Ransomware Developer Releases Egregor, Maze Master Decryption Keys


The master decryption keys for the Maze, Egregor and Sekhmet ransomware operations were published last night on the BleepingComputer forums by the alleged malware developer.

The Maze ransomware started operating in May 2019 and quickly rose to fame as it was responsible for using data theft and double extortion tactics now used by many ransomware operations.

After Maze announced its closure in October 2020, they were renamed in September as Egregor, which later disappeared after members were arrested in Ukraine.

Operation Sekhmet was something of an outlier when it launched in March 2020, when Maze was still active.

Published decryption master keys

Fast forward 14 months later, and the decryption keys for these Ops have now been leaked to the BleepingComputer forums by a user named “Topleak” who claims to be the developer of all three Ops.

The poster stated that it was a planned leak and was unrelated to recent law enforcement operations that led to the seizure of servers and the arrest of affiliates of ransomware.

“Since this will raise too many clues and most of them will be false, it is necessary to emphasize that this is a planned leak and has no connection to the recent arrests. and teardowns,” the alleged ransomware developer explained.

They further stated that none of their team members will ever come back to the ransomware and that they destroyed all the source code of their ransomware.

Leaked Maze, Egregor and Sekhmet decryption key forum post
Leaked Maze, Egregor and Sekhmet decryption key forum post
Source: BleepingComputer

The message includes a download link for a 7zip file with four archives containing the Maze, Egregor and Sekhmet decryption keys, as well as the source code of a “M0yv” malware used by the ransomware gang.

Archive containing leaked decryption keys
Source: BleepingComputer

Each of these archives contains the public master encryption key and the private master decryption key associated with a specific “advertisement” or affiliate of the ransomware operation.

In total, here is the number of RSA-2048 master decryption keys released per ransomware operation:

  • Labyrinth: 9 major decryption keys for the original malware that targeted non-professional users.
  • Labyrinth: 30 master decryption keys.
  • Egregore: 19 master decryption keys.
  • Sekhmet: 1 master decryption key.

from Emsisoft Michael Gillespie and Fabien Wosar has reviewed the decryption keys and confirmed to BleepingComputer that they are legitimate and can be used to decrypt files encrypted by all three ransomware families.

Gillespie told us that the keys are used to decrypt a victim’s encrypted keys that are embedded in a ransom note.

Encrypted key in Maze ransom note
Encrypted key in Maze ransom note
Source: BleepingComputer

Emsisoft released a decryptor to allow all Maze, Egregor and Sekhmet victims who were waiting to get their files back for free.

Emsisoft decryptor for Maze, Egregor and Sekhmet
Emsisoft decryptor for Maze, Egregor and Sekhmet

To use the decryptor victims will need a ransom note created during the attack as it contains the encrypted decryption key.

M0yv malware bonus source code

The archive also includes source code for the “modular x86/x64 file infector” M0yv developed by the Maze ransomware operation and used in previous attacks.

“There is also a somewhat innocuous source code of the modular x86/x64 m0yv EPO file infector detected in the wild as a Win64/Expiro virus, but it’s not actually expiro, but the AV engines detect it as that, so nothing in common with gazavat,” the ransomware developer said in the forum post.

“The M0yv source is a bonus, because there was no major resident software source code for years, so here we go,” the developer later explained.

This source code comes in the form of a Microsoft Visual Studio project and includes already compiled DLLs.

M0yv malware source code snippet
Source: BleepingComputer

The todo.txt file indicates that the source code of this malware was last updated on January 19, 2022.


Comments are closed.