Ransomware Developer Releases Decryption Keys

A ransomware developer has just recently leaked the decryption keys for three separate ransomware strains, all of which have caused no small amount of pain for numerous victims. The leak was made on Bleeping Computer’s forum, a platform used by many to remediate ransomware infections and discover more information about various malware families. Decryption keys were released for Maze, Egregor, and Sekhmet.

On February 8, 2022, the ransomware developer posted the following to the forum,

“Hello, It's developer. It was decided to release keys to the public for Egregor, Maze, Sekhmet ransomware families.
also there is a little bit harmless source code of polymorphic x86/x64 modular EPO file infector m0yv detected in the wild as Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no single thing in common with gazavat. Each archive with keys have corresponding keys inside the numeric folders which equal to advert id in the config.
In the "OLD" folder of maze leak is keys for it's old version with e-mail based. Consider to make decryptor first for this one, because there were too many regular PC users for this version.
Since it will raise too much clues and most of them will be false, it is necessary to emphasize that it is planned leak, and have no any connections to recent arrests and takedowns. M0yv source is a bonus, because there was no any major source code of resident software for years now, so here we go.
Neither of our team member will never return to this kind of activity, it was pleasant to work with you. All source code of tools ever made is wiped out.
P.S. Never forget that everything you perceive is only the dream of God. Complete your task.”

The link to the decryption keys was removed by forum moderators as it contained source code for malware used by the ransomware gang. For those requiring access to the decryptors, it is advised that you contact the moderators for access.

ransomware devs releases decryption keys The link removed by moderators was a download link that contained the Maze, Egregor, and Sekhmet decryption keys, and the source code for the “M0yv” malware used by the ransomware gang.

Each archive contains the public master encryption key and the private master decryption key associated with particular affiliates who were responsible for distributing the ransomware. In total there are 9 master decryption keys for Maze when it was not used to target corporate organizations, 30 Maze decryption keys when the ransomware was used on corporate organizations, 19 Egregor decryption keys, and 1 Sekhmet decryption key.

According to Bleeping Computer, the decryption keys have been verified by Michael Gillespie and Fabian Wosar, well-known ransomware researchers for Emisoft.

To further assist victims infected by the above-mentioned ransomware strains Emisoft has released a free decryptor that can be easily downloaded and used. It is important to note that to use the decryptor, victims will need the ransom note created during the attack as it contains the encrypted decryption key.

Why now?

Security researchers will be asking why the developer decided to leak the keys now. A quick trip down memory lane may shed some light on the recent decision to leak the decryption keys, along with recent arrests suggesting law enforcement has stepped up investigations into cybercrime.

Maze began operations in 2019 and soon became one of the best-known exponents of applying the double extortion tactic, that being the tactic of exfiltrating data before encryption to be used as leverage in placing more pressure on the victim to pay. Maze had claimed some major corporations as scalps including Canon, Xerox, and LG.

Maze’s tactics help shape how other ransomware gangs would develop their ransomware-as-a-service models to attract affiliates. However, despite their rise to prominence on November 1, 2020, the gang's admin announced their retirement. While Maze’s sun had set it was rising for Egregor as it is believed that many of Maze’s affiliates joined Egregor’s ranks when Maze operations came to an end.

The earliest detected Egregor activity dates back to October 2020. On Maze’s decline, Egregor’s rise was meteoric, with the rise being defined by a quick adoption of double-extortion and human-operated.

To further the gang's operations their ransomware-as-a-service (RaaS) business model was refined to appeal to those leaving Maze for more profitable pastures and partnered with QakBot to improve distribution.

One of Egregor’s more prominent victims was the giant book retailer Barnes and Noble. As quick as the rise of Egregor was the decline was just as fast, if not faster. In February 2021, it was announced that several Egregor affiliates had been arrested in Ukraine. This resulted in Egregor activity falling off a cliff.

Returning to why the developed chose to leak the decryption keys now, the forum post states it was a “planned leak” but it is hard not to believe law enforcement's recent success against ransomware gangs did not influence the decision.

Further, the operations that not only arrested affiliates but also seized infrastructure have forced ransomware operators to give up on the RaaS model as affiliates now present a traceable threat to operations.

Now, gangs like BlackMatter are keeping operations in-house in the hope that it makes them harder to track and investigate. The release of the decryption keys may be a symptom of changing ransomware tactics.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal