{
	"id": "dd3c00d2-c485-478f-81fc-bd4795973226",
	"created_at": "2026-04-06T00:08:53.760402Z",
	"updated_at": "2026-04-10T13:11:41.207718Z",
	"deleted_at": null,
	"sha1_hash": "87f4f9bc8e2523a02e544e3dc094fee135109b4b",
	"title": "Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 214084,
	"plain_text": "Master decryption keys for Maze, Egregor, and Sekhmet\r\nransomware leaked\r\nBy Pierluigi Paganini\r\nPublished: 2022-02-09 · Archived: 2026-04-05 16:27:09 UTC\r\n Pierluigi Paganini February 09, 2022\r\nThe master decryption keys for the Maze, Egregor, and Sekhmet ransomware\r\noperations were released last night on the BleepingComputer forums.\r\nThe master decryption keys for the Maze, Egregor, and Sekhmet ransomware families were released on the\r\nBleepingComputer forums by the alleged malware developer.\r\nThe Maze group was considered one of the most prominent ransomware operations since it began operating in\r\nMay 2019. The gang was the first to introduce a double-extortion model in the cybercrime landscape at the end of\r\n2019. At the end of 2019, the Maze ransomware implemented data harvesting capabilities and started threatening\r\nthe victims to release the stolen data for all those victims who refuse to pay the ransom.\r\nIn November 2020, the Maze ransomware operators announced that they have officially shut down their\r\noperations and denied the creation of a cartel.\r\nMaze operation then rebranded in September as Egregor, but on February 2021 several members of the Egregor\r\ngroup were arrested in Ukraine.\r\nhttps://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html\r\nPage 1 of 2\n\nThe Sekhmet operation was launched in March 2020 and it has some similarities with the above ransomware\r\noperations.\r\nWhile TTP’s of Egregor operators are almost identical to that of ProLock, the analysis of Egregor ransomware\r\nsample obtained during an incident response conducted by Group-IB revealed that the executable code of Egregor\r\nis very similar to Sekhmet. The two strains share some core features, use similar obfuscation technique. Egregor\r\nsource code bears similarities with Maze ransomware as well.\r\nNow the decryption keys for these operations have now been leaked in the BleepingComputer forums. 
The keys\r\nwere shared by a user named ‘Topleak’ who claims to be the developer for all three operations.\r\n“Hello, It’s developer. It was decided to release keys to the public for Egregor, Maze, Sekhmet ransomware\r\nfamilies. also there is a little bit harmless source code of polymorphic x86/x64 modular EPO file infector m0yv\r\ndetected in the wild as Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no\r\nsingle thing in common with gazavat.” the user wrote on the forum.\r\n“Each archive with keys have corresponding keys inside the numeric folders which equal to advert id in the\r\nconfig. In the “OLD” folder of maze leak is keys for it’s old version with e-mail based. Consider to make\r\ndecryptor first for this one, because there were too many regular PC users for this version. Enjoy!”\r\nThe Topleak user pointed out that it is a planned leak and is not linked to recent arrests and takedowns conducted by\r\nlaw enforcement. The alleged ransomware developer added that none of the gang's members will ever return to\r\nransomware operations and that the source code of all tools ever made has been wiped out.\r\nIn one of the archives leaked by the user there is the source code for a malware dubbed ‘M0yv’ that was part of\r\nthe gang’s arsenal.\r\nThe popular malware researchers Michael Gillespie and Fabian Wosar confirmed to BleepingComputer that the\r\ndecryption keys are legitimate and allow files encrypted by the three ransomware families to be decrypted for free.\r\nEmsisoft has released a free decryption tool for the Maze, Egregor, and Sekhmet ransomware.\r\nSource: 
https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html"
	],
	"report_names": [
		"egregor-sekhmet-decryption-keys.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434133,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/87f4f9bc8e2523a02e544e3dc094fee135109b4b.pdf",
		"text": "https://archive.orkl.eu/87f4f9bc8e2523a02e544e3dc094fee135109b4b.txt",
		"img": "https://archive.orkl.eu/87f4f9bc8e2523a02e544e3dc094fee135109b4b.jpg"
	}
}