Even ransomware operators make mistakes, and in the case of the Key Group ransomware gang, a cryptographic error allowed a team of security researchers to develop and release a decryption tool for recovering encrypted files.
But the decryptor only works for a specific version of the ransomware built around August 3, according to the threat intelligence team at EclecticIQ, which spotted the malware developers' mistakes and used them to build a recovery tool in Python.
It's available for free: the EclecticIQ team published the Python script on Thursday in a report on the Russian-speaking gang. The script itself is in Appendix A of that report.
If you are a victim of Key Group ransomware, read the instructions carefully. If you're lucky, the gang won't have noticed that the decryption tool is out and won't have rewritten its malware yet.
“Key Group's ransomware uses AES encryption, implemented in C# using the RijndaelManaged class, which is a symmetric encryption algorithm,” says EclecticIQ researcher Arda Büyükkaya.
It encrypts victims' data with AES in CBC mode, using a fixed password and a fixed salt, Büyükkaya said. That is where the gang messed up: with both the password and the salt hard-coded, every victim's files are protected by the same key, which makes it very easy to write a decryption routine for the encrypted files.
“The ransomware uses the same static AES key and initialization vector (IV) to recursively encrypt the victim's data and rename the encrypted files with the keygroup777tg extension,” Büyükkaya said.
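As an added example (not EclecticIQ's script and not the malware's own code), here is a minimal C# recovery routine showing why a hard-coded password and salt defeat the scheme: the derived key and IV are identical on every machine, so a defender who has extracted the constants from the sample can decrypt any `.keygroup777tg` file. The PBKDF2 derivation via Rfc2898DeriveBytes, the SHA-1/1000-round parameters, the key and IV sizes, and the placeholder password and salt are all assumptions; the article states none of them.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class KeyGroupRecovery
{
    // Placeholders: the real constants come only from the malware sample.
    const string Password = "<fixed-password-from-sample>";
    static readonly byte[] Salt = Encoding.UTF8.GetBytes("<fixed-salt-from-sample>");
    const string Extension = ".keygroup777tg";

    // A fixed password and a fixed salt make the derivation deterministic: same key and IV everywhere.
    static (byte[] key, byte[] iv) DeriveStaticKeyAndIv()
    {
        // PBKDF2 with SHA-1 and 1000 rounds is an assumption, not a detail from the report.
        using var kdf = new Rfc2898DeriveBytes(Password, Salt, 1000, HashAlgorithmName.SHA1);
        return (kdf.GetBytes(32), kdf.GetBytes(16)); // AES-256 key, 128-bit CBC IV
    }

    static byte[] Decrypt(byte[] ciphertext, byte[] key, byte[] iv)
    {
        using var aes = Aes.Create(); // RijndaelManaged with a 128-bit block is AES
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = key;
        aes.IV = iv;
        using var dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
    }

    static void Main(string[] args)
    {
        var (key, iv) = DeriveStaticKeyAndIv();
        var files = Directory.EnumerateFiles(args[0], "*" + Extension, SearchOption.AllDirectories);
        foreach (var path in files)
        {
            try
            {
                byte[] plain = Decrypt(File.ReadAllBytes(path), key, iv);
                // Keep the encrypted copy; write the recovered file beside it.
                File.WriteAllBytes(path.Substring(0, path.Length - Extension.Length), plain);
                Console.WriteLine("recovered " + path);
            }
            catch (CryptographicException) // padding check failed: wrong build or wrong constants
            {
                Console.WriteLine("skipped " + path);
            }
        }
    }
}
```

Run it against a copy of the affected directory; a padding failure on a file points to a different build of the malware, which is why a tool like this only works for the specific version it was written against.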