The master decryption keys for the Maze, Egregor, and Sekhmet ransomware operations were released last night on the BleepingComputer forums by the alleged malware developer.
The Sekhmet operation was somewhat of an outlier as it launched in March 2020, while Maze was still active.
Master decryption keys released
Fast forward 14 months later, and the decryption keys for these operations have now been leaked in the BleepingComputer forums by a user named ‘Topleak’ who claims to be the developer for all three operations.
“Since it will raise too much clues and most of them will be false, it is necessary to emphasize that it is planned leak, and have no any connections to recent arrests and takedowns,” explained the alleged ransomware developer.
They further stated that none of their team members will ever return to ransomware and that they destroyed all of the source code for their ransomware.
The post includes a download link for a 7zip file with four archives containing the Maze, Egregor, and Sekhmet decryption keys, and the source code for a ‘M0yv’ malware used by the ransomware gang.
Each of these archives contains the public master encryption key and the private master decryption key associated with a specific “advert”, or affiliate of the ransomware operation.
In total, the following are the number of RSA-2048 master decryption keys released per ransomware operation:
Maze: 9 master decryption keys for the original malware that targeted non-corporate users.
Maze: 30 master decryption keys.
Egregor: 19 master decryption keys.
Sekhmet: 1 master decryption key.
Emsisoft’s Michael Gillespie and Fabian Wosar has reviewed the decryption keys and confirmed to BleepingComputer that they are legitimate and can be used to decrypt files encrypted by the three ransomware families.
Gillespie told us that the keys are used to decrypt a victim’s encrypted keys that are embedded in a ransom note.
Emsisoft has released a decryptor to allow any Maze, Egregor, and Sekhmet victims who have been waiting to recover their files for free.
To use the decryptor, victims will need ransom note created during the attack as it contains the encrypted decryption key.
Bonus M0yv malware source code
The archive also includes the source code for the M0yv ‘modular x86/x64 file infector’ developed by the Maze ransomware operation and used previously in attacks.
“Also there is a little bit harmless source code of polymorphic x86/x64 modular EPO file infector m0yv detected in the wild as Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no single thing in common with gazavat,” the ransomware developer said in the forum post.
“M0yv source is a bonus, because there was no any major source code of resident software for years now, so here we go,” the developer later explained.
This source code come in the form of a Microsoft Visual Studio project and includes some already compiled DLLs.
The todo.txt file indicates the source code for this malware was last updated on January 19th, 2022.