10099051699?profile=RESIZE_400xIf you or your company was unfortunate enough to be caught in the web of a ransomware attack, the consequences may have been devastating.  Hopefully you got rid of the infection, but the all-important files affected by such an attack could still be under lock and key.  Without backups, which is more common than you may think, the files may be gone forever.

A tiny slice of good fortune: Occasionally, we all catch break.  Files can sometimes be recovered in the following ways[1]:

  • A ransomware author makes some sort of mistake, or their files are just simply coded badly. Researchers figure out a way to recover the decryption key, and publish it so victims can recover their files.
  • Authors offer up the keys themselves. This can be for a variety of reasons. They may have generated a bit too much heat, and are looking to retreat into the shadows with the suggestion of some good deed done. Other times, they decide “party’s over” with the release of a new variant and hand out a “Get out of jail free” pass to former victims.

What a maze !!   So, back in 2019, Maze Ransomware came to the forefront.  Initially it grabbed victims via fake Cryptocurrency site traffic and bounced it to exploit kit landing pages. It also claimed to vary ransom amounts depending on if the compromised machine was a workstation, home computer, or server.  Tactics changed a little later on, with threats of exfiltrated data being published if ransom demands were not met.  The group behind Maze eventually announced retirement, and infection numbers tailed off after one final flourish in August 2020. Maze affiliates quickly moved over to Egregor, which was then mired in the mud of several arrests.  We are now into the second month of 2022, and there is yet more developments in Maze land.

Hello, It’s developer. It was decided to release keys to the public for Egregor, Maze, Sekhmet ransomware families.

also there is a little bit harmless source code of polymorphic x86/x64 modular EPO file infector m0yv detected in the wild as Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no single thing in common with gazavat. Each archive with keys have corresponding keys inside the numeric folders which equal to advert id in the config.

In the “OLD” folder of maze leak is keys for it’s old version with e-mail based. Consider to make decryptor first for this one, because there were too many regular PC users for this version.

We’re finished…(again).  Someone has posted to the Bleeping Computer forums, claiming to be the developer of not only Maze, but also Egregor and Sekhmet ransomware families. The post reads as follows:

10099055055?profile=RESIZE_584xThere is, once more, a claim that anyone involved is now definitely out of the Ransomware game for good.  All the “source code of tools” are also supposedly gone forever.  The forum poster included a zip containing decryption keys for the ransomware, and also some source code for malware used by the Maze gang.

What’s the real reason for this departure?    Decryption tools now exist for the 3 groups mentioned, thanks to the release of the keys on the forum post. The zip file has now been removed from the forum due to the inclusion of the malware source code.  The author claims this forum post and announcement is not related to any arrest or takedown, but even so this feels more important as an announcement of leaving the malware realm to avoid trouble than being particularly helpful to victims just for the sake of it.  Are they gone for good, or will they return once more with a new set of Ransomware files?  Only time will tell…Red Sky does not think so.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization who has long collected and analyzed cyber indicators.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com     

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://blog.malwarebytes.com/malwarebytes-news/2022/02/ransomware-author-releases-decryption-keys-says-goodbye-forever/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!