Hackers made an unforgivable mistake in the process of encrypting user files.
Cybersecurity researchers took advantage of a vulnerability in the encryption scheme of the ransomware software Key Group and developed a tool that will allow many victims to recover their files absolutely free of charge.
The decryptor was created by specialists from EclecticIQ and works with versions of the Key Group malware collected at the beginning of this August.
The attackers previously claimed that their software uses "military-grade AES encryption." This may be true, but the ransomware made a mistake by using a static salt in all cryptographic processes, which made the overall encryption scheme predictable and reversible.
The ransomware group Key Group started its activity earlier this year. It attacked various organizations, stole data from hacked systems, and then used closed Telegram channels to negotiate a ransom.
In March, cybersecurity researchers at BI.ZONE reported that the Key Group encryptor is based on the Chaos 4.0 ransomware builder.
EclecticIQ specialists, in turn, found out what the group does on the darknet. Its operators sell stolen data, publish information for deanonymization, provide remote access to IP cameras, and much more.
Upon completion of the encryption process, the Key Group malware transfers the encrypted files to a new "container" with the extension ".KEYGROUP777TG" and deletes all the original data.
Attackers use legitimate Windows binaries, so-called LOLBins, to delete shadow copies of the volume, thereby preventing system and data recovery without paying a ransom.
Moreover, the malware alters the host addresses used by antivirus products running on the compromised system so that they can no longer receive fresh updates.
The Key Group decryptor developed by EclecticIQ is a regular Python script that users can run with the following command if they have Python installed on Windows:
Code:
python decryptor.py /path/to/search/directory
The script scans the directory from which it was launched, along with all subdirectories, for files with the extension ".KEYGROUP777TG", decrypts and saves the contents with the original file name.
As mentioned above, the decryptor requires Python to be installed, as well as the cryptography library.
Experts recommend making a backup copy of the encrypted files before running the script, because if the process fails, it can lead to permanent damage and data loss.
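The two points above, that a static salt makes the derived key fully predictable and that recovery should scan for ".KEYGROUP777TG" files and back them up before touching them, are illustrated in this added Python example. It is not the EclecticIQ decryptor and not Key Group's code: the passphrase, the salt, the PBKDF2 parameters and the SHA-256 counter-mode stand-in cipher are all constructed assumptions; only the file extension comes from the article.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".KEYGROUP777TG"  # extension the article reports for Key Group containers

def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256. With an embedded passphrase and a static salt (the
    weakness described above) this is fully deterministic: recover the two
    constants once and the same key opens every victim's files."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=32)

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in counter-mode cipher (assumption: NOT AES, NOT Key Group's code).
    Keystream = SHA-256(key || counter); XOR is its own inverse."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def find_encrypted_files(root: Path) -> list[Path]:
    """Recursively collect files that carry the ransomware extension."""
    return sorted(p for p in root.rglob("*" + ENCRYPTED_EXT) if p.is_file())

def recover_file(path: Path, key: bytes, backup_dir: Path) -> Path:
    """Copy the container to backup_dir first, then write the plaintext
    under the original name (extension stripped). The container is kept."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(path, backup_dir / path.name)
    original = path.with_name(path.name[: -len(ENCRYPTED_EXT)])
    original.write_bytes(keystream_xor(path.read_bytes(), key))
    return original

def recover_tree(root: Path, key: bytes, backup_dir: Path) -> list[Path]:
    return [recover_file(p, key, backup_dir) for p in find_encrypted_files(root)]

def demo() -> tuple[str, bytes, bool]:
    """Constructed round trip in a temp dir: encrypt one file, then recover it."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    key = derive_key(b"constructed-passphrase", b"constructed-static-salt")
    victim = root / "docs" / ("report.docx" + ENCRYPTED_EXT)
    victim.write_bytes(keystream_xor(b"quarterly numbers", key))
    restored = recover_tree(root, key, root / "backup")[0]
    return restored.name, restored.read_bytes(), (root / "backup" / victim.name).exists()
```

Calling `demo()` returns the restored file name, its plaintext and whether the backup copy exists; the original container is never deleted, so a failed decryption can be retried from the backup.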
The release of the decryptor by EclecticIQ specialists may encourage the attackers responsible for developing the Key Group encryptor to fix the vulnerabilities in their software, which will make it difficult to decrypt future versions. However, the tool remains extremely valuable for victims affected by the current versions of the ransomware.