SENTINELONE DETECTS KEYPASS RANSOMWARE
KeyPass is a new ransomware threat that has hit at least 20 countries since August 7th and appears to be spreading further by means of fake software installers.
Encrypted files are given a “.KEYPASS” extension, and a ransom note is deposited in each directory that is successfully encrypted. The ransom note demands $300 and attempts to reassure the victim by offering proof of decryption ability in advance of payment: the victim is encouraged to send the attacker a small encrypted file and, according to the note, will receive the decrypted version for free. Clearly, the attackers are adopting the same level of concern for ‘user experience’ as legitimate software developers in order to maximize their profits.
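A filesystem triage routine for the behaviour described above, added here as an example and not part of the original post or of the SentinelOne product: it walks a directory tree, flags every directory holding files with the .KEYPASS extension or a ransom note, and strips the appended extension to produce a restore list. The ransom-note filename and the sample tree are constructed assumptions; the post does not give the real note name.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".KEYPASS"  # extension KeyPass appends to files it encrypts (from the post)
# Assumed note filename; the post only says a note is dropped in each encrypted directory.
NOTE_NAME = "KEYPASS_RANSOM_NOTE.txt"

def original_name(filename):
    """Strip the appended extension to recover the pre-encryption filename (for backup restores)."""
    if filename.upper().endswith(ENCRYPTED_EXT):
        return filename[: -len(ENCRYPTED_EXT)]
    return filename

def scan_for_keypass(root):
    """Walk root and return {relative dir: {"encrypted": [original names], "note": bool}}
    for every directory that holds encrypted files or a ransom note."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [original_name(f) for f in files if f.upper().endswith(ENCRYPTED_EXT)]
        has_note = NOTE_NAME in files
        if encrypted or has_note:
            hits[os.path.relpath(dirpath, root)] = {"encrypted": sorted(encrypted), "note": has_note}
    return hits

def build_sample_tree():
    """Constructed sample tree mimicking a partially completed KeyPass run; not real malware output."""
    root = Path(tempfile.mkdtemp(prefix="keypass_demo_"))
    docs, pics, clean = root / "docs", root / "pics", root / "clean"
    for d in (docs, pics, clean):
        d.mkdir()
    (docs / "report.docx.KEYPASS").write_bytes(b"\x00ciphertext")
    (docs / "budget.xlsx.KEYPASS").write_bytes(b"\x00ciphertext")
    (docs / NOTE_NAME).write_text("Send us $300 ...")
    (pics / "holiday.jpg.KEYPASS").write_bytes(b"\x00ciphertext")  # note not yet written here
    (clean / "readme.txt").write_text("untouched")
    return str(root)

if __name__ == "__main__":
    for d, info in scan_for_keypass(build_sample_tree()).items():
        print(f"{d}: {len(info['encrypted'])} encrypted file(s), note={'yes' if info['note'] else 'no'}")
```

A directory with encrypted files but no note (like `pics` above) usually marks where the run was interrupted, which is worth recording in the incident timeline.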
As can be seen in the accompanying video, SentinelOne customers are automatically protected from KeyPass.
The agent detects the malicious activity immediately, and the malware is then deleted. While deletion is expected behavior when the SentinelOne policy is set to ‘Protect’, in the demonstration we use the ‘Detect-only’ policy in order to observe the ransomware’s behavior.