{
	"id": "db84ef5b-dd3f-43c5-9ac4-b3a8ca08915d",
	"created_at": "2026-04-06T00:16:46.417951Z",
	"updated_at": "2026-04-10T03:21:54.187418Z",
	"deleted_at": null,
	"sha1_hash": "3ffa3de1703074bea798458b7d6a52a4fb1bb25b",
	"title": "Ransomware dev releases Egregor, Maze master decryption keys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3312480,
	"plain_text": "Ransomware dev releases Egregor, Maze master decryption keys\r\nBy Lawrence Abrams\r\nPublished: 2022-02-09 · Archived: 2026-04-05 15:49:07 UTC\r\nThe master decryption keys for the Maze, Egregor, and Sekhmet ransomware operations were released last night on the\r\nBleepingComputer forums by the alleged malware developer.\r\nThe Maze ransomware began operating in May 2019 and quickly rose to fame as they were responsible for the use of data\r\ntheft and double-extortion tactics now used by many ransomware operations.\r\nAfter Maze announced its shutdown in October 2020, they rebranded in September as Egregor, who later disappeared\r\nafter members were arrested in Ukraine.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nThe Sekhmet operation was somewhat of an outlier as it launched in March 2020, while Maze was still active.\r\nMaster decryption keys released\r\nFast forward 14 months later, and the decryption keys for these operations have now been leaked in the\r\nBleepingComputer forums by a user named 'Topleak' who claims to be the developer for all three operations.\r\nThe poster said that this was a planned leak and is not related to recent law enforcement operations that have led to\r\nthe seizing of servers and the arrests of ransomware affiliates.\r\n\"Since it will raise too much clues and most of them will be false, it is necessary to emphasize that it is planned leak, and\r\nhave no any connections to recent arrests and takedowns,\" explained the alleged ransomware developer.\r\nThey further stated that none of their team members will ever return to ransomware and that they destroyed all of the source\r\ncode for their ransomware.\r\nForum post leaking Maze, Egregor, and Sekhmet decryption keys\r\nSource: BleepingComputer\r\nThe post includes a download link for a 7zip file with four archives containing the Maze, Egregor, and Sekhmet decryption\r\nkeys, and the source code for a 'M0yv' malware used by the ransomware gang.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/\r\nPage 3 of 6\n\nArchive containing the leaked decryption keys\r\nSource: BleepingComputer\r\nEach of these archives contains the public master encryption key and the private master decryption key associated with a\r\nspecific \"advert\", or affiliate of the ransomware operation.\r\nIn total, the following are the number of RSA-2048 master decryption keys released per ransomware operation:\r\nMaze: 9 master decryption keys for the original malware that targeted non-corporate users.\r\nMaze: 30 master decryption keys.\r\nEgregor: 19 master decryption keys.\r\nSekhmet: 1 master decryption key.\r\nEmsisoft's Michael Gillespie and Fabian Wosar has reviewed the decryption keys and confirmed to BleepingComputer that\r\nthey are legitimate and can be used to decrypt files encrypted by the three ransomware families.\r\nGillespie told us that the keys are used to decrypt a victim's encrypted keys that are embedded in a ransom note.\r\nEncrypted key in Maze ransom note\r\nSource: BleepingComputer\r\nEmsisoft has released a decryptor to allow any Maze, Egregor, and Sekhmet victims who have been waiting to recover their\r\nfiles for free.\r\nEmsisoft decryptor for Maze, Egregor, and Sekhmet\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/\r\nPage 4 of 6\n\nTo use the decryptor, victims will need ransom note created during the attack as it contains the encrypted decryption key.\r\nBonus M0yv malware source code\r\nThe archive also includes the source code for the M0yv 'modular x86/x64 file infector' developed by the Maze ransomware\r\noperation and used previously in attacks.\r\n\"Also there is a little bit harmless source code of polymorphic x86/x64 modular EPO file infector m0yv detected in the wild\r\nas Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no single thing in common with\r\ngazavat,\" the ransomware developer said in the forum post.\r\n\"M0yv source is a bonus, because there was no any major source code of resident software for years now, so here we go,\"\r\nthe developer later explained.\r\nThis source code come in the form of a Microsoft Visual Studio project and includes some already compiled DLLs.\r\nSource code snippet for the M0yv malware\r\nSource: BleepingComputer\r\nThe todo.txt file indicates the source code for this malware was last updated on January 19th, 2022.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/\r\nPage 5 of 6\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/"
	],
	"report_names": [
		"ransomware-dev-releases-egregor-maze-master-decryption-keys"
	],
	"threat_actors": [],
	"ts_created_at": 1775434606,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ffa3de1703074bea798458b7d6a52a4fb1bb25b.pdf",
		"text": "https://archive.orkl.eu/3ffa3de1703074bea798458b7d6a52a4fb1bb25b.txt",
		"img": "https://archive.orkl.eu/3ffa3de1703074bea798458b7d6a52a4fb1bb25b.jpg"
	}
}