Key Group: another ransomware group using leaked builders
Key Group, also known as keygroup777, is a financially motivated ransomware group that primarily targets Russian users. The group is known for negotiating with victims over Telegram and for using the Chaos ransomware builder. The first public report on Key Group's activity was released in 2023 by BI.ZONE, a cybersecurity solutions vendor: the attackers drew attention when they left an ideological note during an attack on a Russian user and did not demand money. According to our telemetry, however, the group was already active in 2022, and both before and after the attack covered in the BI.ZONE report the attackers demanded payment to a Bitcoin wallet.

We tracked Key Group's activity from the start of their attacks and found that the group used not only Chaos but also other leaked ransomware builders. By analyzing samples built with these tools, we found loaders and malicious URLs on GitHub that link the group to previously unknown attackers.

Timeline of Key Group's activity

The first ransomware variants in Key Group's arsenal were discovered in April 2022. At that time, the group was using the Xorist source code. In August 2022, Key Group added the Chaos builder to its toolkit. Notably, on June 30, 2022, the creator of Chaos had announced the launch of a RaaS (Ransomware-as-a-Service) partnership program.

In the Chaos variant, encrypted files received a new extension, .huis_bn, and the ransom note told victims to send a message on Telegram. The note contained text in both Russian and English and carried the title "HOW TO DECRYPT FILES":

Attention! All your files are encrypted!
To restore your files and access them, send an SMS with the text C32d4 to the User Telegram @[redacted]
You have 1 attempts to enter the code. If this amount is exceeded, all data will irreversibly deteriorate.
Be careful when entering the code!
Glory @huis_bn

Your files are encrypted! To restore your
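The two observable artefacts of the Chaos variant described above, the .huis_bn extension on encrypted files and the "HOW TO DECRYPT FILES" note pointing to a Telegram handle, are easy to hunt for on a suspected host. The following is an added example written for this page, not Kaspersky's tooling or anything from the group; it builds a constructed sample directory, then walks it and reports both indicator types. The Telegram regex and the 64 KiB size cut-off for candidate notes are assumptions, not values taken from the article.

```python
"""Hunt for Key Group Chaos-variant artefacts: files renamed with the
.huis_bn extension and small text files that look like the
"HOW TO DECRYPT FILES" ransom note with a Telegram contact.
Added example; the sample tree below is constructed for demonstration."""
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".huis_bn"             # extension appended to encrypted files
NOTE_TITLE = "HOW TO DECRYPT FILES"    # title seen in the ransom note
# Assumed pattern for the contact line, e.g. "User Telegram @handle".
TELEGRAM_RE = re.compile(r"Telegram\s+@\w+", re.IGNORECASE)
MAX_NOTE_SIZE = 64 * 1024              # assumed: ransom notes are small text files


def scan_tree(root):
    """Walk root and return paths (relative to root) of encrypted files
    and of ransom notes, keyed as 'encrypted' and 'notes'."""
    root = Path(root)
    hits = {"encrypted": [], "notes": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.suffix.lower() == ENCRYPTED_EXT:
            hits["encrypted"].append(rel)
            continue
        # Skip anything too large to be a note; avoids reading big binaries.
        if path.stat().st_size > MAX_NOTE_SIZE:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        # Require both the title and a Telegram contact to limit false positives.
        if NOTE_TITLE in text and TELEGRAM_RE.search(text):
            hits["notes"].append(rel)
    return hits


def build_sample_tree():
    """Create a constructed victim directory: two 'encrypted' files,
    one benign file and one ransom note modelled on the text above."""
    root = Path(tempfile.mkdtemp(prefix="keygroup_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.huis_bn").write_bytes(os.urandom(256))
    (root / "docs" / "budget.xlsx.huis_bn").write_bytes(os.urandom(256))
    (root / "docs" / "readme.txt").write_text("nothing to see here")
    note = (
        "HOW TO DECRYPT FILES\n"
        "Attention! All your files are encrypted!\n"
        "To restore your files and access them, send an SMS with the text C32d4 "
        "to the User Telegram @redacted_handle\n"   # handle is a placeholder
    )
    (root / "HOW TO DECRYPT FILES.txt").write_text(note)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for kind, paths in scan_tree(sample_root).items():
        for p in paths:
            print(f"{kind}: {p}")
```

In a real investigation, point scan_tree at the suspect volume and compare the modification times of the flagged files with process-creation telemetry to bound the encryption window.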