Skip to main content

A new ransomware is about to fill the void left behind by Maze

ransomware
(Image credit: Image Credit: WK1003Mike / Shutterstock )

The operators of Maze, a popular ransomware that compromised a number of high-profile companies such as Canon and Xerox, have announced they will disband.

However, according to a ZDNet report, ransomware operators are queueing up to become the successor to the throne. The most likely candidate appears to be a ransomware called Egregor, which is allegedly a a spin-off of Ransom.Sekhmet.

Analysts claim Egregor has been active for almost two months now, and was allegedly behind recent attacks on GEFCO and Barns & Noble.

Egregor operates under a Ransomware-as-a-Service model, which allows cybercriminals to use the service on a subscription basis. Any ransom earned via an attack is split between the operator and the group responsible for the attack.

In one ransom note sample, the victims are told to establish contact over Tor or a dedicated website and organize the payment of the ransom. As usual with modern ransomware, if a victim decides not to pay the ransom, they can expect the data to be leaked online.

"In one of the execution stages, the Egregor payload can only be decrypted if the correct key is provided in the process' command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn't provided," the researchers noted.