A decryptor has been released for the Maze, Sekhmet, and Egregor ransomware after someone published the master decryption keys in a BleepingComputer forum post. 

Recommends

• The 5 best VPN services (and tips to choose the right one for you)
• The best AI art generators: DALL-E 2 and other fun alternatives to try
• The best Android phones you can buy (including a surprise pick)
• The best robot vacuum and mop combos (and if they're worth the money)

Around 6:30 yesterday evening, someone identifying themselves as "Topleak" said, "It was decided to release keys to the public for Egregor, Maze, Sekhmet ransomware families." 

"Each archive with keys have corresponding keys inside the numeric folders which equal to advert id in the config. In the "OLD" folder of maze leak is keys for it's old version with e-mail based. Consider to make decryptor first for this one, because there were too many regular PC users for this version," the user wrote. 

"Since it will raise too much clues and most of them will be false, it is necessary to emphasize that it is planned leak, and have no any connections to recent arrests and takedowns. M0yv source is a bonus, because there was no any major source code of resident software for years now, so here we go. Neither of our team member will never return to this kind of activity, it was pleasant to work with you. All source code of tools ever made is wiped out."

Cybersecurity company Emsisoft created a decryptor using the keys but victims need to have the ransom note they received. The decryptor already has more than 200 downloads. Bleeping Computer administrators removed the link because it included the source code for the 'M0yv' malware.  

Emsisoft threat analyst Brett Callow said that while Maze, Sekhmet, and Egregor are no longer active, companies typically archive any encrypted data that they were unable to recover in the hope that a decryptor will eventually become available -- which it now has. 

"The release of the keys is another sign that ransomware gangs are rattled. While the gang claims their decision had nothing to do with the recent arrests of REvil -- yeah, right. The reality is that gangs' costs and risks are both increasing. Ransomware became such an enormous problem because threat actors were able to operate with almost complete impunity," Callow told ZDNet. 

He went on to explain that there is a "stunning" enforcement gap when it comes to cybersecurity, noting that the chances of being successfully investigated and prosecuted for a cyber attack in the US are now estimated at 0.05%. 

"That's no longer the case. The ransomware problem is far from solved, but there's now far more 'risk' in the risk/reward ratio. The Biden administration's policy measures, multi-million dollar rewards, international cooperation, offensive actions and disruptions are all combining to make it harder and riskier for ransomware gangs to operate while insurers are simultaneously pushing their customers to become resilient," Callow said. 

In February 2021, members of the Egregor ransomware cartel were arrested in Ukraine after a joint investigation by French and Ukrainian police. According to France Inter, French authorities got involved in the investigation after game studio Ubisoft, logistics firm Gefco and several other major French companies were attacked by Egregor members. 

It was long suspected that Egregor, Maze, and Sekhmet were developed by the same group. Allan Liska, a ransomware expert with threat intelligence firm Recorded Future, toldZDNetin 2020 that they tracked 206 victims published to the Egregor extortion site and, before the switchover, 263 victims published to the Maze site. At the time, Liska said the two variants accounted for 34.3% of victims published to all ransomware extortion sites.

On Wednesday, Liska toldZDNetthat Maze, Egregor, and Sekhment were always tied together, each seen as a successor to the other 

He said they were notable for a number of reasons. Maze codified the idea of the ransomware extortion site, which most ransomware groups now have, Liska explained. 

"The arrests of Maze affiliates in February of 2021 really kicked off the year of ransomware arrests," Liska said.

Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next

• 8 habits of highly secure remote workers
• How to find and remove spyware from your phone
• The best VPN services: How do the top 5 compare?
• How to find out if you are involved in a data breach -- and what to do next