The shackles have been broken for victims of Maze/Egregor/Sekhmet ransomware: On Wednesday, decryption keys were released for all three ransomware strains in a BleepingComputer forum post.
The liberator, using the handle “Topleak,” described themselves as the developer of all three ransomware families.
It’s been lovely, but now it’s time to say bye-bye, Topleak said, in the mangled English-ese that’s typified the ransomware-as-a-service (RaaS) gang’s communications over the past few years. “Neither of our team member will never return to this kind of activity, it was pleasant to work with you. All source code of tools ever made is wiped out.”
Translation: Maze team members are purportedly never going back to ransomware, and they’ve destroyed all of their ransomware source code. In the post, Topleak included a zip file containing decryption keys for the ransomware, along with some of the Maze gang’s malware source code.
The zip file was subsequently removed from the post because it contained the malware source code.
Victims don’t need to handle the raw keys themselves, though: After confirming that the decryption keys are legitimate, Emsisoft released a free decryptor that lets any Maze, Egregor or Sekhmet victim recover their files.
Innovators of the Double Whammy
Maze, once considered one of the most active ransomware gangs out there, was a pioneer in the dark art of double extortion: i.e., not only encrypting a target’s files in a ransomware attack, but also stealing data before encrypting it and threatening to publish that data if the victim doesn’t pay up.
The gang first bubbled up in November 2019, going on to score big hits against the likes of Cognizant and Xerox.
Then, in summer 2020, Maze formed a cybercrime cartel, joining forces with various ransomware strains, including Egregor, to share code, ideas and resources.
Some experts considered Egregor to be a reincarnation of Maze. For its part, Appgate judged Egregor’s code to be a spinoff of the Sekhmet ransomware – a link that was also noted by other researchers.
Maze announced it was shutting down in November 2020, posting a self-righteous screed in which it explained that the “project” had been set up because the world is “sinking into recklessness and indifference, in laziness and stupidity.”
Its year-long cybercrime spree was all about exposing its targets’ lax cybersecurity hygiene, according to its press release, as if a ransomware attack were the cyber equivalent of, say, a colon cleanse.
Maze: We’re For Reals
It’s not uncommon for cyber gangs to announce their retirement and then yo-yo back into business, turning up for other cybercrime projects.
One example is GandCrab, the ransomware-as-a-service (RaaS) outfit that announced in June 2019 that it was going to kick back and enjoy the $2 billion it had made in a year-long feeding frenzy. … Only to jump out of its rocking chair a few months later, with code analysis linking the authors to REvil/Sodinokibi ransomware.
Another example is BlackMatter, considered a rebirth of at least some of the lower-level REvil players, which announced in November that it would shut down, citing pressure from the authorities. DarkSide’s shutdown, coming a few weeks after the RaaS gang crippled Colonial Pipeline Co., likewise followed action by authorities against its infrastructure.
The Maze gang could follow the same path, turning their supposed retirement into an opportunity to move on to new projects. Topleak addressed the haziness and chatter that typically surround “going out of business” announcements, writing in their BleepingComputer announcement that the gang isn’t being forced out of the ransomware business: “Since it will raise too much clues and most of them will be false, it is necessary to emphasize that it is planned leak, and have no any connections to recent arrests and takedowns,” Topleak said.