Maze, Egregor and Sekhmet: response and recovery actions

Posted date 03/08/2023
Autor
INCIBE (INCIBE)
Decorative image with skull and red background

Maze, Egregor and Sekhmet are among the most prolific ransomware. Despite being the same ransomware, they are sometimes referred to by their individual name. Specifically, the Maze and Egregor variants rank second and third respectively, in terms of the total number of victims affected, only behind Conti, which illustrates their wide reach and the effectiveness of their attacks.

Maze was first spotted by a Malwarebytes analyst in May 2019 and quickly gained notoriety for being the first to adopt a double-extortion business model. This tactic involved not only encrypting user data and demanding a ransom for its unlocking, but also threatening to publish private information if the ransom payment was not met. In addition, Maze also stood out for its complexity to structure, since it incorporated multiple anti-detection mechanisms to circumvent the efforts of security solutions.

Following the announcement of Maze's closure in October 2020, it was renamed Egregor, which subsequently disappeared following the arrest of its members in Ukraine, while Operation Sekhmet was launched in March 2020. All of them share many features and similarities, such as the ransom note, the encryption process, or the domain names. In February 2021, the decryption keys for all variants were made public.

Characteristics

Below are the characteristics of this malware, taking Maze as a reference for analysis, although all three work very similarly.

Motivation 
Maze/Egregor/Sekhmet followed a RaaS (Ransomware as a Service) business model, through which cybercriminals could subscribe to use it in their own attacks, which favored its expansion and impact. In addition, its creators established an organizational structure on two levels, with a first group in charge of infiltrating the target network, and a second group that deployed the ransomware in the internal network. The benefits obtained from the rescue were distributed among all participants.

Designed to infiltrate Windows systems, it encrypted user data and demanded a ransom for unlocking, usually in cryptocurrencies, such as bitcoin. A peculiar feature of this ransomware is that, during the infection process, the language configuration of the system was verified, aborting the attack if the system was in Russian or another language of some country of the Commonwealth of Independent States (CIS), probably to avoid conflicts with the local authorities of those countries, where it is suspected that many of these groups of attackers were located.

After a successful attack, the malware operators  extorted their victim with revealing the information if the ransom was not paid within a maximum period of three days, even selling the data obtained to other cybercriminals, if interested buyers appeared.

Imagen de países infectados por Maze 
- Countries infected by Maze - Source -

Infection and spread 
The tactics employed by Maze/Egregor/Sekhmet for infection and spread are similar to those of many other ransomwares. Prior to the attack, they needed to obtain system privileges through conventional methods, such as using brute force on Remote Desktop (RDP) connections, exploiting software vulnerabilities, and phishing techniques. These privileges were used to deploy the ransomware on as many systems as possible. Once it was inside the network, it was deployed manually. This deployment was usually done with the support of specialized tools such as Cobalt Strike or malware services such as QakBot or ProLock, which were useful for propagation to other systems.

Detection evasion and recovery

  • Using a loader for obfuscation: The malware operated in two stages and ran through a DLL with rundll32. The first phase protected access to the malicious code through a password that was supplied by the command line. This password was used to activate the second phase and decrypt the ransomware, which was contained in a different DLL. It also contained the essential components responsible for launching the encryption process, the ransom message, and the 2048-bit RSA public keys, which were embedded directly in the ransomware's code.

Contraseña proporcionada como argumento para desempaquetar el ransomware Maze 
- Password Provided as Argument to Unpack Maze Ransomware - Source -

  • Process shutdown on target files: The binary included a blacklist of processes and services that needed to be stopped, as they stopped the ransomware during its execution, thus ensuring that the target files were not opened and blocked by other processes. Depending on the malware strain, they used a custom hashing function with the  name of all the processes running on the system and compared them with the built-in hash list, thus avoiding suspicious strings in the binary and easy detection.

    Imagen de Verificación del proceso en ejecución de Maze con función hash personalizada 
    - Verifying the Maze Running Process with Custom Hash - Source -

  • Static scan detection: The isDebuggerPresent function was used to detect if malware was being analyzed, which caused the ransomware to execute an infinite loop and not perform malicious operations.
  • Dynamic analysis circumvention: A technique consisting of a memory patch of DbgUIRemoteBreakin, a function that is used by analyzers when connected to a process, was employed. After allowing write access to the address of that function with VirtualProtect, the malware modified the first byte pointed by that address with the value "0x3C", which corresponds to the "ret" operation. This means that every time a scanner tries to connect to the malware process, it would execute the "ret" instruction and exit automatically.

Encryption 
Two algorithms were employed during the encryption phase and used a combination of several encryption processes to protect all keys. For each file that it encrypts, a unique ChaCha8 key (a stream-symmetric encryption algorithm, which uses 256-bit keys) and a nonce (a unique value used for each encryption session, ensuring that the same file is not encrypted in the same way if it is encrypted more than once) are generated.

These ChaCha8 keys  and the nonces (initialization vectors) are then encrypted with a 2048-bit RSA public key, which was generated along with its private counterpart at the start of execution. An RSA key encoded in the ransomware's settings is then used to encrypt this RSA key pair, before saving them to the local disk path: %ProgramData%\dtb.dat. Depending on the incident analyzed, the result of this process could also be found in the ransom notes.

Therefore, only the operators of the ransomware possessed the private key that could decrypt the session key used to decrypt the ChaCha8 keys that encrypted each file. This chain of encryption made it extremely difficult, if not impossible, for anyone else to decrypt the files, without the corresponding private key.

Response and disinfection

Since the decryption keys of Maze, Egregor and Sekhmet were made public, several manufacturers, such as Emsisoft or Kaspersky, created automatic tools to facilitate the recovery of files encrypted by any of these variants, which are available on the NoMoreRansom project page.

It is important to note that the decryption process is not guaranteed, as they may not be compatible with the malware variant used.

The decryption process using one of these tools is described below, namely Emsisoft's, which works for all three variants:

  • First of all, the ransom note of the ransomware must be loaded into the tool. Through it, the software will identify the necessary private key and display an error message in case the version is not supported.

Imagen Opciones de la herramienta de Emsisoft 
- Emsisoft tool options. Source -

Imagen de Mensaje de error de la herramienta si no es capaz de encontrar la clave privada de RSA

- Error message from the tool if it is unable to find the RSA private key -

  • If no problem arises, a window is displayed showing the key found:

    Imagen de Comprobación de la nota de rescate

    - Checking the ransom note. Source -

  • After this step, the tool allows you to search for encrypted files in multiple paths. By default, it shows the main storages, although it allows you to customize the list and add specific folders before starting the process.
  • During execution, a log is displayed detailing the progress of file recovery. At the end of the process, the files should already be available. Additionally, a detailed report of the decryption process can be saved using the "save log" button, which can be used to share it with researchers or store it as evidence of the process.

Imagen de Finalización exitosa del proceso de descifrado 
- Successful completion of the decryption process. Source -

Conclusions

The case of Maze/Egregor/Sekhmet illustrates the constant evolution and adaptation of ransomware threats that, despite their disappearance, their legacy can endure and serve as a basis for new ransomware, underlining the importance of constant maintenance and security updates, as well as proactive prevention strategies. Cybersecurity cannot be a secondary consideration, as threats continue to evolve and adapt to exploit existing vulnerabilities in an organization's defenses. Even with the availability of decryption tools, the emphasis must remain on prevention.

Etiquetas