Security vendor Emsisoft has released a decryptor for victims of the Maze, Egregor and Sekhmet ransomware families. With it, files encrypted by this ransomware can be restored without paying. The decryptor became possible after someone presenting themselves as one of the developers posted the master decryption keys and announced that the ransomware groups were shutting down. Here is some information about it.
Maze, Egregor and Sekhmet are ransomware groups whose malware found numerous victims and encrypted their files. In the case of Maze ransomware, the first known cases date from May 2019. The group pioneered the double-extortion model: in addition to offering decryption for a ransom, it threatened to publish data exfiltrated from the victim before encryption. Egregor appeared in September 2020, and after Maze announced in October 2020 that it would disband, the operation continued under the Egregor name. The group later disappeared after members were arrested in Ukraine (Egregor ransomware gang members arrested). The ransomware's developers now appear to have retired.
Developer publishes master key
I learned from the following tweet, dated February 9, 2022, that the keys for the Maze, Egregor and Sekhmet ransomware families had been released. The Twitter user notes that this is a planned leak, because the developer in question also announced on an underground forum that none of the team wants to be active in cybercrime again. In effect, it is an announcement that the team is disbanding and retiring.
In addition, the Maze developer shared the source code for the M0yv "modular x86/x64 file infector", which is detected in the wild as a Win64/Expiro virus. Its todo file shows that the last update was on January 19, 2022. At first I withheld the information, because it was unclear whether the keys were genuine. Also, according to Lawrence Abrams of Bleeping Computer, the post was temporarily hidden on the underground forum because it contained malware (probably the file infector). The keys, however, turned out to be real.
Emsisoft releases Decryptor
A short time later, security vendor Emsisoft released a decryptor for the three ransomware families Maze, Egregor and Sekhmet and announced it in the following tweet. Information about the decryptor, its download and the ransomware can be found here.
This allows victims of these ransomware families to attempt to decrypt their files without paying a ransom. As with any decryptor, run it against copies of the encrypted files and keep the originals untouched until the recovered files have been verified. A PDF guide on how to use the decryptor can be found here. Bleeping Computer colleagues followed the whole thing on Twitter right after the above announcements and eventually published this article with more details.