Researchers released a free decryptor for the Key Group ransomware

Researchers released a free decryptor for the Key Group ransomware that allows victims to recover their data without paying a ransom.

Threat intelligence firm EclecticIQ released a free decryption tool for the Key Group ransomware (aka keygroup777) that allows victims to recover their data without paying a ransom.

The Key Group ransomware gang has been active since at least January 2023. EclecticIQ researchers believe that the financially-motivated gang is primarily Russian speaking.

The group is a low-sophisticated threat actor that focuses on financial gain by selling Personal Identifying Information (PII) or initial access to compromised devices and obtaining ransom money.

The group operates two Telegram channels, the channel keygroup777Tg for the negotiation of ransoms, and a private (invite only) Telegram channel used by members to share information on potential victims, doxing, and offensive tool sharing. EclecticIQ researchers reported that since June 29, 2023, the ransomware group is likely using the NjRAT RAT to remotely access victim devices.

The researchers noticed that the ransomware samples contained multiple cryptographic mistakes that allowed them to create a decryption tool for a specific ransomware version built on August 03, 2023.

“Key Group ransomware uses a base64 encoded static key N0dQM0I1JCM= to encrypt victims’ data. The threat actor tried to increase the randomness of the encrypted data by using a cryptographic technique called salting. The salt was static and used for every encryption process which poses a significant flaw in the encryption routine.” reads the report published by EclecticIQ. “These mistakes helped analysts to create a decryption tool for this specific version of Key Group ransomware.”

The tool is still a proof work and may not work on every Key Group ransomware sample.

The ransomware uses CBC-mode Advanced Encryption Standard (AES) to encrypt files and sends personally identifiable information (PII) to threat actors. The ransomware uses the same static AES key and initialization vector (IV) to recursively encrypt victim data and add the keygroup777tg extension to the filenames of the encrypted files.

The Key Group ransomware deletes volume shadow copies using living-off-the-land binaries (LOLBINs) and backups made with the Windows Server Backup tool.

The ransomware also disables updates from multiple anti-malware solutions (i.e Avast, ESET, and Kaspersky) by modifying the hosts file inside the Windows OS.

The ransomware also attempts to disable the automatic launch of the Windows Error Recovery screen and the Windows Recovery Environment after a failed boot.

The decryptor is a Python script reported in the report along with Indicators of Compromise (IoCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.