The alleged developer of Maze, Sekhmet and Egregor ransomware released this week the master decryption keys for the malicious operations on the BleepingComputer forum.
A user named Topleak, claiming to be the developer for all three ransomware operations, has released the master decryption keys, saying that this was a planned leak and is in no way connected with the recent arrests of ransomware affiliates and the seizure of servers they used.
“Since it will raise too much clues and most of them will be false, it is necessary to emphasize that it is planned leak, and have no any connections to recent arrests and takedowns,” says the author of the post.
The post also stated that no team members will return to ransomware operations, and that the team destroyed all source code of their malicious projects. The blog post includes a download link that points to a 7z file, consisting of archived Maze, Sekhmet and Egregor decryption keys.
The encryption key archives each hold a public master encryption key and its private decryption counterpart associated with a specific affiliate of the ransomware operation.
The number of released RSA-2048 master decryption keys per operation is as follows:
- Maze: 30 master decryption keys plus nine master decryption keys for the older version of the malware that targeted non-corporate users
- Sekhmet: one master decryption key
- Egregor: 19 master decryption keys
Additionally, the 7z file hosts a fourth archive that holds the source code of the M0yv malware, also a tool the ransomware gang used as part of their operation.
"M0yv source is a bonus, because there was no any major source code of resident software for years now, so here we go," said the developer in its forum post.
M0yv is a modular x86/x64 file infector that Maze developers created and previously used in their attacks. The archived source code included in the 7z file is available as a Microsoft Visual Studio project and hosts some DLL files that are already compiled.