we have several computers connected via a network. We don't use a server.

The infection spread suddenly yesterday. We've determined the source of the infection to be one of the computers in the network.
When the infection started, he didn't install anything or browse any malicious website (although I cannot be 100% sure of this).
Anyway, on his computer, all the files turned into *.CRAB; in Explorer, it stated KEYPASS File.
His computer is screwed; all of his files turned into .CRAB.

Then it also infected several other computers, but on the other computers the files turned into *.KEYPASS, not *.CRAB.
So, CMIIW, probably this is another variant of .CRAB?
(Unfortunately, I cannot send you the original file, since we don't know what caused it.)

So, back to the story. After he realized that there was an infection on his computer, he unplugged his network cable.
Since that moment, it looks like the infection has stopped spreading.
How do I know?
Like, there's a folder containing 10 files; only 3 were encrypted, and 7 are still in their original state.

My question is:
It's been 2 days, and that folder is still in that state, with 3 encrypted and 7 still normal.
Has the infection really stopped? Or is it still lurking somewhere in the PC/network?

Since not all the files are encrypted, how do I safeguard them? Will backing them up to an external hard disk be enough?
Please advise.


@kacipo GandCrab v2 used the .CRAB extension, however the current version is 4. That being said, I've been told by Michael Gillespie that GandCrab does seem to be distributed with the ransomware that's using the .KEYPASS extension, so the files with the .CRAB extension were more than likely encrypted by GandCrab. As for the ransomware using the .KEYPASS extension for encrypted files, Michael let me know that it may be a variant of the STOP ransomware, however that has yet to be confirmed. We're still looking for a copy of the ransomware itself.

If you're able to find any copies of the malicious executable that encrypted the files on these workstations, then please upload it to VirusTotal and post a link to the analysis in a reply for us to review.

  • 2 months later...
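
The second post above judges whether encryption has stopped by watching whether the number of encrypted files in a folder changes over time. As an added example (not part of any post in this thread), the same check can be automated by snapshotting a folder and comparing it later; the function names and the sample folder are constructed for illustration, and the marker list holds only the two extensions mentioned in the thread.

```python
import os
import tempfile

MARKERS = (".keypass", ".crab")  # extensions reported in this thread

def snapshot(root):
    """Map relative path -> (size, mtime_ns) for every file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # vanished or unreadable between listing and stat
            snap[os.path.relpath(full, root)] = (st.st_size, st.st_mtime_ns)
    return snap

def is_marked(path):
    return path.lower().endswith(MARKERS)

def compare(old, new):
    """Report differences between two snapshots that suggest ongoing encryption."""
    new_lower = {p.lower() for p in new}
    return {
        # files with a ransomware extension that were not there before
        "newly_marked": sorted(p for p in new if is_marked(p) and p not in old),
        # originals that are gone and now exist only with a marker appended
        "replaced": sorted(p for p in old if p not in new and not is_marked(p)
                           and any(p.lower() + m in new_lower for m in MARKERS)),
        # unmarked files whose size or timestamp changed (review by hand)
        "modified": sorted(p for p in new if not is_marked(p)
                           and p in old and old[p] != new[p]),
    }

def demo():
    """Constructed folder like the one in the post: 10 files, 3 already encrypted."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(10):
            suffix = ".KEYPASS" if i < 3 else ""
            with open(os.path.join(root, f"plan{i}.rfa{suffix}"), "w") as fh:
                fh.write("constructed sample data")
        first = snapshot(root)
        quiet = compare(first, snapshot(root))       # nothing happened in between
        os.rename(os.path.join(root, "plan9.rfa"),   # simulate one more file hit
                  os.path.join(root, "plan9.rfa.KEYPASS"))
        active = compare(first, snapshot(root))
        return sum(map(is_marked, first)), quiet, active

if __name__ == "__main__":
    print(demo())
```

An empty comparison only shows that no files were renamed or rewritten between the two runs; it does not show that the malware is gone from the machine.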
