BI.ZONE detects destructive attacks by the Key Wolf group

A new threat has been uncovered. The Key Wolf hacker group is bombarding Russian users with file-encrypting ransomware. Interestingly enough, the attackers do not demand any ransom. Nor do they provide any options to decrypt the affected files. Our experts were the first to detect the proliferation of the new malware. In this publication, we will take a closer look at the attack and share our view on ways to mitigate it.

Key Wolf uses two malicious files with nearly identical names Информирование зарегистрированных.exe and Информирование зарегистрированных.hta (the words in Russian can be loosely translated as “Information for the registered”). The files are presumably delivered to the victims via email.

The first one is a self-extracting archive containing two files: gUBmQx.exe and LICENSE.

The second is an archive with a download script for gUBmQx.exe. The file is downloaded from Zippyshare with the help of Background Intelligent Transfer Service (BITS).

The file contains Key Group ransomware, which is based on another malicious program, Chaos. Information about the Chaos ransomware family first emerged on a popular underground forum in June 2021. The user ryukRans wrote that he was working on a ransomware builder and even shared a GitHub link to it (figure 1).

Figure 1. Underground forum post on Chaos Ransomware Builder*

*(translated from Russian) Wanna share the ransomware I’ve been working on lately. What do you think? What feature would you like this ransomware to have?

Download link: https://github.com/Hetropo/ryuk-ransomware
try it out on a virtual machine

Several versions of the builder were released within a year. In June 2022, a so-called partner program was announced. It sought to attract pentesters and organize attacks on corporate networks (figure 2).

Figure 2. Underground forum post on Chaos Ransomware Builder

It is worth noting that Key Group ransomware was made with Chaos Ransomware Builder 4.0.

Ransomware mechanics

Once launched, Key Group performs the following:

• Checks whether there is a process with the same name as that of the malicious file. If there is, it means that the ransomware is already running, so the newly launched process will stop.
• If the checkSleep field is true, and, if the launch directory is not %APPDATA%, the .exe file waits for the number of seconds specified in the sleepTextbox field.
• If checkAdminPrivilage is true, the malicious file copies itself into %APPDATA% and launches a new process as admin using runas. If the operation is declined by the user (UAC), the function restarts. If the names coincide and the program was launched from %APPDATA%, the function stops (thus, there is no infinite recursion during launch).
• If checkAdminPrivilage is false, but checkCopyRoaming is true, the same process occurs as when checkAdminPrivilage is true, but without the escalation of privileges using runas.
• If checkStartupFolder is true, then a web link to a malicious file is created in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, which means that the file will be downloaded automatically.
• If checkAdminPrivilage is true, then:
• If checkdeleteShadowCopies is enabled, the function deletes shadow copies using vssadmin delete shadows /all /quiet & wmic shadowcopy delete.
• If checkDisableRecoveryMode is enabled, the function turns off the recovery mode using bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no.
• If checkdeleteBackupCatalog is enabled, the function deletes all backup copies using wbadmin delete catalog -quiet.
• If checkSpread is true, the malware copies itself to all disks except C. Its file name is set up in the spreadName configuration (in this case, surprise.exe).
• Creates a note in %APPDATA%\\\<droppedMessageTextbox\> and opens it. The note contains the following text:
  We are the keygroup777 ransomware we decided to help Ukraine destroy Russian computers, you can help us and transfer money to a bitcoin wallet <redacted>.
• Installs the image shown below (figure 3) as the desktop theme.

Figure 3. Desktop theme

• Encrypts each disk (except disk C) and the following folders recursively:
• %USERPROFILE%\\Desktop
• %USERPROFILE%\\Links
• %USERPROFILE%\\Contacts
• %USERPROFILE%\\Desktop
• %USERPROFILE%\\Documents
• %USERPROFILE%\\Downloads
• %USERPROFILE%\\Pictures
• %USERPROFILE%\\Music
• %USERPROFILE%\\OneDrive
• %USERPROFILE%\\Saved Games
• %USERPROFILE%\\Favourites
• %USERPROFILE%\\Searches
• %USERPROFILE%\\Videos
• %APPDATA%
• %PUBLIC%\\Documents
• %PUBLIC%\\Pictures
• %PUBLIC%\\Music
• %PUBLIC%\\Videos
• %PUBLIC%\\Desktop

The malware will check each file in the directory whether it has one of the correct extensions and whether it is a note. The following process then depends on the file size:

• If the file is under 2,117,152 bytes, it is encrypted with AES256-CBC. The key and IV are generated with the help of Rfc2898DeriveBytes with a password and salt [1, 2, 3, 4, 5, 6, 7, 8]. The password is 20 bytes in size. It has the character set abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/, and is generated with the help of the standard function Random(). After encryption, the password is written to the file under the XML tag <EncryptedKey>, which is encrypted by RSA1024-OAEP and encoded in Base64, then comes the encrypted file itself, encoded in Base64.
• If the file is 2,117,152 bytes or more, but less than or equal to 200,000,000 bytes, the number of random bytes generated and added to the file equals one-fourth of the file’s original size. The bytes are added in the same format as in the case described above. The file contains a random encrypted password and is theoretically unrecoverable.
• When the file size exceeds 200,000,000 bytes, a random number of bytes between 200,000,000 and 300,000,000 is added to the file in the same format as in the first case. The file contains a random encrypted password and is theoretically unrecoverable.

If the directory contains subdirectories, the malware will perform the same operation for each of them.

The program also has an additional functionality: it checks if there is a bitcoin address in the clipboard and substitutes it with one belonging to the attackers.

The indicators of compromise and detection rules are available to BI.ZONE ThreatVision clients.

Protecting against Key Wolf

The ransomware usually targets its victims through email attachments. One way to prevent a ransomware attack is to use a specialized solution that will stop a malicious message from being delivered to the inbox.

Among these solutions is BI.ZONE CESP. By inspecting every single incoming message, it helps companies avoid illegitimate messages without slowing down the exchange of secure emails. The service relies on over 600 filtering rules based on machine learning and methods of statistical, signature, and heuristic analysis.