Destructive attacks by Key Wolf: how to spot the new ransomware
A new threat has been uncovered. The Key Wolf hacker group is bombarding Russian users with file‑encrypting ransomware. Interestingly enough, the attackers do not demand any ransom. Nor do they provide any options to decrypt the affected files. Our experts were the first to detect the proliferation of the new malware. In this publication, we will take a closer look at the attack and share our view on ways to mitigate it.
Key Wolf uses two malicious files with nearly identical names: `Информирование зарегистрированных.exe` and `Информирование зарегистрированных.hta` (the Russian words can be loosely translated as “Information for the registered”). The files are presumably delivered to the victims via email.
The first one is a self‑extracting archive containing two files: `gUBmQx.exe` and `LICENSE`.
The second is an HTML Application (.hta) containing a script that downloads `gUBmQx.exe`. The file is fetched from Zippyshare with the help of the Background Intelligent Transfer Service (BITS).
`gUBmQx.exe` contains Key Group ransomware, which is based on another malicious program, Chaos. Information about the Chaos ransomware family first emerged on a popular underground forum in June 2021. The user `ryukRans` wrote that he was working on a ransomware builder and even shared a GitHub link to it (figure 1).
Several versions of the builder were released within a year. In June 2022, a so‑called partner program was announced. It sought to attract pentesters and organize attacks on corporate networks (figure 2).
It is worth noting that Key Group ransomware was made with Chaos Ransomware Builder 4.0.
Once launched, Key Group performs the following:
- Checks whether a process with the same name as the malicious file is already running. If so, the ransomware is already active and the newly launched process exits.
- If the `checkSleep` field is `true` and the launch directory is not `%APPDATA%`, the executable waits for the number of seconds specified in the `sleepTextbox` field.
- If `checkAdminPrivilage` is `true`, the malicious file copies itself into `%APPDATA%` and launches a new process as administrator using `runas`. If the user declines the UAC prompt, the function restarts. If the names coincide and the program was launched from `%APPDATA%`, the function stops (so there is no infinite recursion at launch).
- If `checkAdminPrivilage` is `false` but `checkCopyRoaming` is `true`, the same happens as with `checkAdminPrivilage` set to `true`, but without the privilege escalation via `runas`.
- If `checkStartupFolder` is `true`, a web link (.url shortcut) pointing to the malicious file is created in `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`, so the file is started automatically at every logon.
- If `checkAdminPrivilage` is `true`, then:
  - If `checkdeleteShadowCopies` is enabled, shadow copies are deleted with `vssadmin delete shadows /all /quiet & wmic shadowcopy delete`.
  - If `checkDisableRecoveryMode` is enabled, Windows recovery is turned off with `bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no`.
  - If `checkdeleteBackupCatalog` is enabled, the backup catalog is deleted with `wbadmin delete catalog -quiet`.
- If `checkSpread` is `true`, the malware copies itself to all disks except C. The file name is taken from the `spreadName` setting (in this case, `surprise.exe`).
- Creates a note in `%APPDATA%\<droppedMessageTextbox>` and opens it. The note contains the following text: “We are the keygroup777 ransomware we decided to help Ukraine destroy Russian computers, you can help us and transfer money to a bitcoin wallet <redacted>.”
- Sets the image shown below (figure 3) as the desktop wallpaper.
Figure 3. Desktop theme
- Encrypts each disk (except disk C) and the following folders recursively:
%USERPROFILE%\Desktop
%USERPROFILE%\Links
%USERPROFILE%\Contacts
%USERPROFILE%\Desktop
%USERPROFILE%\Documents
%USERPROFILE%\Downloads
%USERPROFILE%\Pictures
%USERPROFILE%\Music
%USERPROFILE%\OneDrive
%USERPROFILE%\Saved Games
%USERPROFILE%\Favorites
%USERPROFILE%\Searches
%USERPROFILE%\Videos
%APPDATA%
%PUBLIC%\Documents
%PUBLIC%\Pictures
%PUBLIC%\Music
%PUBLIC%\Videos
%PUBLIC%\Desktop
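As an added example (not code from the report or from any BI.ZONE product), the Go program below turns the destructive and persistence steps in the list above into detection rules and runs them over constructed Sysmon-style telemetry: process creation (EventID 1) for the `vssadmin`, `wmic`, `bcdedit` and `wbadmin` command lines, and file creation (EventID 11) for the `.url` shortcut dropped into the Startup folder. The user name, host paths and the `.url` file name in the sample events are invented for the demo; only the command lines and the Startup folder path come from the description.

```go
package main

import (
	"fmt"
	"regexp"
)

// Event is a constructed stand-in for a Sysmon record: EventID 1 (process creation)
// or EventID 11 (file creation). Only the fields the rules below need are kept.
type Event struct {
	ID             int    // 1 = process create, 11 = file create
	Image          string // path of the process
	CommandLine    string // full command line (EventID 1)
	TargetFilename string // created file (EventID 11)
}

// Finding names the rule that fired and the index of the event that triggered it.
type Finding struct {
	Rule  string
	Index int
}

var (
	// Destructive commands issued when checkAdminPrivilage is set.
	reShadow   = regexp.MustCompile(`(?i)\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b`)
	reRecovery = regexp.MustCompile(`(?i)\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b`)
	reCatalog  = regexp.MustCompile(`(?i)\bwbadmin(?:\.exe)?\s+delete\s+catalog\b`)
	// .url shortcut dropped into the per-user Startup folder (checkStartupFolder).
	reStartupURL = regexp.MustCompile(`(?i)\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.url$`)
	// Executable started straight from %APPDATA% (the self-copy step). Noisy on its
	// own, so treat it as context for the other findings rather than as an alert.
	reRoamingExe = regexp.MustCompile(`(?i)\\AppData\\Roaming\\[^\\]+\.exe$`)
)

type rule struct {
	name  string
	match func(Event) bool
}

var rules = []rule{
	{"shadow_copy_deletion", func(e Event) bool { return e.ID == 1 && reShadow.MatchString(e.CommandLine) }},
	{"recovery_disabled", func(e Event) bool { return e.ID == 1 && reRecovery.MatchString(e.CommandLine) }},
	{"backup_catalog_deletion", func(e Event) bool { return e.ID == 1 && reCatalog.MatchString(e.CommandLine) }},
	{"startup_url_dropped", func(e Event) bool { return e.ID == 11 && reStartupURL.MatchString(e.TargetFilename) }},
	{"exe_run_from_roaming_appdata", func(e Event) bool { return e.ID == 1 && reRoamingExe.MatchString(e.Image) }},
}

// Evaluate runs every rule over every event and returns the findings in event order.
func Evaluate(events []Event) []Finding {
	var out []Finding
	for i, e := range events {
		for _, r := range rules {
			if r.match(e) {
				out = append(out, Finding{r.name, i})
			}
		}
	}
	return out
}

// SampleEvents is constructed telemetry modelled on the behaviour described above.
// The user name, the .url file name and the host paths are invented for the demo.
func SampleEvents() []Event {
	appdata := `C:\Users\alice\AppData\Roaming\`
	return []Event{
		{ID: 1, Image: appdata + `gUBmQx.exe`, CommandLine: `"` + appdata + `gUBmQx.exe"`},
		{ID: 1, Image: `C:\Windows\System32\cmd.exe`, CommandLine: `cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete`},
		{ID: 1, Image: `C:\Windows\System32\cmd.exe`, CommandLine: `cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no`},
		{ID: 1, Image: `C:\Windows\System32\cmd.exe`, CommandLine: `cmd.exe /c wbadmin delete catalog -quiet`},
		{ID: 11, Image: appdata + `gUBmQx.exe`, TargetFilename: appdata + `Microsoft\Windows\Start Menu\Programs\Startup\gUBmQx.url`},
		{ID: 1, Image: `C:\Windows\System32\cmd.exe`, CommandLine: `cmd.exe /c vssadmin list shadows`}, // benign: must not fire
	}
}

func main() {
	for _, f := range Evaluate(SampleEvents()) {
		fmt.Printf("event %d: %s\n", f.Index, f.Rule)
	}
}
```

The three command-line rules match whether the tool is launched through `cmd.exe /c` (as the chained `&` commands above imply) or directly, and the benign `vssadmin list shadows` stays silent. The `%APPDATA%` rule fires on plenty of legitimate software, which is why it is better used to enrich the other findings than as a standalone alert.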
The malware checks each file in the directory for one of the targeted extensions and skips the note itself. What happens next depends on the file size:
- If the file is smaller than 2,117,152 bytes, it is encrypted with AES-256-CBC. The key and IV are derived with `Rfc2898DeriveBytes` (PBKDF2) from a password and the fixed salt `[1, 2, 3, 4, 5, 6, 7, 8]`. The password is 20 characters long, drawn from the set `abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/`, and is generated with the standard, non-cryptographic `Random()` class. After encryption, the password, encrypted with RSA-1024-OAEP and Base64-encoded, is written to the file under the XML tag `<EncryptedKey>`, followed by the Base64-encoded ciphertext of the file itself.
- If the file is 2,117,152 bytes or more but no larger than 200,000,000 bytes, its content is replaced with random bytes equal in number to one quarter of the original size, written in the same format as above. The file then contains a random encrypted password and is theoretically unrecoverable, because the original data was never written.
- If the file exceeds 200,000,000 bytes, it is replaced with a random number of bytes between 200,000,000 and 300,000,000, again in the same format. Such a file, too, contains a random encrypted password and is theoretically unrecoverable.
If the directory contains subdirectories, the malware will perform the same operation for each of them.
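To make the per-file format concrete, the Go program below (an added example written for this article, not the malware's code or a BI.ZONE tool) reproduces the layout just described and the decryption routine the operators never provided. Assumptions not stated in the report are marked in the code: the PBKDF2 iteration count (1000, the `Rfc2898DeriveBytes` default), the closing `</EncryptedKey>` tag, and SHA-1 as the OAEP hash (the .NET default). The RSA key pair and the sample input are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"strings"
)

const (
	openTag  = "<EncryptedKey>"
	closeTag = "</EncryptedKey>" // ASSUMPTION: the report names only the opening tag
)

var salt = []byte{1, 2, 3, 4, 5, 6, 7, 8} // fixed salt from the report

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1 (RFC 2898), what .NET's Rfc2898DeriveBytes computes.
func pbkdf2SHA1(password, s []byte, iter, keyLen int) []byte {
	prf, ctr, dk := hmac.New(sha1.New, password), make([]byte, 4), []byte{}
	for block := uint32(1); len(dk) < keyLen; block++ {
		binary.BigEndian.PutUint32(ctr, block)
		prf.Reset()
		prf.Write(append(append([]byte{}, s...), ctr...))
		u := prf.Sum(nil)
		t := append([]byte{}, u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// deriveKeyIV mirrors key.GetBytes(32) followed by key.GetBytes(16): both come from
// one PBKDF2 stream, so a single 48-byte derivation yields key and IV.
func deriveKeyIV(password string) (key, iv []byte) {
	dk := pbkdf2SHA1([]byte(password), salt, 1000, 48) // 1000 iterations: ASSUMPTION, the Rfc2898DeriveBytes default
	return dk[:32], dk[32:]
}

// Wrap produces the per-file layout: the RSA-OAEP(SHA-1)-encrypted password, Base64, inside
// <EncryptedKey>, then the Base64 AES-256-CBC (PKCS#7) ciphertext. password is the 20-character
// string the sample draws with System.Random. For files of 2,117,152 bytes or more the malware
// passes random bytes as content instead, so the plaintext is never written at all.
func Wrap(content []byte, password string, pub *rsa.PublicKey) (string, error) {
	ek, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, []byte(password), nil)
	if err != nil {
		return "", err
	}
	key, iv := deriveKeyIV(password)
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(content)%aes.BlockSize
	padded := append(append([]byte{}, content...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return openTag + base64.StdEncoding.EncodeToString(ek) + closeTag +
		base64.StdEncoding.EncodeToString(ct), nil
}

// Recover is the decryptor the operators never shipped; it needs their RSA private key.
func Recover(blob string, priv *rsa.PrivateKey) ([]byte, error) {
	end := strings.Index(blob, closeTag)
	if !strings.HasPrefix(blob, openTag) || end < 0 {
		return nil, errors.New("not a Key Group blob")
	}
	ek, _ := base64.StdEncoding.DecodeString(blob[len(openTag):end])
	password, err := rsa.DecryptOAEP(sha1.New(), nil, priv, ek, nil)
	if err != nil {
		return nil, err
	}
	ct, err := base64.StdEncoding.DecodeString(blob[end+len(closeTag):])
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext")
	}
	key, iv := deriveKeyIV(string(password))
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

// NewDemoKey stands in for the operators' key pair (RSA-1024, as in the sample).
func NewDemoKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 1024)
	return k
}
```

The split between `Wrap` and `Recover` is the whole story of this sample: even for the small files, a victim needs the operators' private key to unwrap the per-file password, and for anything at or above 2,117,152 bytes `Wrap` was fed random bytes, so there is nothing behind the key to recover. A fixed salt and a PBKDF2 over a 20-character password do not change that; the strength of the scheme rests entirely on the RSA-1024 key the operators keep.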
The program has one more function: it checks whether the clipboard contains a bitcoin address and, if so, replaces it with one belonging to the attackers.
The indicators of compromise and detection rules are available to BI.ZONE Threat Intelligence clients.
The ransomware usually targets its victims through email attachments. One way to prevent a ransomware attack is to use a specialized solution that will stop a malicious message from ever reaching the inbox.
Among these solutions is BI.ZONE CESP. By inspecting every single incoming message, it helps companies avoid illegitimate messages without slowing down the exchange of secure emails. BI.ZONE CESP uses more than 600 filtering rules based on machine learning and methods of statistical, signature, and heuristic analysis.