If your documents, photos and music does not open normally, their names replaced or .KEYPASS added at the end of their name then your computer is infected with a new KeyPass virus from a family of file-encrypting ransomware. Once launched, it have encrypted all files stored on a computer drives and attached network drives.
The KeyPass ransomware is a malicious software which created in order to encrypt personal files. It hijack a whole PC or its data and demand a ransom in order to unlock (decrypt) them. The developers of the KeyPass ransomware virus have a strong financial motive to infect as many PCs as possible. The files that will be encrypted include the following file extensions:
.menu, .xld, .xpm, .xx, .sb, .mdbackup, .wma, .wbz, .wmf, .fpk, .sidn, wallet, .accdb, .mcmeta, .png, .xls, .sidd, .py, .ppt, .xdl, .ibank, .bsa, .1, .psk, .bar, .odp, .xlgc, .bkp, .x3f, .bay, .cr2, .rar, .0, .zabw, .wbk, .srw, .sis, .7z, .xls, .1st, .big, .syncdb, .pef, .wcf, .rw2, .mef, .hvpl, .wpt, .xyp, .wp4, .wpa, .lrf, .xmind, .vfs0, .xbdoc, .wot, .wpd, .srf, .sie, .xlk, .wps, .crw, .wm, .ybk, .dmp, .zi, .wbm, .webp, .sum, .dxg, .pem, .hkdb, .gho, .ws, .tor, .js, .vdf, .wp5, .blob, .dwg, .wbd, .zip, .rwl, .wmv, .pak, .pptm, .sql, .bc7, .sr2, .hplg, .ysp, .erf, .orf, .lbf, .jpeg, .2bp, .3ds, .vcf, .odb, .x, .kdb, .fsh, .tax, .layout, .jpe, .arw, .raf, .m4a, .xlsm, .das, .itl, .y, .vtf, .svg, .odm, .rtf, .mdb, .wp7, .wp6, .wpd, .mpqge, .lvl, .xmmap, .slm, .dng, .wsh, .w3x, .wps, .pdd, .pdf, .wpw, .zw, .itm, .wpl, .xlsm, .p12, .bkf, .rim, .wpg, .ai, .docx, .desc, .wmv, .kdc, .xll, .snx, .xlsb, .fos, .p7b, .x3d, .ztmp, .pfx, .zdb, .cer, .docm, .wbc, .r3d, .wotreplay, .wsc, .der, .css, .mov, .map, .yal, .pptx, .dbf, .wire, .vpp_pc, .x3f, .ltx, .db0, .wmo, .dazip, .ods, .forge, .kf, .ntl, .wmd, .nrw, .wsd, .mdf, .xdb, .hkx, .xml, .wdb, .wdp, .indd, .rgss3a, .txt, .xar, .cfr, .bc6, .sav, .p7c, .avi, .wma, .re4, .bik, .epk, .mddata, .wri, .esm, .t13, .apk, .asset, .iwi, .ptx, .psd, .dba, .ff, .vpk, .mrwref, .wav, .xf, .mp4, .wpb, .dcr, .crt, .wpe, .webdoc, .z3d, .pst, .iwd, .upk, .zdc, .qic, .icxs
When the virus encrypts a file, it will add the .KEYPASS extension to every encrypted file. Once the ransomware finished enciphering of all files, it will create a file named “!!!KEYPASS_DECRYPTION_INFO!!!.txt” with ransom instructions on how to decrypt all photos, documents and music. You can see an one of the variants of the ransom demanding message below:
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.
You need to contact us by e-mail firstname.lastname@example.org send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $300.
This price avaliable if you contact us first 72 hours.
E-mail address to contact us:
Reserve e-mail address to contact us:
Your personal id:
Use the step-by-step guide below to remove KeyPass ransomware and try to recover encrypted personal files for free.
Table of contents
- How to decrypt .KEYPASS files
- How to remove KeyPass virus
- Recovering files encrypted by KeyPass ransomware
- How to prevent your system from becoming infected by KeyPass ransomware?
- Finish words
How to decrypt .KEYPASS files
The encryption algorithm is so strong that it is practically impossible to decrypt .KEYPASS files without the actual encryption key. The bad news is that the only way to get your files back is to pay ($300 in Bitcoins) makers of the KeyPass ransomware for a copy of the private (encryption) key.
With some variants of this virus, it’s possible to use Windows Shadow Copies or file recovery tools to restore photos, documents and music that have been encrypted by KeyPass ransomware virus. You can run the free utilities listed below in the blog post.
How to remove KeyPass virus
Manual removal does not always help to completely remove the KeyPass virus, as it is not easy to identify and delete components of virus and all malicious files from hard disk. Therefore, it is recommended that you use malicious software removal utility to completely remove KeyPass ransomware off your computer. Several free malware removal tools are currently available that can be used against the ransomware virus. The optimum method would be to use Zemana Anti-malware, Malwarebytes Free and Kaspersky Virus Removal Tool.
Remove KeyPass ransomware with Zemana Anti-malware
Zemana Anti-malware is a tool that can remove ransomware infections, ad-supported software, PUPs, browser hijacker infections and other malware from your computer easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses minimum of machine resources.
- Installing the Zemana is simple. First you will need to download Zemana on your Windows Desktop by clicking on the link below.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- At the download page, click on the Download button. Your web browser will display the “Save as” dialog box. Please save it onto your Windows desktop.
- Once downloading is done, please close all software and open windows on your computer. Next, start a file called Zemana.AntiMalware.Setup.
- This will run the “Setup wizard” of Zemana Anti Malware onto your PC system. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the Zemana AntiMalware (ZAM) will run and display the main window.
- Further, click the “Scan” button to perform a system scan for the KeyPass ransomware virus and other security threats. A system scan can take anywhere from 5 to 30 minutes, depending on your computer.
- After Zemana Anti-Malware has completed scanning your machine, Zemana Anti-Malware (ZAM) will show you the results.
- All found threats will be marked. You can get rid of them all by simply press the “Next” button. The utility will begin to get rid of KeyPass ransomware virus related files, folders and registry keys. Once that process is done, you may be prompted to reboot the personal computer.
- Close the Zemana Anti Malware (ZAM) and continue with the next step.
Delete KeyPass ransomware with Malwarebytes
We recommend using the Malwarebytes Free. You can download and install Malwarebytes to scan for and remove KeyPass ransomware from your machine. When installed and updated, the free malware remover will automatically scan and detect all threats exist on the computer.
Download MalwareBytes Anti Malware (MBAM) on your machine from the following link.
Category: Security tools
Update: April 15, 2020
When downloading is done, close all windows on your system. Further, open the file called mb3-setup. If the “User Account Control” dialog box pops up as shown in the figure below, press the “Yes” button.
It will open the “Setup wizard” that will allow you setup MalwareBytes AntiMalware on the computer. Follow the prompts and don’t make any changes to default settings.
Once setup is finished successfully, press Finish button. Then MalwareBytes Anti Malware (MBAM) will automatically start and you can see its main window as displayed in the figure below.
Next, click the “Scan Now” button . MalwareBytes Free tool will begin scanning the whole PC system to find out KeyPass ransomware virus and other security threats. Depending on your machine, the scan can take anywhere from a few minutes to close to an hour. During the scan MalwareBytes Anti Malware will search for threats exist on your system.
As the scanning ends, you’ll be shown the list of all found threats on your computer. Once you’ve selected what you want to remove from your computer press “Quarantine Selected” button.
The MalwareBytes AntiMalware will begin to remove KeyPass ransomware and other kinds of potential threats like malware and potentially unwanted applications. After disinfection is done, you may be prompted to reboot your machine. We suggest you look at the following video, which completely explains the process of using the MalwareBytes Anti-Malware (MBAM) to get rid of hijacker infections, adware and other malware.
If the problem with KeyPass ransomware is still remained
KVRT is a free removal utility that may be downloaded and use to remove ransomware viruss, adware, malware, PUPs, toolbars and other threats from your system. You can run this tool to scan for threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop from the following link.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the downloading process is complete, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is done, you’ll see the KVRT screen as shown below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to begin scanning your machine for the KeyPass ransomware virus and other trojans and harmful programs. During the scan Kaspersky virus removal tool will scan for threats present on your system.
When the system scan is finished, KVRT will show a list of found threats like below.
In order to remove all items, simply press on Continue to start a cleaning process.
Recovering files encrypted by KeyPass ransomware
In some cases, you can restore files encrypted by KeyPass ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted personal files.
Restore .KEYPASS encrypted files using Shadow Explorer
The Windows has a feature called ‘Shadow Volume Copies’ that can allow you to recover .KEYPASS files encrypted by the KeyPass ransomware virus. The solution described below is only to recover encrypted personal files to previous versions from the Shadow Volume Copies using a free tool called the ShadowExplorer.
Please go to the following link to download ShadowExplorer. Save it on your Desktop.
Category: Security tools
Update: September 15, 2019
When downloading is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown below.
Double click ShadowExplorerPortable to run it. You will see the a window as on the image below.
In top left corner, select a Drive where encrypted photos, documents and music are stored and a latest restore point as shown in the following example (1 – drive, 2 – restore point).
On right panel look for a file that you want to restore, right click to it and select Export as shown on the screen below.
Use PhotoRec to restore .KEYPASS files
Before a file is encrypted, the KeyPass virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your personal files using file recover software like PhotoRec.
Download PhotoRec on your MS Windows Desktop from the link below.
Category: Security tools
Update: March 1, 2018
When the downloading process is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll open a screen as displayed on the screen below.
Choose a drive to recover as shown below.
You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as shown on the image below.
Click File Formats button and specify file types to recover. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.
Next, click Browse button to choose where restored files should be written, then click Search.
Count of restored files is updated in real time. All restored photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is complete, press on Quit button. Next, open the directory where recovered files are stored. You will see a contents as shown in the figure below.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to prevent your system from becoming infected by KeyPass ransomware?
Most antivirus apps already have built-in protection system against the virus. Therefore, if your machine does not have an antivirus program, make sure you install it. As an extra protection, use the CryptoPrevent.
Run CryptoPrevent to protect your PC from KeyPass ransomware
Download CryptoPrevent on your computer from the following link.
Run it and follow the setup wizard. Once the install is finished, you will be displayed a window where you can choose a level of protection, as shown on the image below.
Now click the Apply button to activate the protection.
After completing the few simple steps above, your PC should be clean from KeyPass ransomware virus and other malware. Your PC system will no longer encrypt your files. Unfortunately, if the few simple steps does not help you, then you have caught a new variant of ransomware, and then the best way – ask for help here.