Key Group, or keygroup777, is a financially motivated ransomware group primarily targeting Russian users. The first public report on Key Group’s activity was released in 2023 by BI.ZONE, a cybersecurity solutions vendor: the attackers drew attention when they left an ideological note during an attack on a Russian user, in which they did not demand money. We tracked Key Group’s activity from the start of their attacks and found that the group used not only Chaos but also other leaked ransomware builders. By analyzing the samples created with their help, we were able to find loaders and malicious URLs on GitHub that showed a connection between the group and previously unknown attackers. It’s also important to note that ransomware source code is increasingly becoming publicly available, and the number of groups using leaked builders or ransomware source code is on the rise.

Previously, the group also had an open channel @[redacted], which the attackers used to communicate with victims; however, it is no longer available. In that channel, the group published news about Key Group, updates from other channels of both technical and ideological nature, leaks from other Telegram sources, and announcements about spam raids.

The first variants of ransomware from Key Group’s arsenal were discovered in April 2022. At that time, the group was using the source code of Xorist. The first discovered sample of Key Group, the Xorist ransomware, established persistence in the system by changing file extension associations. The ransomware adds the .Keygroup777tg.EXE extension to the encrypted files. The name of the first sample resonates with the activities of the “huis” group. The .huis_bn extension added to encrypted files in the early versions of Key Group samples, Xorist and Chaos, refers to a Russian-speaking closed group “huis”, known in the shadow community. The group is known for negotiating with victims on Telegram and using the Chaos ransomware builder. The Telegram user Bloody-Lord Destroyer-Crew, also known as “bloody” in the shadow community, was the owner of the “huis” group.

In August 2022, Key Group added the Chaos builder to its toolkit. To deliver the Chaos and Xorist ransomware to the victim’s computer, Key Group used multi-stage loaders. It downloaded another SFX archive containing a sample of the Chaos ransomware (MD5: C910DA0BAA2E08CEFCE079D1F7CB3469), as well as a separate loader that downloaded a sample of the Xorist ransomware (MD5: E0C744162654352F5E048B7339920A76). The Chaos ransomware (MD5: C910DA0BAA2E08CEFCE079D1F7CB3469) copied itself to $user\$appdata\cmd.exe and executed this file as a new process. In the Chaos variant, a new extension .huis_bn was added to encrypted files, and in the ransom note, the attackers requested that victims send a message on Telegram. Throughout the year, the group used this ransomware, primarily changing only the content of the ransom note.

“I am the owner of keygroup777 and I was enraged by the work of the telegram technical support, there is no point in paying a ransom, only the contract Pavel Durov if you want to stop it, write [redacted] and I ask you not to touch Nikita's channels, bloody and nacha will be much worse time goes by, hello from Root) and quote Durov, Everything is just beginning - knees will become your only pose.”

The next Key Group samples based on Chaos were discovered in January 2023. Upon execution, the ransomware encoded file names using Base64 and added the .keygroup777tg extension. In the summer of 2023, a new sample of Chaos from Key Group was discovered, named warnep.exe (MD5: C2E1048E1E5130E36AF297C73A83AFF6).

Around the same time as the Key Group-branded RuRansom instances, a sample of another ransomware, UX-Cryptor, was observed in the attackers’ activities. Around the same time, a sample of the Slam ransomware (MD5: 09CE91B4F137A4CBC1496D3791C6E75B) was detected in Key Group attacks. As we can see, Key Group, like many hacktivists, does not develop its own malware but actively uses leaked ransomware builders, and the primary C2 channel is a GitHub repository, which makes it easy to track their activities. While studying this repository, we found the already familiar RuRansom wiper, the Hakuna Matata ransomware, as well as a sample of J-Ransomware/LoveYou and the NjRat remote access Trojan.

In August 2023, we discovered the group using the Annabelle ransomware (MD5: 05FD0124C42461EF553B4B17D18142F9). The sample observed in Key Group’s attacks encrypts files and includes an MBR locker (MD5: D06B72CEB10DFED5ECC736C85837F08E), as well as the following built-in evasion techniques.

In February 2024, Key Group switched from Chaos to the Hakuna Matata ransomware (MD5: DA09FCF140D3AAD0390FB7FAF7260EB5). In early March 2024, we discovered a Key Group sample based on the Judge/NoCry ransomware (MD5: 56F5A95FFA6F89C24E0880C519A2AA50).
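The encrypted-file extensions named in this report (.Keygroup777tg.EXE, .huis_bn and the Base64-named .keygroup777tg variant) are a cheap triage signal for responders. The Python script below is an added example, not code from the report or from the group's tooling: it inventories a directory listing for those extensions and, for the .keygroup777tg variant, tries to recover the original file name, assuming the whole original name was Base64-encoded before the extension was appended (the report does not state the exact encoding scheme).

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Extensions the report attributes to Key Group samples (Xorist and Chaos variants).
# Matching is case-insensitive; longer extensions are tried first.
KEYGROUP_EXTENSIONS = (".keygroup777tg.exe", ".keygroup777tg", ".huis_bn")

# Loose Base64 shape check (alphabet plus optional padding) before decoding.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def match_extension(name: str) -> Optional[str]:
    """Return the Key Group extension the file name ends with, or None."""
    lower = name.lower()
    for ext in KEYGROUP_EXTENSIONS:
        if lower.endswith(ext):
            return ext
    return None


def recover_original_name(name: str) -> Optional[str]:
    """Decode the Base64 stem of a .keygroup777tg file name, or return None.

    Assumption (not in the report): the stem is the Base64 of the full
    original file name. Invalid or suspicious decodes are rejected so a
    crafted name cannot smuggle path separators into a recovery listing.
    """
    if match_extension(name) != ".keygroup777tg":
        return None
    stem = name[: -len(".keygroup777tg")]
    if not _B64_RE.match(stem) or len(stem) % 4:
        return None
    try:
        decoded = base64.b64decode(stem, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if any(ord(c) < 32 for c in decoded) or "/" in decoded or "\\" in decoded:
        return None
    return decoded


def triage(listing: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (file name, matched extension, recovered name or None) per hit."""
    hits = []
    for name in listing:
        ext = match_extension(name)
        if ext:
            hits.append((name, ext, recover_original_name(name)))
    return hits


# Constructed sample listing for demonstration; not taken from a real incident.
SAMPLE_LISTING = [
    base64.b64encode(b"report.docx").decode() + ".keygroup777tg",
    "invoice.pdf.huis_bn",
    "photo.jpg.Keygroup777tg.EXE",
    "notes.txt",
]
```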
Published on securelist.com. Publication date: Tue, 01 Oct 2024 10:13:06 +0000