Cyber intelligence firm EclecticIQ on Thursday announced the release of a free decryption tool to help victims of the Key Group ransomware recover their data without having to pay a ransom.
Also known as keygroup777, Key Group is a Russian-speaking cybercrime actor known for selling personally identifiable information (PII) and access to compromised devices, as well as extorting victims for money.
The group has been observed using private Telegram channels to communicate with members and share details on offensive tools. Based on this communication, EclecticIQ believes that the group started using NjRAT for remote access to victim devices.
Key Group first introduced its ransomware family on January 6 and has since continued to use it in attacks.
On the victim machine, the Key Group ransomware deletes volume shadow copies (using off-the-shelf tools) and backups made with the Windows Server Backup tool, and attempts to disable security features such as the Windows Error Recovery screen and the Windows Recovery Environment.
The ransomware can also disable the update mechanisms of anti-malware tools from various vendors, including Avast, ESET, and Kaspersky.
While analyzing the threat, EclecticIQ’s security researchers discovered several cryptographic errors that allowed them to develop a decryptor for the ransomware, to help victims.
The researchers observed that the ransomware employs AES encryption and uses a base64-encoded static key to encrypt the victims’ files, without applying enough salt to the encrypted data.
“The threat actor tried to increase the randomness of the encrypted data by using a cryptographic technique called salting. The salt was static and used for every encryption process which poses a significant flaw in the encryption routine,” EclecticIQ explains.
In the ransom note dropped on the victims’ computers, however, the attackers claimed that the files were encrypted with a military-grade encryption algorithm and that the data could be recovered only by paying a ransom.
EclecticIQ says its free decryption tool can be used to decrypt files that have the .keygroup777tg extension, but warns that the tool is experimental and it might not work on all Key Group ransomware samples.
The tool, a Python script available at the bottom of EclecticIQ’s report on Key Group ransomware, only works with samples compiled after August 3.