The Russian ransomware group Key Group, active since early 2023, is targeting global organizations with .NET malware generated using the Chaos builder to encrypt files, steal data, and demand ransom via Telegram channels.
The malware targets specific file types, encrypts their contents, and appends a random five-character extension to their filenames, effectively rendering them inaccessible until a decryption key is obtained.
The script disables system recovery by terminating specific processes associated with the recovery functionality, which prevents the system from being restored to a previous state in the event of a failure or attack.
The encrypted files are accompanied by a ransom note on the desktop, which includes instructions for contacting the cybercriminals to pay a ransom and obtain a decryption key. The note also specifies that certain files, listed in a “whitelist,” will not be encrypted.
Two files, “keygroup777.txt” and “PersonalID.txt.UF4TA,” are created in the “C:\SystemID” directory. The first file likely contains a group of cryptographic keys, while the purpose of the second is unclear; its “.UF4TA” extension could indicate that it was encrypted or that it uses a specific file format.
A Key Group ransomware attack is identified by the presence of encrypted files and the ransom message (Keygroup777.txt), which includes a link to a potential negotiation portal.
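The indicators described above (the ransom note name, the “C:\SystemID” marker directory, and document files carrying an appended five-character extension such as “.UF4TA”) can be turned into a simple host-side triage check. The following is an added example written for this page, not code from SonicWall or from the malware analysis; the file listing is constructed, the list of “common” document extensions is an assumption used to limit false positives, and the alert threshold is an arbitrary choice.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional, Union

# Indicators taken from the analysis: ransom note name and marker directory.
RANSOM_NOTE_NAMES = {"keygroup777.txt"}
MARKER_DIR = PureWindowsPath(r"C:\SystemID")

# Assumption: a set of ordinary document/data extensions. A candidate is only
# flagged when one of these is immediately followed by the appended extension,
# which keeps names like "data.tar.gz" or "photo.jpg.bak" out of the results.
COMMON_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".db", ".sql"}

# The appended extension is five alphanumeric characters (e.g. "UF4TA"); the
# exact value is random per victim, so only the shape is matched.
APPENDED_EXT = re.compile(r"^[A-Za-z0-9]{5}$")

# Arbitrary threshold: this many renamed documents alone is enough to alert.
ENCRYPTED_ALERT_THRESHOLD = 3


def classify_path(path: str) -> Optional[str]:
    """Return the indicator type for a single path, or None if it is benign."""
    p = PureWindowsPath(path)

    # Anything dropped into the marker directory is suspicious on its own.
    if p.parent == MARKER_DIR:
        return "systemid_marker"

    # The ransom note is written to the desktop (and elsewhere) by name.
    if p.name.lower() in RANSOM_NOTE_NAMES:
        return "ransom_note"

    # "report.docx.UF4TA": original extension followed by a 5-char suffix.
    suffixes = p.suffixes
    if len(suffixes) >= 2:
        appended = suffixes[-1][1:]           # strip the leading dot
        original = suffixes[-2].lower()
        if APPENDED_EXT.fullmatch(appended) and original in COMMON_EXTS:
            return "encrypted_candidate"

    return None


def scan(paths: Iterable[str]) -> Dict[str, Union[List[str], bool]]:
    """Group paths by indicator type and decide whether to raise an alert."""
    hits: Dict[str, Union[List[str], bool]] = {
        "systemid_marker": [],
        "ransom_note": [],
        "encrypted_candidate": [],
    }
    for path in paths:
        kind = classify_path(path)
        if kind is not None:
            hits[kind].append(path)

    # Alert on the ransom note or marker directory, or on enough renamed files
    # to suggest mass encryption even before a note has been written.
    hits["alert"] = (
        bool(hits["ransom_note"])
        or bool(hits["systemid_marker"])
        or len(hits["encrypted_candidate"]) >= ENCRYPTED_ALERT_THRESHOLD
    )
    return hits


# Constructed sample listing, mixing indicators with ordinary files.
SAMPLE_PATHS = [
    r"C:\Users\alice\Desktop\keygroup777.txt",
    r"C:\SystemID\keygroup777.txt",
    r"C:\SystemID\PersonalID.txt.UF4TA",
    r"C:\Users\alice\Documents\report.docx.UF4TA",
    r"C:\Users\alice\Documents\budget.xlsx.UF4TA",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\photo.jpg.bak",
    r"C:\Program Files\app\data.tar.gz",
    r"C:\Users\alice\archive.2024a.pdf",
]

if __name__ == "__main__":
    result = scan(SAMPLE_PATHS)
    for kind in ("systemid_marker", "ransom_note", "encrypted_candidate"):
        for hit in result[kind]:
            print(f"{kind:20s} {hit}")
    print("ALERT" if result["alert"] else "no alert")
```

In practice the path list would come from a filesystem walk or an EDR file-event feed; the point of the shape-based match is that the five-character extension differs per infection, so a static list of known extensions would miss it, while requiring a recognised original extension in front of it avoids flagging ordinary multi-dot filenames.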
The “Login” button leads to a page that automatically redirects to a different page. The final link in the ransom note directs to a webpage that likely contains instructions or a payment portal for the ransom demand.
The Telegram handles @SpyWareSpyNet and keygroup777Rezerv1 link to a page that plays the audio track “T.A.t.i (feat. Ddeks)” by ЧИЧ; the handles are likely used for communication with the operators on the Telegram network.
The Telegram channel linked to the @SpyWareSpyNet handle lists contact information for various operators, likely related to espionage or surveillance activities, and serves as a hub for communication and potentially for coordinating operations within this network.
To protect users and their systems from this threat, the SonicWall Capture Labs signature GAV: Keygroup777.RSM detects and blocks the Trojan malware that the Telegram channel operators use to share victim information, contact details, and tools.