As Maze retires, clients turn to Sekhmet ransomware spin-off Egregor

The ransomware’s ‘retirement’ has left a hole that Egregor operators may capitalize on.
Written by Charlie Osborne, Contributing Writer

As the developers of the Maze ransomware announce their exit from the malware scene, clients are now thought to be turning to Egregor as a substitute.

The Maze group has been a devastating force for companies that have fallen victim to the cybercriminals over the past year. 

What has separated Maze in the past from many other threat groups are practices following infection. Maze would attack a corporate resource, encrypt files or just focus on stealing proprietary data, and then demanded payment -- often reaching six figures -- in cryptocurrency. 

If extortion attempts fail, the group would then create an entry on a dedicated Dark Web portal and release the data they have stolen. Canon, LG, and Xerox are reported to be among organizations previously struck by Maze.

See also: Ransomware operators now outsource network access exploits to speed up attacks

However, on November 1, the Maze group announced its "retirement," noting that there is no "official successor" and support for the malware would end after one month. 

Malwarebytes noted a drop-off in infections since August and so say that withdrawal from the scene is "not really" an unexpected move. 

However, that doesn't mean that previous customers of Maze would also quit the market, and the researchers suspect that "many of their affiliates have moved to a new family" known as Egregor, a spin-off of Ransom.Sekhmet

According to an analysis conducted by Appgate, Egregor has been active since mid-September this year, and in this time, has been linked to alleged attacks against organizations including GEFCO and Barnes & Noble.

Egregor has also been associated with the Ransomware-as-a-Service (RaaS) model, in which customers can subscribe for access to the malware. According to sample ransom notes, once a victim has been infected and their files encrypted, operators demand that they establish contact over Tor or a dedicated website to organize payment. 

CNET: Election 2020: Your cybersecurity questions answered

Furthermore, the note threatens that if a ransom is not paid within three days, stolen data will be made public. 

Egregor uses a range of anti-obfuscation techniques and payload packing to avoid analysis. The ransomware's functionality is considered to be similar to Sekhmet. 

"In one of the execution stages, the Egregor payload can only be decrypted if the correct key is provided in the process' command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn't provided," the researchers noted. 

TechRepublic: It's an urgent plea this Election Day: Don't click on ransomware disguised as political ads

While affiliates transition to Egregor, Malwarebytes warns that this may not be the last time we see Maze as an active threat. 

"History has shown us that when a crime group decides to close its doors, it's rarely because the criminals have seen the error of their ways and it's more often due to a new, more powerful threat that the threat actors would prefer to use," the researchers note. "So, with businesses now being targeted with the next ransomware and no sign of hope for victims of the past we see no reason to be particularly happy about this."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards