Euro Security Watch with Mathew J. Schwartz

Business Continuity Management / Disaster Recovery , Cybercrime , Cybercrime as-a-service

Decryption Keys Released for 3 Defunct Ransomware Strains

Are Attackers Running Scared? Maze, Sekhmet and Egregor Victims Get Free Decryptors
Decryption Keys Released for 3 Defunct Ransomware Strains
Emsisoft has released a free decryptor for files crypto-locked by Maze, Sekhmet or Egregor ransomware.

Are ransomware-wielding criminals running scared?

See Also: Identity Security Clinic

That's one explanation for the sudden appearance this week of free decryption keys for three different strains of formerly prevalent ransomware: Maze, Sekhmet and Egregor.

The master ransomware keys - 39 for Maze, 19 for Egregor and one for Sekhmet - were released Tuesday night to the forums of Bleeping Computer by the malware's alleged developer.

Security firm Emsisoft has verified that the master decryption keys work and has released a free decryptor. To use it, Bleeping Computer reports, a victim must possess a ransom note for the infection, which includes an encrypted decryption key, which Emsisoft's tool will decrypt, allowing victims to decrypt their files.

The release of the master keys by someone apparently tied to the groups means that any organization whose files were locked using any of those strains of crypto-locking malware can now decrypt their files for free.

"Companies typically archive any encrypted data that they were unable to recover in the hope that a decryptor will eventually become available - which it now has," says Brett Callow, a threat analyst at Emsisoft.

"If victims still have the original encrypted files on a disk available, they can now get their data back," says John Fokker, head of cyber investigations and principal engineer at security vendor Trellix. "Even though this will probably not make a huge difference for business continuity, it might help with getting back important historical records, for example, for tax or insurance purposes."

Timeline: Maze to Egregor

To be clear, none of the three ransomware strains have been tied to any recent attacks. Based in part on code reuse, security experts have long suspected that all three groups were connected, with each serving as a replacement for the previous version, while also overlapping:

  • Maze: Active from May 2019 to November 2020;
  • Sekhmet: Active beginning in March 2020, with an unclear end date;
  • Egregor: Active from September 2020 to February 2021, when individuals suspected of providing hacking, logistical and financial support to the operation were arrested after an investigation by French and Ukrainian police.

Why did the operation appear to end with the February 2021 arrests, if those suspects were allegedly not the core operators or administrators? "It is very well possible that due to the arrests and takedown, the remaining individuals behind Maze/Egregor had a change of heart," Fokker tells me.

The identities of the suspects who were arrested still haven't been made public. "But given the fact that is has been very quiet and they have now publicly released the decryption keys, it is safe to say that the arrests had the desired effect," he says.

Massive Damage and Disruption

While the release of master decryption keys for all three strains is good news, it doesn't repair the extensive damage and disruption tied to all three types of malware. While active, Maze and Egregor were among the most-seen ransomware infections, backed by the greediest demands.

In 2020, for example, Maze-wielding attackers regularly demanded ransoms worth $1 million to $2 million. That year, Maze - and Conti - were the most commonly seen strains of ransomware used to infect healthcare sector organizations.

Constant Innovation

The group behind the ransomware strains also introduced innovative new business practices, to victims' detriment. Maze-wielding attackers notably pioneered the double-extortion tactic of stealing data as part of every attack and threatening to release the data unless a victim paid.

Many ransomware experts suspected that strategy might backfire. Unfortunately, the opposite happened: The tactic led to more victims paying a ransom, and with attackers targeting relatively larger organizations, the average ransom amount they could demand also surged.

Soon, numerous ransomware operations copied Maze's move and began stealing data or claiming to have stolen data. The model continues today, with many attackers maintaining dedicated data leak sites. For any victim that doesn't pay, attackers will first try to name and shame the victim by listing them on the site and will then begin releasing samples of stolen data. If a victim still won't pay, attackers eventually dump all of the victims' stolen data, to serve as a cautionary lesson for future victims.

Arrests Spark Panic

What's changed in the 12 months since Egregor and its predecessors were last active?

For starters, the arrest last month of individuals with alleged ties to the REvil - aka Sodinokibi - ransomware operation by Russia's Federal Security Service, the FSB, has been causing panic, according to threat intelligence firms that monitor chatter on cybercrime forums.

Many criminals appear to be braced for further crackdowns, says Victoria Kivilevich, director of threat research at Israeli cybersecurity firm Kela.

"A lot of users on cybercrime forums were shocked by this operation because it breaks their belief in being safe from local law enforcement if you are not attacking Russian citizens and companies," she tells me. "They even claimed to be betrayed by the Russian government. However, some of them suppose that only low-ranking collaborators got caught and the arrests are related to tensions in Ukraine and Kazakhstan. Therefore it does not mean that all cybercriminals based in Russia are now in significantly higher danger."

Chatter on the cybercrime underground has suggested that Russian authorities had been exerting increasing pressure on some now-defunct ransomware operations or brands - including Avaddon, Hive, DarkSide and its spinoff BlackMatter - since at least spring 2021, says Yelisey Boguslavskiy, research director at New York-based threat intelligence firm Advanced Intelligence.

Boguslavskiy previously reported that pressure on Avaddon appeared to be happening ahead of the U.S.-Russia summit in Geneva between Presidents Joe Biden and Vladimir Putin in June 2021. At the summit, Biden repeated calls for Putin to crack down on cybercriminals operating from inside Russia's borders and hitting foreign targets (see: 'Fear' Likely Drove Avaddon's Exit From Ransomware Fray).

Ransomware Wielders Beware

Eight months later, the ransomware problem hardly remains solved. Cybersecurity authorities in Australia, the U.K. and U.S. on Wednesday warned that some of the most disruptive attacks ever - not least for critical infrastructure sectors - happened in 2021, and attackers appear poised to keep innovating.

The joint alert warns: "Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors' growing technological sophistication and an increased ransomware threat to organizations globally."

Thankfully, however, more ransomware-wielding attackers seem to be either directly or indirectly feeling the heat. This week's release of master keys, for example, "is another sign that ransomware gangs are rattled," Emsisoft's Callow says.

"Gangs' costs and risks are both increasing," he adds. "Ransomware became such an enormous problem because threat actors were able to operate with almost complete impunity. That's no longer the case."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.