Good news for Key Group ransomware victims: Free decryptor out now

That's what we call a static shock


Even ransomware operators make mistakes, and in the case of ransomware gang the Key Group, a cryptographic error allowed a team of security researchers to develop and release a decryption tool to restore scrambled files.

The decryptor only works on a specific version of the ransomware built around August 3, according to threat intel provider EclecticIQ, which spotted the criminals' mistakes and exploited them to develop the Python-based restoration tool. 

It's available for free: EclecticIQ published the Python script on Thursday in a report about the Russian-speaking gang. Check out the details, and scroll way down to Appendix A for the smart script. 

If you are a Key Group ransomware victim, we'd suggest you look into the above before too long, in case the gang catches wind of the decryption tool and rewrites its malware accordingly — or changes its business model altogether.

"Key Group ransomware uses AES encryption, implemented in C#, using the RijndaelManaged class, which is a symmetric encryption algorithm," EclecticIQ researcher Arda Büyükkaya wrote.

It encrypts victims' data using AES in CBC mode with a key derived from a fixed password and fixed salt, Büyükkaya said. And this is where the gang screwed up, we're told: that fixed salt with a fixed password. That makes it pretty trivial to write a decryption routine for the ransomwared files, as you then know all the secrets needed to reverse the encryption.

"The ransomware uses the same static AES key and initialization vector (IV) to recursively encrypt victim data and change the name of encrypted files with the keygroup777tg extension," Büyükkaya said.

This static encryption key, along with "multiple cryptographic mistakes," allowed EclecticIQ to reverse engineer the malware, and develop a decryptor for this particular version.
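As an added illustration, not EclecticIQ's Appendix A script and not the gang's code, the Python below shows why a fixed password and salt make recovery trivial: the key and IV are reproducible by anyone who has read the malware, so a decryptor needs nothing from the attacker. It assumes PBKDF2 derivation (in the style of .NET's Rfc2898DeriveBytes) and uses placeholder password and salt values; the real values and derivation details are in the report, and a failed padding check is the quickest sign that a sample is a different build.

```python
"""Illustrative decryptor for the static-key flaw described above.
Assumptions (not taken from the report): key and IV come from PBKDF2 over
the fixed password and salt; the password/salt below are placeholders.
"""
import hashlib
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Placeholder values: the real password/salt are in EclecticIQ's Appendix A.
STATIC_PASSWORD = b"PLACEHOLDER_PASSWORD"
STATIC_SALT = b"PLACEHOLDER_SALT"
ENCRYPTED_EXT = ".keygroup777tg"


def derive_key_iv(password: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Deterministic: the same inputs always yield the same key and IV.
    That is the whole weakness - there is no per-victim or per-file secret."""
    material = hashlib.pbkdf2_hmac("sha1", password, salt, 1000, dklen=48)
    return material[:32], material[32:]  # AES-256 key, 16-byte CBC IV


def decrypt_file_bytes(ciphertext: bytes, password: bytes = STATIC_PASSWORD,
                       salt: bytes = STATIC_SALT) -> bytes:
    """Recover plaintext; raises ValueError if the static parameters are wrong
    (bad PKCS#7 padding is the first sign the sample is a different build)."""
    key, iv = derive_key_iv(password, salt)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("padding check failed: wrong key/IV or other variant")
    return padded[:-pad]


def encrypt_file_bytes(plaintext: bytes) -> bytes:
    """Constructed stand-in used only to build test data for the decryptor:
    AES-256-CBC with the static key/IV and PKCS#7 padding."""
    key, iv = derive_key_iv(STATIC_PASSWORD, STATIC_SALT)
    pad = 16 - len(plaintext) % 16
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(plaintext + bytes([pad]) * pad) + enc.finalize()


def restore_name(encrypted_name: str) -> str:
    """Strip the ransomware's extension to recover the original file name."""
    if not encrypted_name.endswith(ENCRYPTED_EXT):
        raise ValueError("not a Key Group encrypted file name")
    return encrypted_name[: -len(ENCRYPTED_EXT)]
```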

Despite its mistakes, the gang still believes it is using a "military-grade encryption algorithm," and has been telling victims that they have no option other than paying the ransom demand if they want to restore their data. Such is PR.

The threat intel team also describes Key Group, which has only been around since January, as a "low-sophisticated threat actor," which is pretty damning.

In addition to the gang's public Telegram channel, which it uses to negotiate ransom payments, EclecticIQ analysts say they've also seen Key Group use a private Telegram channel for selling and sharing SIM cards, doxing data, and remote access to IP camera servers. ®
