Some of the most dangerous ransomware strains now have master decryption keys

Ransomware authors are pulling the plug

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Master decryption keys for Maze, Egregor, and Sekhmetransomwarehave been published on theBleepingComputerforum, the publication has revealed.

The site shared the files containing the keys with cybersecurity researchers Michael Gillespie and Fabian Wosar of Emsisoft, who have since confirmed their authenticity.

In a blog post published by a user going by the name Topleak, it says that the leak was planned, and in no way connected to the recent arrests. Last year, alleged members of the Egregor ransomware group (previously known as Maze) were arrested in Ukraine. The names of the suspects were not released, but the law enforcement agencies did say they provided “hacking, logistical, and financial support” to the Egregor group.

Master decryption keys available

Topleak added the group will “never return to this kind of activity”, indicating that their time extorting businesses for money was done. All the source code to all of the tools used in their campaign has been wiped, as well.

“Never forget that everything you perceive is only the dream of God. Complete your task.” the post ends.

The files posted on the forum include 9 master decryption keys for the original Maze malware that targeted consumers, 30 master decryption keys for the Mazemalwarethat targeted corporations, 19 master decryption keys for Egregor, and one master decryption key for Sekhmet.

The keys are used to decrypt the encrypted keys usually found in the ransom message, following the breach.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

One of the world’s most notorious ransomware teams is shutting down>Ragnarok ransomware gang shuts down and releases decryption key>Kmart is latest retailer to suffer major ransomware attack

Among the files posted on the forum is also the source code for the M0yv ‘modular x86/64 file infector’, which Maze operators used in previous attacks.

“Also there is a little bit harmless source code of polymorphic x86/x64 modular EPO file infector m0yv detected in the wild as Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no single thing in common with gazavat,” the post reads.

“M0yv source is a bonus, because there was no any major source code of resident software for years now, so here we go.”

Via:BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new malware utilizes a rare programming language to evade traditional detection methods

A new form of macOS malware is being used by devious North Korean hackers

Arcane season 2 confirms the hit series isn’t just one of the best Netflix shows ever made – it’s an animated legend that’ll stand the test of time