The shackles have been broken for victims of Maze/Egregor/Sekhmet ransomware: On Wednesday, decryption keys were released for all three ransomware strains in a forum post.
The liberator, using the handle “Topleak,” described themselves as the developer of the three ransomware strains.
It’s been lovely, but now it’s time to say bye-bye, Topleak said: “Neither of our team member will never return to this kind of activity, it was pleasant to work with you. All source code of tools ever made is wiped out.”
Translation: Maze team members are purportedly never going back to ransomware, and they’ve destroyed all of their ransomware source code. In the post, Topleak included a .ZIP file containing decryption keys for the ransomware, along with some of the Maze gang’s malware source code. The .ZIP file was subsequently removed from the post because it included that source code.
The original keys aren’t necessary, though: After confirming that those decryption keys are legitimate, Emsisoft released a decryptor that will enable any Maze, Egregor and Sekhmet victims to recover their files for free.
Innovators of the Double Whammy
Maze, once considered one of the most active ransomware gangs out there, was a pioneer in the dark art of double extortion: i.e., not only snarling a target’s files in a ransomware attack, but also threatening to make the encrypted data publicly available if the victim doesn’t pay up.
The gang first bubbled up in November 2019, going on to score big hits against the likes of Cognizant and Xerox.
Then, in summer 2020, Maze formed a cybercrime cartel, joining forces with various ransomware strains, including Egregor, to share code, ideas and resources.
Some experts considered Egregor to be a reincarnation of Maze. For its part, Appgate judged Egregor’s code to be a spinoff of the Sekhmet ransomware – a link that was also noted by other researchers.
Maze announced it was shutting down in November 2020, posting a self-righteous screed in which it explained that the “project” had been set up because the world is “sinking into recklessness and indifference, in laziness and stupidity.”
Its year-long cybercrime spree was all about demonstrating its targeted organizations’ lax cybersecurity hygiene, according to its press release – as if a ransomware attack is the cyber-equivalent of, say, a colon cleanse.
Maze: We’re For Reals
It’s not uncommon for cyber-gangs to announce their retirement and then yo-yo back into business, turning up for other cybercrime projects.
One example is GandCrab, the ransomware-as-a-service (RaaS) outfit that announced in June 2019 that it was going to kick back and enjoy the $2 billion it had made in a year-long feeding frenzy…only to jump out of its rocking chair a few months later, with code analysis linking the authors to REvil/Sodinokibi ransomware.
Another example is BlackMatter, considered a rebirth of at least some of the lower-level REvil and BackMatter players, which announced it would shut down – again – in November following pressure from local authorities. DarkSide’s shutdown, coming a few weeks after the RaaS gang crippled Colonial Pipeline Co., also happened after it got raided by authorities.
The Maze gang could follow the same path, turning their supposed retirement into an opportunity to move on to new projects. Topleak addressed the haziness and chatter that typically surround “going out of business” announcements, writing in their announcement that the gang isn’t being forced out of the ransomware business:
“Since it will raise too much clues and most of them will be false, it is necessary to emphasize that it is planned leak, and have no any connections to recent arrests and takedowns,” Topleak said.