Free Decryptor Available for ‘Key Group’ Ransomware

EclecticIQ has released a free decryption tool to help victims of the Key Group ransomware recover their data without paying a ransom.

Cyber intelligence firm EclecticIQ on Thursday announced the release of a free decryption tool to help victims of the Key Group ransomware recover their data without having to pay a ransom.

Also known as keygroup777, Key Group is a Russian-speaking cybercrime actor known for selling personally identifiable information (PII) and access to compromised devices, as well as extorting victims for money.

The group has been observed using private Telegram channels to communicate with members and share details on offensive tools. Based on this communication, EclecticIQ believes that the group started using NjRAT for remote access to victim devices.

Key Group first introduced its ransomware family on January 6 and has since continued to use it in attacks.

On the victim machine, the Key Group ransomware deletes volume shadow copies (using off-the-shelf tools) and backups made with the Windows Server Backup tool, and attempts to disable security features such as the Windows Error Recovery screen and the Windows Recovery Environment.

The ransomware can also disable the update mechanisms of anti-malware tools from various vendors, including Avast, ESET, and Kaspersky.

While analyzing the threat, EclecticIQ’s security researchers discovered several cryptographic errors that allowed them to develop a decryptor to help victims of the ransomware.

The researchers observed that the ransomware employs AES encryption and uses a base64-encoded static key to encrypt the victims’ files, without applying enough salt to the encrypted data.

“The threat actor tried to increase the randomness of the encrypted data by using a cryptographic technique called salting. The salt was static and used for every encryption process which poses a significant flaw in the encryption routine,” EclecticIQ explains.

In the ransom note dropped on the victims’ computers, however, the attackers claimed that the files were encrypted with a military-grade encryption algorithm and that the data could be recovered only by paying a ransom.
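The static-key, static-salt flaw described above can be illustrated with a short sketch. This is an added example, not EclecticIQ's decryptor or code from the ransomware; the secret, salt, iteration count and the use of PBKDF2-HMAC-SHA1 as the key derivation function are all constructed assumptions.

```python
import base64
import hashlib
import os

# Constructed stand-ins for values hardcoded in a sample (NOT Key Group's real ones).
STATIC_SECRET_B64 = base64.b64encode(b"constructed-demo-secret")
STATIC_SALT = bytes(range(8))
ITERATIONS = 1000  # assumed work factor


def derive_key(secret_b64: bytes, salt: bytes) -> bytes:
    """Derive a 32-byte AES key; PBKDF2-HMAC-SHA1 is an assumed KDF."""
    secret = base64.b64decode(secret_b64)
    return hashlib.pbkdf2_hmac("sha1", secret, salt, ITERATIONS, dklen=32)


def keys_per_file(file_names, random_salt: bool) -> dict:
    """Map each file to the key it would be encrypted under."""
    keys = {}
    for name in file_names:
        salt = os.urandom(16) if random_salt else STATIC_SALT
        keys[name] = derive_key(STATIC_SECRET_B64, salt)
    return keys


def distinct_keys(keys: dict) -> int:
    """Number of different keys in use across the file set."""
    return len(set(keys.values()))


def key_recovered_from_sample() -> bytes:
    """What an analyst can compute from the binary's constants alone."""
    return derive_key(STATIC_SECRET_B64, STATIC_SALT)


if __name__ == "__main__":
    files = ["report.docx", "db.bak", "photo.jpg"]  # constructed names
    static = keys_per_file(files, random_salt=False)
    fresh = keys_per_file(files, random_salt=True)
    print("static salt, distinct keys:", distinct_keys(static))
    print("random salt, distinct keys:", distinct_keys(fresh))
    print("analyst key matches every file:",
          all(k == key_recovered_from_sample() for k in static.values()))
```

With a static salt, the salt contributes no per-file variation, so the one key derived from the sample's constants applies to every file, which is the property a single decryptor depends on.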

EclecticIQ says its free decryption tool can be used to decrypt files that have the .keygroup777tg extension, but warns that the tool is experimental and it might not work on all Key Group ransomware samples.

The tool, a Python script available at the bottom of EclecticIQ’s report on Key Group ransomware, only works with samples compiled after August 3.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
