Key Group Russian Ransomware Gang Uses Extensive Multi-purpose Telegram Channel

By

The SonicWall Capture Labs threat research team has been recently tracking ransomware known as Key Group. Key Group is a Russian-based malware threat group that was formed in early 2023.  They have reportedly attacked various organizations around the world by encrypting files and exfiltrating data before using Telegram channels to negotiate ransom payments.  The malware is written in .NET and is created using the Chaos ransomware builder.

Infection Cycle

Upon infection, files on the system are encrypted and each file name is given an extension consisting of five random alphanumeric characters.

Disassembling the file reveals a list of targeted file types:

Figure 1: Targeted files

We can also see a list of processes which will be killed if running:

Figure 2: Targeted processes to kill

It disables system recovery:

Figure 3: Disables system recovery

It contains a whitelist of files to ignore:

Figure 4: Whitelisted files

After encrypting files, the following message is displayed on the desktop background:

Figure 5: Desktop message

The following files are written to the filesystem:

C:\SystemID\keygroup777.txt

C:\SystemID\PersonalID.txt.UF4TA

keygroup777.inf does not exist, but Keygroup777.txt does.  It contains the following ransom message:

Figure 6: Ransom note

The first Github.io link leads to the following page:

Figure 7: First Github link

The “Login” button leads to the following page:

Figure 8: After “Log in”

It automatically redirects to the following page:

Figure 9: Redirected page

The last link in the ransom note leads to the following webpage:

Figure 10: Key Group ransom page

Figure 11: The ransom page continued

@SpyWareSpyNet and keygroup777Rezerv1 are handles for communicating with operators on the Telegram online chat network.

The two buttons lead to the following pages:

Figure 12: “About yourself” button

Figure 13: “Satana” button

The page above plays an audio track called T.A.t.i (feat. Ddeks) from ЧИЧ

The @SpyWareSpyNet Telegram handle leads to the following channel.  It contains links that eventually lead to the contact information of various operators:

Figure 14: Telegram channel for operator communication

Figure 15: Operator contact information

The Telegram channels are also used by many operators to share information on victims, contact information, tools and more.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Keygroup777.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.