nepalnepali 0 Posted August 9, 2018

Hi everyone, I need your help to solve a problem. I hope you guys can help me. My files and folders are affected by .KEYPASS extension encryption. I have no idea about it. Due to this, all folders and files are affected and will not open, and I get a message to pay money to open them. Please help me, guys.

Attachments: !!!KEYPASS_DECRYPTION_INFO!!!.txt, Ceiling - Fan (1).rfa.KEYPASS
stapp 152 Posted August 9, 2018

It is recommended that you upload a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/

Then paste a link to the results into a reply so that one of our experts can review it for you.
GT500 854 Posted August 9, 2018

ID Ransomware wasn't able to identify it: https://id-ransomware.malwarehunterteam.com/identify.php?case=17ed432148e42babc44db903fe0b2da8e3b7b113

I've asked our malware analysts to see what they can tell me.
kacipo 0 Posted August 10, 2018

Hi, I've been dealing with this problem since yesterday, and there's no information whatsoever about KEYPASS on the website.

So, in my case, we have several computers connected via a network. We don't use a server. The infection spread suddenly yesterday. We've determined the source of the infection to be one of the computers in the network. When the infection started, he didn't install anything or browse any malicious website (although I cannot be 100% sure of this).

Anyway, on his computer, all the files turned into *.CRAB, and in Explorer they are listed as KEYPASS File. His computer is screwed; all of his files turned into .CRAB. Then it also infected several other computers, but on the other computers the files turned into *.KEYPASS, not *.CRAB. So, CMIIW, probably this is another variant of .CRAB? (Unfortunately, I cannot send you the original file, since we don't know what caused it.)

So, back to the story. After he realized that there was an infection on his computer, he unplugged his network cable. Since that moment, it looks like the infection has stopped spreading. How do I know? There's a folder containing 10 files; only 3 were encrypted, and 7 are still in their original state.

My questions are: it's been 2 days, and that folder is still in that state, with 3 encrypted and 7 still normal. Has the infection really stopped, or is it still lurking somewhere in the PC/network? Since not all the files are encrypted, how do I safeguard them? Will backing them up to an external hard disk be enough?

Please advise. Thanks
GT500 854 Posted August 10, 2018

@kacipo GandCrab v2 used the .CRAB extension, however the current version is 4. That being said, I've been told by Michael Gillespie that GandCrab does seem to be distributed with the ransomware that's using the .KEYPASS extension, so the files with the .CRAB extension were more than likely encrypted by GandCrab.

As for the ransomware using the .KEYPASS extension for encrypted files, Michael let me know that it may be a variant of the STOP ransomware, however that has yet to be confirmed. We're still looking for a copy of the ransomware itself.

If you're able to find any copies of the malicious executable that encrypted the files on these workstations, then please upload it to VirusTotal and post a link to the analysis in a reply for us to review.
GT500 854 Posted August 16, 2018

For anyone who hasn't seen it yet, here's an article covering what is currently known about this ransomware: https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/
GT500 854 Posted October 25, 2018

Bitdefender has been working with law enforcement agencies to make a decrypter for versions 1, 4, and 5 of GandCrab. You can find more information at the following link: https://www.bleepingcomputer.com/news/security/free-decrypter-available-for-the-latest-gandcrab-ransomware-versions/