The Key Group ransomware [1] [2] [3] [4] [5] [6], a type of ransomware belonging to the Xorist malware family [1], is a significant threat that encrypts various file types [4], rendering them unusable [4]. However, a vulnerability has been discovered in this ransomware, allowing for the recovery of encrypted files [6].

Description

The Key Group ransomware has two versions, one marking encrypted files with the ‘.keygroup’ extension and the other with ‘.keygroup777’. It is operated by a financially motivated threat group primarily active in Russian-speaking regions. The ransomware uses the Advanced Encryption Standard (AES) to encrypt files and appends the KEYGROUP777TG extension to the names of encrypted files.
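Because the two variants mark their output with distinct extensions, the first incident-response task on an affected host is usually to inventory what was encrypted before any decryptor is run. The script below is an added example for that triage step; it is not EclecticIQ's decryptor nor code from any of the cited articles. The extensions come from the text above; the case-insensitive matching, the directory layout and the sample files are assumptions (the files are constructed for the demo and contain no real victim data).

```python
"""Inventory files carrying Key Group ransomware extensions (IR triage example).

Added example, not code from EclecticIQ or the cited articles. Only the
extension names are taken from the page; everything else is assumed.
"""
from __future__ import annotations

import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

# Extensions reported for the Key Group variants. Matching is case-insensitive
# because the marker is reported both as '.keygroup777' and '.KEYGROUP777TG'.
KEYGROUP_EXTENSIONS = (".keygroup", ".keygroup777", ".keygroup777tg")


@dataclass
class TriageReport:
    affected: list[Path] = field(default_factory=list)
    by_extension: Counter = field(default_factory=Counter)
    by_original_type: Counter = field(default_factory=Counter)
    total_bytes: int = 0


def classify(path: Path) -> str | None:
    """Return the matching Key Group marker, or None if the file is not marked."""
    name = path.name.lower()
    # Longest marker first so 'x.keygroup777tg' is not reported as '.keygroup'.
    for ext in sorted(KEYGROUP_EXTENSIONS, key=len, reverse=True):
        if name.endswith(ext):
            return ext
    return None


def original_suffix(path: Path, ext: str) -> str:
    """Strip the ransomware marker to recover the original file type (e.g. '.docx')."""
    stripped = path.name[: -len(ext)]
    return Path(stripped).suffix.lower() or "<none>"


def triage(root: Path) -> TriageReport:
    """Walk `root` and collect every file that carries a Key Group marker."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            ext = classify(p)
            if ext is None:
                continue
            report.affected.append(p)
            report.by_extension[ext] += 1
            report.by_original_type[original_suffix(p, ext)] += 1
            try:
                report.total_bytes += p.stat().st_size
            except OSError:
                pass  # file vanished or unreadable; still counted as affected
    return report


def build_sample_tree(base: Path) -> None:
    """Write a constructed set of files (assumed layout, no real victim data)."""
    (base / "subdir").mkdir(parents=True, exist_ok=True)
    samples = {
        "report.docx.keygroup": b"\x00" * 64,
        "photo.jpg.KEYGROUP777TG": b"\x00" * 128,
        "db.sqlite.keygroup777": b"\x00" * 32,
        "notes.txt": b"plain text, untouched",
        "subdir/budget.xlsx.keygroup777tg": b"\x00" * 16,
    }
    for rel, content in samples.items():
        (base / rel).write_bytes(content)


def run_demo() -> TriageReport:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    r = run_demo()
    print(f"{len(r.affected)} marked files, {r.total_bytes} bytes")
    print("by marker:", dict(r.by_extension))
    print("by original type:", dict(r.by_original_type))
```

The per-extension split tells the responder which variant hit the host (and therefore whether a given decryptor is expected to apply), while the original-type breakdown prioritises what to restore from backup first if decryption turns out not to be possible.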

Dutch security company EclecticIQ has successfully decrypted files with the .KEYGROUP777TG extension by exploiting a weakness in the ransomware’s cryptographic implementation. They have developed a dedicated decryption tool, a Python script [1] [3] [6], which can be found at the end of an article providing additional details about the ransomware [6]. This tool allows victims to recover their data without paying the Key Group ransom.

It is important to note that the decryption tool may not be effective against future versions of the ransomware if the hackers modify their malware in response. To protect against the Key Group ransomware [5], security teams should consider disabling non-essential remote desktop protocols, restricting application execution [5], and implementing a secure backup strategy [5]. Recent Telegram messages suggest that Key Group may be using the NjRAT remote administration tool to access victim devices [2].

EclecticIQ analysts have classified Key Group as a low-sophistication threat actor because of the cryptographic mistakes in its ransomware samples [2]. Cybersecurity experts have released a Python script for decrypting files encrypted by Key Group ransomware [1]. Victims are advised not to comply with the ransom demands [4]: the hackers may not provide the decryption keys even if paid [4], and paying carries a risk of further exploitation and additional security or privacy concerns [4].

Conclusion

The discovery of a weakness in the Key Group ransomware and the development of a decryption tool have significant implications for victims, who can now recover their encrypted files without paying the ransom. It is crucial to remain vigilant, however, as future versions of the ransomware may not be susceptible to the decryption tool. To mitigate the risk of falling victim to the Key Group ransomware, security teams should implement preventive measures such as disabling non-essential remote desktop protocols, restricting application execution [5], and maintaining secure backups. Individuals and organizations should also refrain from complying with ransom demands, as there is no guarantee that the hackers will provide the decryption keys. By staying informed and taking proactive security measures, users can protect themselves against this threat and minimize its potential impact on their data and systems.

References

[1] https://www.pcrisk.com/removal-guides/24740-key-group-ransomware
[2] https://blog.eclecticiq.com/decrypting-key-group-ransomware-emerging-financially-motivated-cyber-crime-gang
[3] https://www.techzine.eu/news/security/110818/free-decryptor-for-key-group-ransomware-helps-with-data-recovery/
[4] https://www.enigmasoftware.com/keygroupransomware-removal/
[5] https://www.darkreading.com/threat-intelligence/key-group-ransomware-decryptor
[6] https://borncity.com/win/2023/09/03/decryptor-for-key-group-ransomware-available/