Pierluigi Paganini
September 01, 2023
Threat intelligence firm EclecticIQ released a free decryption tool for the Key Group ransomware (aka keygroup777) that allows victims to recover their data without paying a ransom.
The Key Group ransomware gang has been active since at least January 2023. EclecticIQ researchers believe that the financially-motivated gang is primarily Russian speaking.
The group is a low-sophisticated threat actor that focuses on financial gain by selling Personal Identifying Information (PII) or initial access to compromised devices and obtaining ransom money.
The group operates two Telegram channels, the channel keygroup777Tg for the negotiation of ransoms, and a private (invite only) Telegram channel used by members to share information on potential victims, doxing, and offensive tool sharing. EclecticIQ researchers reported that since June 29, 2023, the ransomware group is likely using the NjRAT RAT to remotely access victim devices.
The researchers noticed that the ransomware samples contained multiple cryptographic mistakes that allowed them to create a decryption tool for a specific ransomware version built on August 03, 2023.
“Key Group ransomware uses a base64 encoded static key N0dQM0I1JCM= to encrypt victims’ data. The threat actor tried to increase the randomness of the encrypted data by using a cryptographic technique called salting. The salt was static and used for every encryption process which poses a significant flaw in the encryption routine.” reads the report published by EclecticIQ. “These mistakes helped analysts to create a decryption tool for this specific version of Key Group ransomware.”
The tool is still a proof work and may not work on every Key Group ransomware sample.
The ransomware uses CBC-mode Advanced Encryption Standard (AES) to encrypt files and sends personally identifiable information (PII) to threat actors. The ransomware uses the same static AES key and initialization vector (IV) to recursively encrypt victim data and add the keygroup777tg extension to the filenames of the encrypted files.
The Key Group ransomware deletes volume shadow copies using living-off-the-land binaries (LOLBINs) and backups made with the Windows Server Backup tool.
The ransomware also disables updates from multiple anti-malware solutions (i.e Avast, ESET, and Kaspersky) by modifying the hosts file inside the Windows OS.
The ransomware also attempts to disable the automatic launch of the Windows Error Recovery screen and the Windows Recovery Environment after a failed boot.
The decryptor is a Python script reported in the report along with Indicators of Compromise (IoCs) for this threat.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
