Key Group Ransomware: A Growing Threat Using Off-the-Shelf Tools
In a recent report by Kaspersky Labs, a new ransomware group known as Key Group, or Keygroup777, has been highlighted for its use of publicly available ransomware builders. The group, which primarily targets Russian-speaking users, has been active since 2022 and leverages various ransomware toolkits, including Chaos, Xorist, and Annabelle, to execute its attacks.
Key Group has gained notoriety for its reliance on leaked ransomware builders to power its campaigns. The group’s activities were first documented in a 2023 report by BI.ZONE, which described an ideological attack on a Russian user. However, further research reveals that the group had been operational since 2022, using ransomware to extort victims by demanding Bitcoin payments through encrypted Telegram channels.
The Chaos ransomware builder was introduced to Key Group’s toolkit in August 2022, shortly after the Chaos creator announced a Ransomware-as-a-Service (RaaS) partnership. Since then, the group has continued to evolve its tactics, frequently modifying the ransom note while keeping the underlying encryption methods intact.
The evolution of Key Group’s attack methods shows a clear pattern of adaptation and opportunism. In early 2023, the group was detected using NjRat, a remote access trojan (RAT) known for its keylogging, reverse shell, and data-stealing capabilities. By the summer of 2023, the group switched to a more aggressive strategy, deploying Annabelle ransomware—named after the horror film. This ransomware not only encrypts files but also disables key security features on the victim’s system, including Windows Firewall and Windows Defender.
In late 2023, Key Group expanded its toolkit further, adding Slam ransomware, which uses the AES-CBC encryption algorithm to lock victim files. Notably, this variant tracks infected machines using the IP Logger service, making it more difficult for victims to conceal their identity.
What sets Key Group apart from other ransomware actors is the group’s ideological tone in some attacks. In one instance, the group left a ransom note without any demand for payment, instead using the attack as a platform for political messaging. The group’s use of the RuRansom wiper—a destructive malware targeting Russia—further solidifies the notion that Key Group may be driven by more than just financial motives.
In February 2024, Key Group began using the Hakuna Matata ransomware, another publicly available builder, and later switched to Judge/NoCry ransomware, which added a new layer of complexity to their attacks by employing the AES-256 encryption algorithm.
By leveraging publicly available tools, the group has been able to consistently innovate and target victims with increasing effectiveness. As ransomware continues to evolve, the security community must remain vigilant to detect and counteract these emerging threats.
