Good news for Key Group ransomware victims: Free decryptor out now

That's what we call a static shock

Even ransomware operators make mistakes, and in the case of ransomware gang the Key Group, a cryptographic error allowed a team of security researchers to develop and release a decryption tool to restore scrambled files.

The decryptor only works on a specific version of the ransomware built around August 3, according to threat intel provider EclecticIQ, which spotted the criminals' mistakes and exploited them to develop the Python-based restoration tool. 

It's available for free: EclecticIQ published the Python script on Thursday in a report about the Russian-speaking gang. Check out the details, and scroll way down to Appendix A for the smart script. 

If you are a Key Group ransomware victim, we'd suggest you look into the above before too long, in case the gang catches wind of the decryption tool and rewrites its malware accordingly — or changes its business model altogether.

"Key Group ransomware uses AES encryption, implemented in C#, using the RijndaelManaged class, which is a symmetric encryption algorithm," EclecticIQ researcher Arda Büyükkaya wrote.

It encrypts victims' data with AES in CBC mode, using a key derived from a fixed password and a fixed salt, Büyükkaya said. And this is where the gang screwed up, we're told: a fixed salt with a fixed password. That makes it pretty trivial to write a decryption routine for the ransomwared files, as you then know all the secrets needed to reverse the encryption.

"The ransomware uses the same static AES key and initialization vector (IV) to recursively encrypt victim data and change the name of encrypted files with the keygroup777tg extension," Büyükkaya said.

This static encryption key, along with "multiple cryptographic mistakes," allowed EclecticIQ to reverse engineer the malware, and develop a decryptor for this particular version.
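To make the mistake concrete, here is an added Go example modelling the flaw the researchers describe; it is not EclecticIQ's Python script and not the gang's code. The password, salt and the HMAC-SHA256 derivation are constructed stand-ins (the page names neither the constants nor the KDF), so the only thing the code shows is why one fixed password, salt and IV let anyone holding those constants decrypt every file from this build.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// Constructed stand-ins: the real Key Group password and salt are in EclecticIQ's Appendix A script, not here.
var fixedPassword = []byte("PLACEHOLDER-password")
var fixedSalt = []byte("PLACEHOLDER-salt")

// DeriveKeyIV models a fixed-password, fixed-salt derivation (HMAC-SHA256 is an assumed stand-in; the page
// names no KDF). Nothing per-victim enters it, so every infection of this build shares one key and one IV.
func DeriveKeyIV() (key, iv []byte) {
	mac := hmac.New(sha256.New, fixedPassword)
	mac.Write(fixedSalt)
	key = mac.Sum(nil) // 32 bytes: AES-256 key
	mac.Write([]byte("iv"))
	iv = mac.Sum(nil)[:aes.BlockSize] // 16 bytes: CBC IV
	return key, iv
}

// EncryptFile is the ransomware's step: PKCS#7 pad, then AES-CBC under the shared key/IV.
func EncryptFile(pt, key, iv []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte(nil), pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	block, _ := aes.NewCipher(key) // key comes from DeriveKeyIV and is always 32 bytes
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct
}

// DecryptFile is the decryptor's core: AES-CBC with the same key/IV, then strip PKCS#7 padding; a padding failure means another build or a corrupted file.
func DecryptFile(ct, key, iv []byte) ([]byte, error) {
	if len(key) != 32 || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("need a 32-byte key, 16-byte IV and a whole number of AES blocks")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong key/IV or corrupted file")
	}
	return pt[:len(pt)-n], nil
}
```

Because the key and IV never change, two victims encrypting the same bytes get byte-identical ciphertext, and a single recovered set of constants unlocks every file carrying the keygroup777tg extension from this build.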

Despite its mistakes, the gang still believes it is using a "military-grade encryption algorithm," and has been telling victims that they have no option other than paying the ransom demand if they want to restore their data. Such is PR.

The threat intel team also describes Key Group, which has only been around since January, as a "low-sophisticated threat actor," which is pretty damning.

In addition to the gang's public Telegram channel, which it uses to negotiate ransom payments, EclecticIQ analysts say they've also seen Key Group use a private Telegram channel for selling and sharing SIM cards, doxing data, and remote access to IP camera servers. ®
