Update 12th February: An earlier version of this post incorrectly stated that the decryption tool used to unlock files existed prior to the keys being released – this has now been corrected.
If you’re unfortunate enough to be caught out by ransomware, the consequences can be devastating. You may be able to get rid of the infection, but the all-important files affected by such an attack will still be under lock and key. Without backups, which is more common than you may think, the files may be gone forever.
A tiny slice of good fortune
Occasionally, we all catch the proverbial break. Files can sometimes be recovered in the following ways:
- A ransomware author makes some sort of mistake, or their files are just simply coded badly. Researchers figure out a way to recover the decryption key, and publish it so victims can recover their files.
- Authors offer up the keys themselves. This can be for a variety of reasons. They may have generated a bit too much heat, and are looking to retreat into the shadows with the suggestion of some good deed done. Other times, they decide “party’s over” with the release of a new variant and hand out a “Get out of jail free” pass to former victims.
This is where our current story picks up.
What a maze
Back in 2019, Maze Ransomware came to light:
Initially, it grabbed victims via fake Cryptocurrency site trafficbounced to exploit kit landing pages. It also claimed to vary ransom amounts depending on if the compromised machine was a workstation, home computer, or server.
Tactics changed a little later on, with threats of exfiltrated data being published if ransom demands were not met. The group behind Maze eventually announced retirement, and infection numbers tailed off after one final flourishin August 2020. Maze affiliates quickly moved over to Egregor, which was then mired in the mud of several arrests.
Now we’re at the beginning of 2022, and there’s yet more developments in Maze land.
Someone has posted to the Bleeping Computer forums, claiming to be the developer of not only Maze, but also Egregor and Sekhmet ransomware families. The post reads as follows:
Hello, It’s developer. It was decided to release keys to the public for Egregor, Maze, Sekhmet ransomware families.
also there is a little bit harmless source code of polymorphic x86/x64 modular EPO file infector m0yv detected in the wild as Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no single thing in common with gazavat. Each archive with keys have corresponding keys inside the numeric folders which equal to advert id in the config.
In the “OLD” folder of maze leak is keys for it’s old version with e-mail based. Consider to make decryptor first for this one, because there were too many regular PC users for this version.
There is, once more, a claim that anyone involved is now definitely out of the Ransomware game for good. All the “source code of tools” are also supposedly gone forever.
The forum poster included a zip containing decryption keys for the ransomware, and also some source code for malware used by the Maze gang.
What’s the real reason for this farewell to arms?
Decryption tools now existfor the 3 groups mentioned, thanks to the release of the keys on the forum post. The zip file has now been removed from the forum due to the inclusion of the malware source code.
The author claims this forum post and announcement is not related to any arrest or takedown, but even so this feels more important as an announcement of leaving the malware realm to avoid trouble than being particularly helpful to victims just for the sake of it.
Are they gone for good, or will they return once more with a new set of Ransomware files? Only time will tell…