Cyber intelligence firm EclecticIQ on Thursday announced the release of a free decryption tool to help victims of the Key Group ransomware recover their data without having to pay a ransom.
Also known as keygroup777, Key Group is a Russian-speaking cybercrime actor known for selling personally identifiable information (PII) and access to compromised devices, as well as extorting victims for money.
The group has been observed using private Telegram channels to communicate with members and share details on offensive tools. Based on this communication, EclecticIQ believes that the group started using NjRAT for remote access to victim devices.
Key Group first introduced its ransomware family on January 6 and has since continued to use it in attacks.
On the victim machine, the Key Group ransomware deletes volume shadow copies (using off-the-shelf tools) and backups made with the Windows Server Backup tool, and attempts to disable security features such as the Windows Error Recovery screen and the Windows Recovery Environment.
The ransomware can also disable the update mechanisms of anti-malware tools from various vendors, including Avast, ESET, and Kaspersky.
While analyzing the threat, EclecticIQ’s security researchers discovered several cryptographic errors that allowed them to develop a decryptor for the ransomware.
The researchers observed that the ransomware employs AES encryption with a base64-encoded static key to encrypt the victims’ files, and that the salt it applies during encryption is static rather than random.
“The threat actor tried to increase the randomness of the encrypted data by using a cryptographic technique called salting. The salt was static and used for every encryption process which poses a significant flaw in the encryption routine,” EclecticIQ explains.
In the ransom note dropped on the victims’ computers, however, the attackers claimed that the files were encrypted with a military-grade encryption algorithm and that the data could be recovered only by paying a ransom.
EclecticIQ says its free decryption tool can be used to decrypt files that have the .keygroup777tg extension, but warns that the tool is experimental and it might not work on all Key Group ransomware samples.
The tool, a Python script available at the bottom of EclecticIQ’s report on Key Group ransomware, only works with samples compiled after August 3.
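To make the flaw described above concrete, and to show why such a decryptor is tied to the build it was written for, the following is an added illustration, not EclecticIQ's tool or the ransomware's code. It assumes a PBKDF2 key derivation and uses a toy HMAC-based stream cipher in place of AES (stdlib only); the key and salt values are constructed placeholders, not the real secrets.

```python
import base64
import hashlib
import hmac

EXT = ".keygroup777tg"
# CONSTRUCTED placeholders for the static secrets an analyst would extract
# from a sample; the real values are not on this page.
STATIC_KEY_B64 = base64.b64encode(b"constructed-static-key").decode()
STATIC_SALT = b"constructed-static-salt"


def derive_key(key_b64: str, salt: bytes) -> bytes:
    # PBKDF2 is an assumed KDF here; with a fixed password and a fixed salt
    # it always yields the same 32-byte key, which is the flaw in question.
    return hashlib.pbkdf2_hmac("sha256", base64.b64decode(key_b64), salt, 10_000)


def stream_xor(key: bytes, data: bytes) -> bytes:
    # Toy counter-mode stream cipher from HMAC-SHA256: a stdlib stand-in for
    # AES, not the malware's cipher. Applying it twice restores the input.
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, block.to_bytes(8, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def weak_encrypt(plaintext: bytes) -> bytes:
    # Models the described scheme: nothing per-file is mixed in, so every
    # victim file is protected by exactly the same derived key.
    return stream_xor(derive_key(STATIC_KEY_B64, STATIC_SALT), plaintext)


def decrypt_files(encrypted: dict, key_b64: str, salt: bytes) -> dict:
    # Analyst side: derive the key once from the recovered static secrets and
    # apply it to every file carrying the ransomware's extension.
    key = derive_key(key_b64, salt)
    return {name[:-len(EXT)]: stream_xor(key, data)
            for name, data in encrypted.items() if name.endswith(EXT)}


def demo() -> tuple:
    # Constructed victim files; returns (recovered, recovered_with_wrong_salt).
    files = {"report.docx": b"quarterly figures", "pay.xlsx": b"payroll 2023"}
    enc = {n + EXT: weak_encrypt(p) for n, p in files.items()}
    good = decrypt_files(enc, STATIC_KEY_B64, STATIC_SALT)
    # A sample built with different static secrets defeats the same tool,
    # which is why such decryptors are sample-specific.
    bad = decrypt_files(enc, STATIC_KEY_B64, b"some-other-build-salt")
    return good, bad
```

Because the derived key never changes, one recovered key opens every file from that build; a build with different static secrets yields garbage, matching the caveat that the tool may not work on all samples.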