Decryptor released for Maze, Egregor, and Sekhmet ransomware strains

Someone connected to the ransomware group released decryption keys in a BleepingComputer forum.
Written by Jonathan Greig, Contributor

A decryptor has been released for the Maze, Sekhmet, and Egregor ransomware after someone published the master decryption keys in a BleepingComputer forum post.

Around 6:30 yesterday evening, someone identifying themselves as "Topleak" said, "It was decided to release keys to the public for Egregor, Maze, Sekhmet ransomware families." 

"Each archive with keys has the corresponding keys inside numeric folders, which equal the advert ID in the config. In the "OLD" folder of the Maze leak are keys for its old, e-mail-based version. Consider making a decryptor for this one first, because there were too many regular PC users on this version," the user wrote. 

"Since it will raise too many clues, and most of them will be false, it is necessary to emphasize that this is a planned leak and has no connection to recent arrests and takedowns. The M0yv source is a bonus, because there has been no major source code of resident software for years now, so here we go. None of our team members will ever return to this kind of activity; it was pleasant to work with you. All source code of the tools ever made is wiped out."

Cybersecurity company Emsisoft created a decryptor using the keys, but victims need the ransom note they received in order to use it. The decryptor already has more than 200 downloads. BleepingComputer administrators removed the link to the original leak because the archive included the source code for the 'M0yv' malware.

Emsisoft threat analyst Brett Callow said that while Maze, Sekhmet, and Egregor are no longer active, companies typically archive any encrypted data they were unable to recover in the hope that a decryptor will eventually become available, which it now has. 

"The release of the keys is another sign that ransomware gangs are rattled. While the gang claims their decision had nothing to do with the recent arrests of REvil -- yeah, right. The reality is that gangs' costs and risks are both increasing. Ransomware became such an enormous problem because threat actors were able to operate with almost complete impunity," Callow told ZDNet. 

"That's no longer the case. The ransomware problem is far from solved, but there's now far more 'risk' in the risk/reward ratio. The Biden administration's policy measures, multi-million dollar rewards, international cooperation, offensive actions and disruptions are all combining to make it harder and riskier for ransomware gangs to operate, while insurers are simultaneously pushing their customers to become resilient," Callow said. 

He went on to explain that there is still a "stunning" enforcement gap when it comes to cybercrime, noting that the chances of a cyber attack in the US being successfully investigated and prosecuted are now estimated at 0.05%.

In February 2021, members of the Egregor ransomware cartel were arrested in Ukraine after a joint investigation by French and Ukrainian police. According to France Inter, French authorities got involved in the investigation after game studio Ubisoft, logistics firm Gefco and several other major French companies were attacked by Egregor members. 

It was long suspected that Egregor, Maze, and Sekhmet were developed by the same group. Allan Liska, a ransomware expert with threat intelligence firm Recorded Future, told ZDNet in 2020 that they tracked 206 victims published to the Egregor extortion site and, before the switchover from Maze to Egregor, 263 victims published to the Maze site. At the time, Liska said the two variants accounted for 34.3% of victims published to all ransomware extortion sites.

On Wednesday, Liska told ZDNet that Maze, Egregor, and Sekhmet were always tied together, each seen as the successor of the one before it.

He said they were notable for a number of reasons. Maze codified the idea of the ransomware extortion (data leak) site, which most ransomware groups now operate, Liska explained. 

"The arrests of Maze affiliates in February of 2021 really kicked off the year of ransomware arrests," Liska said.