Files photos video not open due to .KEYPASS

[nepalnepali 0]

Hi everyone, i need your help to solve the problem. hope you guys help me. 

my files, folders are affected by .KEYPASS extension encryption. i have no idea about it. due to this, every folders, files are affected and not open and i get message for pay money to open this. please help me guys.

 

!!!KEYPASS_DECRYPTION_INFO!!!.txt

Ceiling - Fan (1).rfa.KEYPASS

[stapp 152]

It is  recommended that you upload a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

Then paste a link to the results into a reply so that one of our experts can review it for you.

[GT500 854]

ID Ransomware wasn't able to identify it:
https://id-ransomware.malwarehunterteam.com/identify.php?case=17ed432148e42babc44db903fe0b2da8e3b7b113

I've asked our malware analysts to see what they can tell me.

[kacipo 0]

hi, i've dealt with this problem, since yesterday. and there's no information whatsoever, about keypass in the website. 
So, in my case, we have several computers, connected via network. we don't use server.

The infection, spread suddenly, yesterday, we've determined the source of the infection, from one of computer in the network.
When the infection started, he didn't install anything, or browse any malicious website (Although I Cannot be 100% sure of this).
Anyway, in his computer, all the file, turns into *.CRAB, in the explorer, it stated KEYPASS File.
His computer is screwed, all of his files turned into .CRAB

Then, it also infect several other computers, but in other computers, the file turned into *.KEYPASS not *.CRAB.
So, CMIIW, probably this is another variant of .CRAB?
(Unfortunately, I cannot send you the original file, since, we don't know what cause it)

So, back to the story. after he realized that there's infection in his computer, he plugged his network cable out.
Since that moment, looks like the infection has stopped spreading.
How do I know?
Like, there's a folder, containing 10 file, only 3 was encypted, and 7 is still in it's original state.

My questions is, 
it's been 2 days, and that folder is still in that state. with 3 encrypted, and 7 still normal.
Has the infection really stop? or it's still lurking somewhere in the PC/ network?

Since, not all the file are encrypted, how do I safeguard it? Will back it up in an external harddisk is enough?
Please advice.
Thanks

[GT500 854]

@kacipo GandCrab v2 used the .CRAB extension, however the current version is 4. That being said, I've been told by Michael Gillespie that GandCrab does seem to be distributed with the ransomware that's using the .KEYPASS extension, so the files with the .CRAB extension were more than likely encrypted by GandCrab. As for the ransomware using the .KEYPASS extension for encrypted files, Michael let me know that it may be a variant of the STOP ransomware, however that has yet to be confirmed. We're still looking for a copy of the ransomware itself.

If you're able to find any copies of the malicious executable that encrypted the files on these workstations, then please upload it to VirusTotal and post a link to the analysis in a reply for us to review.

[GT500 854]

For anyone who hasn't seen it yet, here's an article covering what is currently known about this ransomware:
https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/

[GT500 854]

Bitdefender has been working with law enforcement agencies to make a decrypter for versions 1, 4, and 5 of GandCrab. You can find more information at the following link:
https://www.bleepingcomputer.com/news/security/free-decrypter-available-for-the-latest-gandcrab-ransomware-versions/