Many have speculated about a connection between Maze and Egregor ransomwares, but cybersecurity experts have stopped short of firmly connecting the two.
When Maze announced that it was shutting down its ransomware operation at the beginning of the month, the ransomware gang went out with an ostentatious announcement on its leak site, promising it will be back “when the world will be transformed.”
But there is speculation that Maze operators already moved to a new type of ransomware called Egregor. The apparent spinoff of Sekhmet ransomware was discovered in September and first revealed by security vendor Appgate; some researchers have noted Egregor shares similar techniques and technical aspects to Maze.
Besides using the same data theft and public shaming methods that Maze pioneered, new research by Kaspersky Lab noted similarities between the two ransomware types. “The obfuscation techniques used in Egregor strongly resemble those in Maze and Sekhmet: the code is ‘torn apart’ by control flow obfuscation using conditional and unconditional jumps, PUSH+JMP instead of RETN, and so on,” wrote Dmitry Bestuzhev, director of Kaspersky’s global research and analysis, and Fedor Sinitsyn, security researcher at Kaspersky.
With these similarities, plus the timing of when Egregor appeared, cybersecurity professionals began to theorize that Egregor could either be a new operation from Maze affiliates or, more aggressively, a potential rebrand of Maze.
Peter Mackenzie, incident response manager at Sophos Rapid Response, previously told SearchSecurity that as Maze attacks decline, Egregor attacks increase. While the timing could be a coincidence, he said, the similar tools, techniques and procedures lend weight to the theory that the same threat actors are involved.
Emsisoft threat analyst Brett Callow also said the theory is credible. He said it’s possible that Egregor threat actors are either Maze operators or affiliates who used Maze code.
“Maze had developed a reputation for being unreliable/unpredictable. They may well have felt the time had come for a rebrand,” Callow wrote in an email.
That said, as of this writing, there is no conclusive evidence that Egregor is in fact an explicit rebrand or even a successor. As Appgate security researcher Felipe Duarte Domingues explained, “At this point, there is no hard link connecting those two families. Neither of their public ‘wall-of-shame’ websites share common information, like targets. Also, the Maze website is very clear regarding the group not having any affiliation or official successor.”
However, Domingues added, “as Maze operations are being shut down, some of the operators and developers might seek to move to other cybercrime groups such as the one operating Egregor, so we need to be alert in the upcoming months about new strains of known malware, such as Egregor, sharing some techniques and exploits as Maze.”
Adam Kujawa, a director of Malwarebytes Labs, told SearchSecurity that regardless of Egregor’s connection, Maze’s influence guarantees a future of Maze-like attacks.
“There’s been speculation that Egregor ransomware, which emerged in September, may be from the Maze gang. Egregor is supposed to be built from the same ransomware source as Maze and they share some features. When GandCrab went down and REvil went up, there was a little overlap and I believe those ransom families are run by the same group. Egregor hasn’t made a huge splash yet, but now that Maze has ‘officially’ shut down, we might start to see heavy activity from that group, if they are indeed related,” Kujawa said in an email. “Either way, lessons learned by the Maze group, and the influence they have had on other ransom families (like LockBit) will guarantee more dangerous attacks.”