Decrypting Key Group Ransomware: Emerging Financially Motivated Cyber Crime Gang

Analyst Blog Post

Executive Summary

The Key Group ransomware family was first revealed on January 6, 2023, and the group has continued its operations since then. EclecticIQ researchers assess with high confidence that the Key Group ransomware gang is a primarily Russian-speaking, financially motivated threat group that uses the Telegram channel keygroup777Tg to negotiate ransoms.[1]

Key Group also operates a private (invite-only) Telegram channel in which members share information such as doxing material and offensive tooling. Based on Telegram messages, EclecticIQ analysts assess with low confidence that since June 29, 2023 the threat actors have likely been using NjRAT, a remote administration tool (RAT), to remotely access victim devices.[2]

Key Group ransomware uses the Advanced Encryption Standard (AES) in CBC mode to encrypt files and sends personally identifiable information (PII) from victim devices to the threat actors. The ransomware reuses a single static AES key and initialization vector (IV) to recursively encrypt victim data and appends the keygroup777tg extension to the names of encrypted files.

EclecticIQ analysts assess that Key Group can be classified as a low-sophistication threat actor. The ransomware samples contained multiple cryptographic mistakes that enabled EclecticIQ to create a decryption tool for the specific ransomware version built on August 03, 2023.
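To make the weakness described above concrete, here is an added Go example (not EclecticIQ's decryption tool or code from the samples) that reproduces an AES-CBC scheme with one static key and IV and shows why such files are recoverable: identical inputs yield identical ciphertext, and a single key/IV pair decrypts every file. The key, the IV, the leading dot on the extension and the sample inputs are constructed placeholders, not values taken from Key Group binaries.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"strings"
)

// Placeholder key and IV constructed for this example; they are NOT the
// values in Key Group samples, which a real decryptor recovers from the binary.
var (
	staticKey = []byte("0123456789abcdef")
	staticIV  = []byte("fedcba9876543210")
)
const ransomExt = ".keygroup777tg" // leading dot assumed for this example

// EncryptStatic reproduces the fixed key/IV AES-CBC scheme (PKCS#7 padding)
// only to build sample ciphertext in memory and expose the weakness.
func EncryptStatic(plaintext []byte) []byte {
	block, _ := aes.NewCipher(staticKey) // 16-byte key, cannot fail
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, staticIV).CryptBlocks(out, padded)
	return out
}

// DecryptStatic is the recovery step: one static key/IV pair decrypts every
// file. Malformed padding means a wrong key/IV or a damaged file, so the
// caller gets an error instead of silently written garbage.
func DecryptStatic(ciphertext []byte) ([]byte, error) {
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a block multiple")
	}
	block, _ := aes.NewCipher(staticKey)
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, staticIV).CryptBlocks(out, ciphertext)
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong key/IV or corrupted file")
	}
	return out[:len(out)-n], nil
}

// OriginalName strips the ransom extension; the bool reports whether it was present.
func OriginalName(name string) (string, bool) {
	return strings.TrimSuffix(name, ransomExt), strings.HasSuffix(name, ransomExt)
}
```

A recovery tool built on these pieces would walk the affected directories, call DecryptStatic on each file carrying the extension, and write the result under OriginalName.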
