Developer releases decryption key for Maze ransomware, Egregor

The master decryption keys for the Maze, Egregor and Sekhmet ransomware have just been posted by a user on the BleepingComputer forum. This person claims to be the developer of all three ransomware families.

Maze started operating in May 2019 and quickly became notorious for its distinctive tactic of data theft and double extortion. Many other ransomware operations have since adopted Maze's tactics to force victims to pay a ransom for their data.

The group behind Maze announced its shutdown in October 2020. In reality, it had already rebranded the ransomware as Egregor in September 2020 and continued to operate. Later its members were arrested in Ukraine, and Egregor disappeared as well.

Sekhmet is a ransomware strain similar to Maze, but it started operating in March 2020, when Maze had not yet announced its retirement.

14 months later, the master decryption keys for Maze, Egregor and Sekhmet were posted on the BleepingComputer forum by a user named "Topleak". This person claims to be the developer of all three ransomware families mentioned above.

This person said that the posting of the decryption key was planned in advance and had nothing to do with recent raids by law enforcement. Many servers and affiliates of the Maze and Egregor ransomware have been seized and destroyed.

The developer also said that the team's members will no longer be involved in ransomware, and that they have destroyed all the source code for their ransomware.

The BleepingComputer forum post includes a download link to a 7zip file with four subfiles that store the Maze, Egregor, Sekhmet decryption keys and the source code of the "M0yv" malware they use.

Each subdirectory contains the public master decryption key and the private master decryption key associated with the affiliates or distribution units.

Here is the number of RSA-2048 master decryption keys for each ransomware:

  1. Maze: 9 master decryption keys for the malware that originally targeted non-business users.
  2. Maze: 30 master decryption keys.
  3. Sekhmet: 1 master decryption key.

Two security researchers at Emsisoft, Michael Gillespie and Fabian Wosar, confirmed to BleepingComputer that these keys are valid and can be used to decrypt files encrypted by the three ransomware families mentioned above.

Emsisoft has also released a decryption tool for victims of Maze, Egregor and Sekhmet ransomware infections. However, to use Emsisoft's decryptor you need the ransom note generated during the attack, because it contains the decryption key.

Good luck!
