Maze, Egregor and Sekhmet ransomware decryption keys published

A decryptor has been released for the Maze, Egregor and Sekhmet ransomware families in yet another sign that cybercriminals are rattled by recent law enforcement action.

Maze was once considered one of the most active and notorious data-stealing ransomware groups. The gang, which began operating in May 2019, gained infamy for introducing the double-extortion model, in which hackers first exfiltrate a victim’s data and threaten to publish the stolen files unless the ransom was paid. Typical ransomware groups infect a victim with file-encrypting malware and hold the files in exchange for cryptocurrency.

The group, which announced that it was shutting down in November 2020, claimed a number of high-profile victims, including Cognizant, Xerox, LG and Canon.

Egregor emerged in September 2020 as the Maze operation began shutting down and employed the same double-extortion technique as its predecessor. Despite claiming a number of victims — including Ubisoft, Barnes & Noble, Kmart and Vancouver’s subway system — the operation was short-lived, as several members of Egregor were arrested in Ukraine in February 2021.

Sekhmet, which launched in March 2020, shares a number of similarities with Maze and Egregor. Although it emerged before the latter, cybersecurity researchers have observed similar tactics, obfuscation, API calls and ransom notes between the two.

On Wednesday, someone identifying themselves as “Topleak,” who claims to be the developer for all three operations, released decryption keys for all three ransomware families in a Bleeping Computer forum post.

“Since it will raise too much clues and most of them will be false, it is necessary to emphasize that it is planned leak, and have no any connections to recent arrests and takedowns,” Topleak said, adding that none of their team members will ever return to ransomware and that they destroyed all of the source code for their ransomware.

Emsisoft, which confirmed that the decryption keys are legitimate, has released a decryptor to allow any Maze, Egregor and Sekhmet victims to recover their files for free.

Emsisoft ransomware expert and threat analyst Brett Callow told TechCrunch that the release of the decryption keys is another sign that cybercriminals are rattled.

“While the gang claims their decision to release the keys has nothing to do with the recent arrests of REvil — yeah, right. The reality is that their costs and risks are both increasing,” said Callow. “Ransomware became such a big problem because cybercriminals were able to operate with almost complete impunity. That’s no longer the case. While the problem is far from solved, there’s now far more ‘risk’ in the risk/reward ratio.”