Free Key Group ransomware decryptor helps victims recover data
Researchers have exploited a flaw in how the Key Group ransomware implements its encryption to build a decryptor that lets some victims recover their files for free. The tool was written by security researchers at threat intelligence company EclecticIQ and works against versions of the malware created in early August.
The attackers had previously claimed that their malware uses “military-grade AES encryption.” In practice, however, the locker derives its key from a hard-coded password with a static salt, so every infected system ends up with the same key, and anyone who recovers those constants from the malware can reverse the encryption.
EclecticIQ described the ransomware’s encryption as follows: “[Key Group ransomware] encrypts victim data using the AES algorithm in Cipher Block Chaining (CBC) mode with a given static password.” The AES key itself is derived from that password using Password-Based Key Derivation Function 2 (PBKDF2) with a fixed salt, which is what makes the key reproducible.
Key Group profile
Key Group, a threat actor primarily operating in the Russian-speaking sphere, emerged onto the cyber threat landscape in early 2023. Their modus operandi involves targeting diverse organizations, infiltrating their systems, exfiltrating data, and subsequently engaging in ransom negotiations via private Telegram channels.
According to Russian threat intelligence firm BI.ZONE, Key Group’s ransomware is built upon the Chaos 4.0 builder. Furthermore, EclecticIQ has observed the group’s activities on Russian-speaking darknet markets, where they trade stolen data, SIM cards, share doxing information, and offer remote access to IP cameras.
After encrypting a file, Key Group deletes the original and writes the encrypted copy with the .KEYGROUP777TG extension. To prevent victims from restoring their systems and data without paying, the attackers use Windows living-off-the-land binaries (LOLBins) to delete Volume Shadow Copies.
The malware also tampers with the host entries for antivirus products on the compromised system so that their update servers no longer resolve correctly, cutting the products off from updates and impairing their ability to detect and remove the threat.
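The two defence-evasion behaviours above are easy to watch for. The following is an added detection example written for this article (it is not code from EclecticIQ or from the malware): it scans constructed process-creation log lines for the common LOLBin invocations that delete Volume Shadow Copies, and parses a constructed hosts file for entries that redirect antivirus update hosts. The page does not name the specific binary Key Group uses or the vendors it targets, so the patterns are the generic ones and the update hostnames are placeholders under the reserved .test domain.

```python
"""Added detection example (not from the article or EclecticIQ's report)."""
import re

# Generic LOLBin invocations that delete Volume Shadow Copies. The article does
# not say which one Key Group uses; these are the widely known forms.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),  # WMI / PowerShell variant
]

# Placeholder update hosts for a hypothetical AV product (assumption, not from the page).
AV_UPDATE_HOSTS = {"update.example-av.test", "definitions.example-av.test"}

# Constructed sample process-creation log lines.
SAMPLE_PROCESS_LOG = [
    "2023-08-10 09:14:02 pid=4120 user=SYSTEM cmd=vssadmin.exe delete shadows /all /quiet",
    "2023-08-10 09:14:02 pid=4131 user=SYSTEM cmd=vssadmin.exe list shadows",
    "2023-08-10 09:14:05 pid=4140 user=SYSTEM cmd=wmic shadowcopy delete",
    "2023-08-10 09:15:10 pid=4188 user=alice cmd=notepad.exe C:\\Users\\alice\\todo.txt",
]

# Constructed sample hosts file after tampering.
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1 localhost
0.0.0.0 update.example-av.test
127.0.0.1   definitions.example-av.test   # added by the locker
93.184.216.34 example.com
"""


def find_shadow_deletion(process_log: list[str]) -> list[str]:
    """Return the log lines whose command line deletes shadow copies.
    'vssadmin list shadows' is benign and must not match."""
    return [line for line in process_log
            if any(p.search(line) for p in SHADOW_DELETE_PATTERNS)]


def find_hosts_tampering(hosts_text: str, watch: set[str] = AV_UPDATE_HOSTS) -> list[tuple[str, str]]:
    """Parse hosts-file syntax (ip hostname [aliases] # comment) and return
    (hostname, ip) for every watched hostname that has been pinned."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() in watch:
                findings.append((name.lower(), ip))
    return findings


if __name__ == "__main__":
    for hit in find_shadow_deletion(SAMPLE_PROCESS_LOG):
        print("shadow copy deletion:", hit)
    for host, ip in find_hosts_tampering(SAMPLE_HOSTS):
        print(f"AV update host {host} pinned to {ip}")
```

Any hosts-file entry for a product's update host is suspicious regardless of the address it points to, so the parser reports every match rather than only loopback redirections.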
How to use the decryptor
The Key Group ransomware decryptor is a Python script, which is provided in Appendix A of the report. Users can save this script as a Python file and execute it using the following command:
The script scans the specified directory and its subdirectories for files with the .KEYGROUP777TG extension, decrypts each one, and writes the recovered content under its original filename, which it obtains by base64-decoding the encrypted file’s name.
The script depends on third-party Python libraries, most importantly the cryptography package, which must be installed before it can run.
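To make both the weakness in the encryption scheme and the decryptor’s workflow concrete, here is an added example written for this article. It is not EclecticIQ’s script and not the malware’s code: the password, salt and iteration count are placeholders (the real values are in the EclecticIQ report and are not reproduced here), the IV is assumed to be prepended to each file’s ciphertext (the page does not say where the locker stores it), and the hypothetical simulate_locker function only mimics the behaviour the article describes so that the decryptor has something to work on. It uses the cryptography package that the report’s script also depends on.

```python
"""Added example (not EclecticIQ's decryptor): why a fixed PBKDF2 password and
salt make the AES key reproducible, and how a decryptor walks a directory."""
import base64
import hashlib
import os
import tempfile
from pathlib import Path

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Placeholder constants (assumption): Key Group's real password, salt and
# iteration count are in the EclecticIQ report and are not reproduced here.
STATIC_PASSWORD = b"placeholder-static-password"
STATIC_SALT = b"placeholder-salt"
PBKDF2_ITERATIONS = 10_000
EXT = ".KEYGROUP777TG"


def derive_key(password: bytes = STATIC_PASSWORD, salt: bytes = STATIC_SALT) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 32-byte AES-256 key. Because both inputs are fixed,
    every victim gets the same key, which is the flaw the decryptor relies on."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS, dklen=32)


def aes_cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """AES-CBC with PKCS7 padding; random IV prepended (assumption, see lead-in)."""
    iv = os.urandom(16)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(padded) + enc.finalize()


def aes_cbc_decrypt(key: bytes, blob: bytes) -> bytes:
    iv, ct = blob[:16], blob[16:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def simulate_locker(root: Path) -> list[Path]:
    """Hypothetical stand-in for the locker's file handling as the article
    describes it: encrypt, write <base64(name)>.KEYGROUP777TG, delete original.
    (Standard base64 can emit '/', invalid in file names; sample names avoid it.)"""
    key = derive_key()
    locked = []
    for path in [p for p in root.rglob("*") if p.is_file() and p.suffix != EXT]:
        out = path.with_name(base64.b64encode(path.name.encode()).decode() + EXT)
        out.write_bytes(aes_cbc_encrypt(key, path.read_bytes()))
        path.unlink()
        locked.append(out)
    return locked


def decrypt_directory(root: Path) -> list[Path]:
    """The decryptor's job: walk root recursively, find .KEYGROUP777TG files,
    recover the original name from base64, decrypt with the re-derived key.
    The encrypted file is left in place; back up before running for real."""
    key = derive_key()
    restored = []
    for path in sorted(root.rglob("*" + EXT)):
        original_name = base64.b64decode(path.name[: -len(EXT)]).decode()
        out = path.with_name(original_name)
        out.write_bytes(aes_cbc_decrypt(key, path.read_bytes()))
        restored.append(out)
    return restored


def roundtrip_check() -> bool:
    """Run the whole flow on constructed sample files in a temporary directory."""
    samples = {"notes.txt": b"quarterly numbers", "sub/report.docx": b"\x00" * 1000 + b"end"}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, data in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        simulate_locker(root)
        assert not (root / "notes.txt").exists()  # original really was removed
        decrypt_directory(root)
        return all((root / rel).read_bytes() == data for rel, data in samples.items())


if __name__ == "__main__":
    print("same key on every run:", derive_key() == derive_key())
    print("round trip ok:", roundtrip_check())
```

The contrast to notice is in derive_key: a per-victim random salt (or a per-victim random key wrapped with the attacker's public key) would make the derived key unrecoverable from the binary alone, whereas fixed inputs mean the decryptor can simply recompute it.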
Before utilizing any decryptor, it is always advisable to create a backup of your encrypted data. This precaution is essential because the decryption process may carry a risk of irreversible data corruption and permanent data loss.
The release of EclecticIQ’s decryptor may prompt Key Group to address vulnerabilities in their ransomware, potentially making future versions more challenging to decrypt. Nevertheless, this tool remains invaluable for individuals affected by the current versions of the ransomware.