A decryption tool for a widespread ransomware variant is now available to download for free, thanks to a group of cybersecurity researchers from the Netherlands.
Experts from EclecticIQ discovered a cryptographic error in the encryptor belonging to the Key Group ransomware operator which allowed them to build a decryptor, which they then released for free.
The news means that everyone who fell victim to this specific ransomware strain can find the script, written in Python, on this link, and use it to salvage their encrypted files.
Unsophisticated threat actor
It’s worth mentioning that this decryptor doesn’t work on all versions of Key Group’s ransomware variant, but only some – built “around August 3”, the researchers said. As ransomware evolves, and new variants and versions pop up, they usually come with different encryption mechanisms, which renders these decryptors useless. This one will probably be useless soon too, once the crooks pick up on this news and tweak their code.
In any case, the researchers called the group, which seems to be of Russian origin, a “low-sophisticated threat actor.”
In recent times, ransomware operators have stopped deploying encryptors and are focusing entirely on data exfiltration. Apparently, developing, maintaining, and deploying ransomware is too expensive and too cumbersome, while the same financial results can be achieved by simply stealing data and threatening to release it to the wild. Furthermore, deploying ransomware, especially on critical infrastructure providers, is hugely disruptive and forces law enforcement to act more swiftly.
That doesn’t mean hackers will suddenly stop encrypting files. Ransomware is still one of the most popular cyberattack methods out there, with Clop, BlackBasta, LockBit, and others, causing hundreds of millions of dollars in damages, both in the private, and public sectors. Companies in the United States are most frequently attacked, according to figures from Malwarebytes.