Decrypting Key Group Ransomware: Emerging Financially Motivated Cyber Crime Gang

EclecticIQ assesses the Key Group ransomware gang as a financially motivated, Russian-speaking threat group that negotiates via private Telegram channels and has used NjRAT for remote access. The ransomware encrypts data with AES-CBC under a static key; this and related cryptographic flaws enabled researchers to build a decryption tool for one specific version. Hashtags: #KeyGroupRansomware #NjRAT #DARKZEUS #DarkStore

Keypoints

  • Key Group is a Russian-speaking financial-gain threat actor that operates via private Telegram channels to share information and communicate with members.
  • They have used NjRAT, a remote administration tool, to access victim devices remotely; the report shows members testing an NjRAT panel shared by the group's admin in a private Telegram channel.
  • Key Group ransomware encrypts files using AES in CBC mode with a static key and fixed salt, and renames files with a .keygroup777tg extension.
  • Cryptographic flaws in the ransomware version allowed EclecticIQ to develop a decryptor/tool for that sample (Appendix A).
  • The group exfiltrates victim network metadata (browser fingerprint, IP, geo, infection time) via yip.su and iplogger.org.
  • They employ LOLBINs to delete backups and disable anti-malware updates, including VSS deletion and related boot/backup modifications.
  • EclecticIQ recommends mitigations such as disabling RDP where it is not needed, applying application whitelisting, keeping robust backups in offline or versioned storage, and regularly testing restores.
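To show why a static key and fixed salt are fatal for the scheme described above, here is an added example written for this summary; it is not EclecticIQ's decryptor and not the ransomware's source. The password, salt, iteration count and the key/IV split are hypothetical stand-ins (the real values are not on this page), and PBKDF2-HMAC-SHA1 is assumed because it is what .NET's Rfc2898DeriveBytes implements for a C# RijndaelManaged sample. The point it demonstrates: once those constants are pulled from the binary, any file carrying the .keygroup777tg extension can be decrypted with no input from the attacker.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical stand-ins for the constants a sample would carry; none of these
// are the real values, which the page does not reproduce.
const (
	staticPassword = "example-static-password" // assumption
	iterations     = 1000                      // assumption
	encExt         = ".keygroup777tg"          // extension named in the report
)

var fixedSalt = []byte("example-fixed-salt") // assumption

// pbkdf2SHA1 is PBKDF2 (RFC 2898) with HMAC-SHA1, the construction behind
// .NET's Rfc2898DeriveBytes, written out so this block needs only the stdlib.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	ctr := make([]byte, 4)
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr, block)
		prf.Write(ctr)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKeyIV mirrors the common GetBytes(32)/GetBytes(16) pattern: the first
// 32 derived bytes are the AES-256 key, the next 16 the CBC IV. Every input is
// a constant, so every victim and every file gets the same key and IV.
func deriveKeyIV() (key, iv []byte) {
	kb := pbkdf2SHA1([]byte(staticPassword), fixedSalt, iterations, 48)
	return kb[:32], kb[32:]
}

// pkcs7Pad returns a padded copy (RijndaelManaged defaults to PKCS#7).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext buffer")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// encryptFile reproduces the weak construction only to create test data:
// AES-CBC with the derived static key/IV, file name Base64-encoded plus extension.
func encryptFile(name string, plain []byte) (encName string, ct []byte) {
	key, iv := deriveKeyIV()
	blk, _ := aes.NewCipher(key)
	padded := pkcs7Pad(plain)
	ct = make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString([]byte(name)) + encExt, ct
}

// decryptFile is the defender-side tool: the sample carries every input to the
// key derivation, so the original name and content come back without any key
// from the attacker. Malformed input is rejected instead of panicking.
func decryptFile(encName string, ct []byte) (name string, plain []byte, err error) {
	if !strings.HasSuffix(encName, encExt) {
		return "", nil, fmt.Errorf("%q lacks the %s extension", encName, encExt)
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSuffix(encName, encExt))
	if err != nil {
		return "", nil, fmt.Errorf("file name is not Base64: %w", err)
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), aes.BlockSize)
	}
	key, iv := deriveKeyIV()
	blk, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	if plain, err = pkcs7Unpad(pt); err != nil {
		return "", nil, err
	}
	return string(raw), plain, nil
}

func main() {
	encName, ct := encryptFile("invoice.docx", []byte("constructed sample content"))
	name, plain, err := decryptFile(encName, ct)
	fmt.Printf("%s -> %s: %q (err=%v)\n", encName, name, plain, err)
}
```

Because key and IV never change, identical plaintexts produce identical ciphertexts across files and victims, which is itself a quick triage signal: two .keygroup777tg files with byte-identical first blocks almost certainly started as files with identical first 16 bytes.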

MITRE Techniques

  • [T1021] Remote Services – NjRAT remote administration tool used to remotely access victim devices. “Figure 2 shows Key Group ransomware members testing NjRAT malware: NjRAT panel shared by Key Group admin in private Telegram channel.”
  • [T1071.001] Application Layer Protocol: Web Protocols – Telegram channel usage for negotiation and information sharing. “Key Group Telegram channel @keygroup777Tg” and private channels described for doxing and tool sharing.
  • [T1132.001] Data Encoding: Standard Encoding – File names are Base64-encoded before the encrypted file is renamed. “It encodes the file name in Base64 format and stores it in the variable text.”
  • [T1486] Data Encrypted for Impact – AES-CBC encryption of victim data with a static key and fixed salt. “Key Group ransomware uses AES encryption, implemented in C#, using the RijndaelManaged class, which is a symmetric encryption algorithm… Cipher Block Chaining (CBC) mode with a given static password.”
  • [T1490] Inhibit System Recovery – Deleting Volume Shadow Copies and disabling Windows recovery and the backup catalog through built-in binaries (LOLBINs: vssadmin, wmic, bcdedit, wbadmin). “vssadmin delete shadows /all /quiet”, “wmic shadowcopy delete”, “bcdedit /set {default} bootstatuspolicy ignoreallfailures”, “bcdedit /set {default} recoveryenabled no”, “wbadmin delete catalog -quiet”.
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Hosts-file entries redirect anti-malware update hostnames so that update traffic never reaches the vendor. “redirected to localhost which means it will be dropped, effectively disabling anti-malware updates.”
  • [T1041] Exfiltration – Victim network metadata is sent via yip.su to iplogger.org (evidence of data leaving the victim): browser fingerprint, IP address, geo-location, and infection time. “Network metadata include web browser fingerprint, IP address, geo-location, and date-time when a victim got infected by ransomware.”
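The T1490 and T1562.001 entries above translate directly into detection logic. The following is an added example written for this summary, not code from EclecticIQ: it matches process command lines against the five LOLBIN invocations quoted in the report and scans a hosts file for entries that point a non-loopback hostname at a loopback address or at the 77.88.55.60 IoC. The command lines and hosts file below are constructed sample telemetry; the example-av.test hostnames are placeholders, not vendor domains from the report.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Finding ties one observed artefact to the technique it indicates.
type Finding struct {
	Technique string
	Detail    string
	Evidence  string
}

// t1490Rules cover the exact invocations quoted in the report, written loosely
// enough to survive full paths, an .exe suffix, extra switches and case changes.
var t1490Rules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"vssadmin shadow copy deletion", regexp.MustCompile(`(?i)\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b`)},
	{"wmic shadow copy deletion", regexp.MustCompile(`(?i)\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b`)},
	{"bcdedit recovery disabled", regexp.MustCompile(`(?i)\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b`)},
	{"bcdedit boot failures ignored", regexp.MustCompile(`(?i)\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b`)},
	{"wbadmin backup catalog deletion", regexp.MustCompile(`(?i)\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b`)},
}

// classifyCommand returns the T1490 rule a process command line trips, if any.
func classifyCommand(cmdline string) (Finding, bool) {
	for _, r := range t1490Rules {
		if r.re.MatchString(cmdline) {
			return Finding{"T1490", r.name, cmdline}, true
		}
	}
	return Finding{}, false
}

// scanCommands runs classifyCommand over a batch of command lines.
func scanCommands(cmds []string) []Finding {
	var out []Finding
	for _, c := range cmds {
		if f, hit := classifyCommand(c); hit {
			out = append(out, f)
		}
	}
	return out
}

// iocIP is the address from the report's IoC list.
const iocIP = "77.88.55.60"

// scanHosts flags hosts-file lines that sinkhole a non-loopback hostname to a
// loopback address (traffic silently dropped) or point a hostname at the IoC IP.
func scanHosts(hostsFile string) []Finding {
	var out []Finding
	for _, line := range strings.Split(hostsFile, "\n") {
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i] // strip trailing comments
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		ip := net.ParseIP(fields[0])
		if ip == nil {
			continue
		}
		for _, host := range fields[1:] {
			h := strings.ToLower(host)
			switch {
			case ip.IsLoopback() && h != "localhost" && !strings.HasSuffix(h, ".localhost"):
				out = append(out, Finding{"T1562.001", "hostname sinkholed to loopback", fields[0] + " " + host})
			case fields[0] == iocIP:
				out = append(out, Finding{"T1562.001", "hostname redirected to IoC address", fields[0] + " " + host})
			}
		}
	}
	return out
}

// Constructed sample telemetry, not data from the report.
var sampleCommands = []string{
	`C:\Windows\System32\vssadmin.exe delete shadows /all /quiet`,
	`wmic shadowcopy delete`,
	`bcdedit /set {default} bootstatuspolicy ignoreallfailures`,
	`bcdedit /set {default} recoveryenabled no`,
	`wbadmin delete catalog -quiet`,
	`vssadmin list shadows`,                      // benign, must not fire
	`C:\Windows\System32\svchost.exe -k netsvcs`, // benign, must not fire
}

const sampleHosts = `# constructed hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test   # sinkholed
77.88.55.60     defs.example-av.test     # redirected to IoC IP
192.168.1.10    fileserver.corp.test
`

func main() {
	for _, f := range append(scanCommands(sampleCommands), scanHosts(sampleHosts)...) {
		fmt.Printf("[%s] %s: %s\n", f.Technique, f.Detail, f.Evidence)
	}
}
```

Any one of the five T1490 matches from a non-administrative context is worth an alert on its own; two or more within a few seconds of each other on the same host is the burst pattern ransomware produces just before encryption starts, which is the moment isolation still saves most of the data.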

Indicators of Compromise

  • [File hash] MD5 – c2e1048e1e5130e36af297c73a83aff6, 09ce91b4f137a4cbc1496d3791c6e75b, and 4 more hashes
  • [File hash] MD5 – d7d20a9d74a3f0b5b0b98de937ebbf85
  • [File hash] MD5 – 7e1577b6e42d47b30ae597eee720d3b1
  • [File hash] MD5 – 1ac0c10947e09efa8e730ea9e28d8382
  • [File hash] MD5 – 604fd6351a04b871dc77b6c7ad24ff3c
  • [Domain] yip.su – URL shortener used to forward to iplogger.org for network metadata collection
  • [Domain] iplogger.org – Target domain collecting metadata
  • [IP Address] 77.88.55.60 – Address that hosts-file entries point anti-malware hostnames at; it is a legitimate Yandex server, not attacker infrastructure, so treat it as a hosts-file tampering indicator rather than a block-list entry
  • [Filename extension] .keygroup777tg – Extension used for encrypted files

Read more: https://blog.eclecticiq.com/decrypting-key-group-ransomware-emerging-financially-motivated-cyber-crime-gang