Some of the most dangerous ransomware strains now have master decryption keys

News
By Sead Fadilpašić
published

Ransomware authors are pulling the plug

Lock on Laptop Screen
(Image credit: Future)

Master decryption keys for Maze, Egregor, and Sekhmet ransomware have been published on the BleepingComputer forum, the publication has revealed.

The site shared the files containing the keys with cybersecurity researchers Michael Gillespie and Fabian Wosar of Emsisoft, who have since confirmed their authenticity.

In a blog post published by a user going by the name Topleak, it says that the leak was planned, and in no way connected to the recent arrests. Last year, alleged members of the Egregor ransomware group (previously known as Maze) were arrested in Ukraine. The names of the suspects were not released, but the law enforcement agencies did say they provided “hacking, logistical, and financial support” to the Egregor group.

Master decryption keys available

Topleak added the group will “never return to this kind of activity”, indicating that their time extorting businesses for money was done. All the source code to all of the tools used in their campaign has been wiped, as well.

“Never forget that everything you perceive is only the dream of God. Complete your task.” the post ends.

The files posted on the forum include 9 master decryption keys for the original Maze malware that targeted consumers, 30 master decryption keys for the Maze malware that targeted corporations, 19 master decryption keys for Egregor, and one master decryption key for Sekhmet.

The keys are used to decrypt the encrypted keys usually found in the ransom message, following the breach. 

Read More

> One of the world's most notorious ransomware teams is shutting down

> Ragnarok ransomware gang shuts down and releases decryption key

> Kmart is latest retailer to suffer major ransomware attack

Among the files posted on the forum is also the source code for the M0yv ‘modular x86/64 file infector’, which Maze operators used in previous attacks.

"Also there is a little bit harmless source code of polymorphic x86/x64 modular EPO file infector m0yv detected in the wild as Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no single thing in common with gazavat," the post reads.

"M0yv source is a bonus, because there was no any major source code of resident software for years now, so here we go."

Via: BleepingComputer

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.