Even ransomware operators make mistakes, and in the case of the Key Group, a cryptographic flaw allowed security researchers to develop and release a decryption tool that restores encrypted files.
But the decryptor only works for a specific version of the ransomware built around August 3, according to threat intelligence firm EclecticIQ, which spotted the malware developers' mistakes and used them to build a recovery tool in Python.
It's available for free: the EclecticIQ team published the Python script on Thursday in a report on the Russian-speaking gang. The script itself is in Appendix A of that report.
If you are a victim of Key Group ransomware, we suggest you read the instructions carefully. If you're lucky, the gang won't know the decryption tool is out and won't rewrite their malware.
"The Key Group ransomware uses AES encryption, implemented in C#, using the RijndaelManaged class, which is a symmetric encryption algorithm," says EclecticIQ researcher Arda Büyükkaya.
It encrypts victims' data with AES in CBC mode using a fixed password and a fixed salt, Büyükkaya said. That is where the gang slipped up: because the password and salt never change, the key and IV derived from them are the same for every victim and every file, which makes writing a decryption routine for the encrypted files straightforward.
"The ransomware uses the same AES static key and initialization vector (IV) to reverse-encrypt the victim's data and rename the encrypted files with the keygroup777tg extension," Büyükkaya said.