A ransomware developer has leaked the decryption keys for three separate ransomware strains, all of which have caused considerable pain for numerous victims. The leak was made on Bleeping Computer’s forum, a platform used by many to remediate ransomware infections and discover more information about various malware families. Decryption keys were released for Maze, Egregor, and Sekhmet.
On February 8, 2022, the ransomware developer posted the following to the forum:
“Hello, it's the developer. It was decided to release keys to the public for the Egregor, Maze, and Sekhmet ransomware families.
Also there is a little bit of harmless source code of the polymorphic x86/x64 modular EPO file infector m0yv, detected in the wild as the Win64/Expiro virus, but it is not actually Expiro; AV engines just detect it as such, so it has no single thing in common with Gazavat. Each archive with keys has the corresponding keys inside numeric folders which equal the advert id in the config.
In the "OLD" folder of the Maze leak are the keys for its old, e-mail-based version. Consider making a decryptor first for this one, because there were too many regular PC users for this version.
Since it will raise too many clues and most of them will be false, it is necessary to emphasize that this is a planned leak and has no connections to recent arrests and takedowns. The M0yv source is a bonus, because there has been no major source code of resident software for years now, so here we go.
None of our team members will ever return to this kind of activity; it was pleasant to work with you. All source code of tools ever made is wiped out.
P.S. Never forget that everything you perceive is only the dream of God. Complete your task.”
The link to the decryption keys was removed by forum moderators as it contained source code for malware used by the ransomware gang. For those requiring access to the decryptors, it is advised that you contact the moderators for access.
The link removed by moderators was a download link that contained the Maze, Egregor, and Sekhmet decryption keys, and the source code for the “M0yv” malware used by the ransomware gang.
Each archive contains the public master encryption key and the private master decryption key associated with a particular affiliate who was responsible for distributing the ransomware. In total there are 9 master decryption keys for the original Maze version, which was not used against corporate organizations, 30 master decryption keys for the Maze version used against corporate organizations, 19 Egregor master decryption keys, and 1 Sekhmet master decryption key.
To further assist victims of the above-mentioned ransomware strains, Emsisoft has released a free decryptor that can be easily downloaded and used. It is important to note that to use the decryptor, victims will need the ransom note created during the attack, because the note contains the victim's decryption key in encrypted form.
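To show why a victim's ransom note is required and what one affiliate's master private key unlocks, here is a simplified model of that key hierarchy, written for this article and not taken from the leak, the gangs' code or Emsisoft's decryptor. The RSA-2048/OAEP wrapping, the note layout and the advert ids are assumptions; the victim key is a constructed value standing in for a randomly generated file-encryption key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// RansomNote models only what a decryptor needs from the note: the affiliate's numeric advert id
// (the folder name in the leaked archive) and the victim key wrapped with that affiliate's master public key.
type RansomNote struct {
	AdvertID   int
	WrappedKey string // base64 of the RSA-OAEP ciphertext (constructed layout, not the real note)
}

// NewMasterKey creates one affiliate's master key pair (assumed RSA-2048).
func NewMasterKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// WrapVictimKey is why the note is indispensable: the per-victim key is only
// ever written out wrapped under the master public key, never in the clear.
func WrapVictimKey(pub *rsa.PublicKey, victimKey []byte) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, victimKey, nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// RecoverVictimKey is the decryptor's core step: select the leaked master
// private key named by the note's advert id and unwrap the per-victim key.
// A missing folder or another affiliate's key both fail closed.
func RecoverVictimKey(note RansomNote, leaked map[int]*rsa.PrivateKey) ([]byte, error) {
	priv, ok := leaked[note.AdvertID]
	if !ok {
		return nil, fmt.Errorf("no leaked master key for advert id %d", note.AdvertID)
	}
	ct, err := base64.StdEncoding.DecodeString(note.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("malformed note: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

func main() {
	master, _ := NewMasterKey()
	victimKey := []byte("constructed-32-byte-victim-key!!") // stands in for a random file key
	wrapped, _ := WrapVictimKey(&master.PublicKey, victimKey)
	got, err := RecoverVictimKey(RansomNote{AdvertID: 3, WrappedKey: wrapped}, map[int]*rsa.PrivateKey{3: master})
	fmt.Println(string(got), err)
}
```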
Security researchers will be asking why the developer decided to leak the keys now. A quick trip down memory lane may shed some light on the recent decision to leak the decryption keys, along with recent arrests suggesting law enforcement has stepped up investigations into cybercrime.
Maze began operations in 2019 and soon became one of the best-known exponents of the double extortion tactic: exfiltrating data before encryption so that the threat of publishing it can be used as leverage to pressure the victim into paying. Maze had claimed some major corporations as scalps, including Canon, Xerox, and LG.
Maze’s tactics helped shape how other ransomware gangs would develop their ransomware-as-a-service models to attract affiliates. However, despite their rise to prominence, on November 1, 2020, the gang's admin announced their retirement. While Maze’s sun had set, it was rising for Egregor, as it is believed that many of Maze’s affiliates joined Egregor’s ranks when Maze operations came to an end.
The earliest detected Egregor activity dates back to October 2020. On Maze’s decline, Egregor’s rise was meteoric, defined by a quick adoption of double extortion and human-operated attacks.
To further the gang's operations their ransomware-as-a-service (RaaS) business model was refined to appeal to those leaving Maze for more profitable pastures and partnered with QakBot to improve distribution.
One of Egregor’s more prominent victims was the giant book retailer Barnes and Noble. Egregor's decline was as fast as its rise, if not faster. In February 2021, it was announced that several Egregor affiliates had been arrested in Ukraine. This resulted in Egregor activity falling off a cliff.
Returning to why the developer chose to leak the decryption keys now, the forum post states it was a “planned leak”, but it is hard to believe that law enforcement's recent successes against ransomware gangs did not influence the decision.
Further, the operations that not only arrested affiliates but also seized infrastructure have forced ransomware operators to give up on the RaaS model as affiliates now present a traceable threat to operations.
Now, gangs like BlackMatter are keeping operations in-house in the hope that it makes them harder to track and investigate. The release of the decryption keys may be a symptom of changing ransomware tactics.