{
  "name": "Key Group: another ransomware group using leaked builders",
  "slug": "key-group-another-ransomware-group-using-leaked-builders",
  "description": "Key Group is a financially motivated ransomware group that primarily targets Russian users. It uses various leaked ransomware builders, including Chaos, Xorist, Annabelle, Slam, RuRansom, UX-Cryptor, Hakuna Matata, and Judge/NoCry. The group's activity has been tracked since April 2022, and its tactics have evolved over that time. Malware is delivered through multi-stage loaders, often with GitHub repositories used for distribution. Key Group employs various persistence methods and communicates with victims primarily via Telegram. The group is suspected to be a subsidiary project of 'huis', a Russian-speaking group known for spam raids on Telegram channels.",
  "published": "2024-10-01T17:48:20+00:00",
  "created_at": "2024-10-01T17:48:20+00:00",
  "modified_at": "2024-10-01T18:53:46+00:00",
  "created_at_opencti": "2024-10-01T17:48:20+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-10-01",
    "annabelle",
    "chaos",
    "financially-motivated",
    "github",
    "hakuna matata",
    "judge/nocry",
    "leaked builders",
    "multi-stage loaders",
    "njrat",
    "persistence",
    "ransomware",
    "ruransom",
    "russian-speaking",
    "slam",
    "telegram",
    "ux-cryptor",
    "wiper",
    "xorist"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:820f02f5beebca54",
        "name": "Hakuna Matata",
        "slug": "hakuna-matata"
      },
      {
        "id": "legacy:malware:9101420e554e45fc",
        "name": "Judge/NoCry",
        "slug": "judgenocry"
      },
      {
        "id": "legacy:malware:9b87394700c7a120",
        "name": "UX-Cryptor",
        "slug": "ux-cryptor"
      },
      {
        "id": "legacy:malware:f9a9e25d4d912e8c",
        "name": "RuRansom",
        "slug": "ruransom"
      },
      {
        "id": "7c68068c-f51e-43a2-98df-2cf946e6c074",
        "name": "Slam",
        "slug": "slam"
      },
      {
        "id": "legacy:malware:e41ee565a355c0cf",
        "name": "Annabelle",
        "slug": "annabelle"
      },
      {
        "id": "c95210fe-62a8-47e6-af77-5409c8649aef",
        "name": "Xorist",
        "slug": "xorist"
      },
      {
        "id": "legacy:malware:75a34f27d954a5d6",
        "name": "Chaos - S0220",
        "slug": "chaos-s0220"
      },
      {
        "id": "50b0256e-3b81-4f32-b915-979cc893dc27",
        "name": "LV",
        "slug": "lv"
      },
      {
        "id": "legacy:malware:0a3ffd661bac67a8",
        "name": "Bladabindi",
        "slug": "bladabindi"
      },
      {
        "id": "legacy:malware:2066823fa37e1028",
        "name": "Njw0rm",
        "slug": "njw0rm"
      },
      {
        "id": "a88cf653-3ec6-40f9-84a8-ec05b54b1099",
        "name": "njRAT - S0385",
        "slug": "njrat-s0385"
      }
    ],
    "intrusion_sets": [
      {
        "id": "0928620a-570e-408b-a54d-29186041f156",
        "name": "Key Group",
        "slug": "key-group"
      }
    ],
    "attack_patterns": [
      {
        "id": "27ae8e84-820b-4a38-aa82-c836a7c1402f",
        "name": "T1561.002"
      },
      {
        "id": "7e5fbc10-b908-4ce8-8ba8-9fd70790c6ae",
        "name": "T1562.004"
      },
      {
        "id": "4bbdf41c-817c-448a-9513-aaea6bfbe8b4",
        "name": "T1568"
      },
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "5882a135-5b7e-4caf-93e8-80f7df41cef2",
        "name": "T1564.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Russian Federation"
      }
    ]
  },
  "external_refs": [
    "https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/",
    "https://otx.alienvault.com/pulse/66fc5204f623a76e870d044d"
  ]
}