Sekhmet Double Extortion Ransomware

Sekhmet: Targeted Ransomware with Data Theft and Extortion Capabilities

Sekhmet is a sophisticated ransomware family that surfaced in early 2020, used in human-operated attacks against businesses and institutions. It encrypts files on compromised networks and demands a ransom payment in cryptocurrency, threatening to publish stolen data if the victim refuses to pay — a tactic known as double extortion. Sekhmet is believed to be operated by the same group behind the Maze and Egregor ransomware, sharing infrastructure, techniques, and codebase similarities.

The ransomware is named after Sekhmet, the ancient Egyptian goddess of war and retribution — reflecting the threat actors’ intention to intimidate and pressure victims into compliance.

Introduction to Sekhmet

Like its related strains, Sekhmet is deployed after initial access is gained through phishing, remote desktop exploitation, or compromised credentials. Operators move laterally through the network, exfiltrate data, and deploy the ransomware payload manually to maximize damage. The group behind Sekhmet maintains a data leak site, where they publish stolen files from non-compliant victims, adding pressure to pay.

---

1. How Sekhmet Works

Infection Mechanism:
Sekhmet isn’t distributed automatically like a worm — it’s used in targeted attacks. Entry points include:

• Phishing emails with malicious attachments
• Exploited remote services, like RDP or VPNs
• Credential theft through stealer malware or brute-force attacks

Payload Execution:
Once inside the target environment, attackers:

• Perform network reconnaissance and privilege escalation
• Use tools like Cobalt Strike, Mimikatz, and PowerShell
• Exfiltrate sensitive files to a remote server
• Deploy Sekhmet ransomware across endpoints and servers
• Encrypted files are renamed with a .sekhmet extension, and a ransom note is dropped in each directory

The note provides contact info and threats to leak stolen data if payment is not made.

---

2. History and Notable Campaigns

Origin and Discovery:
Sekhmet was first observed in the wild in March 2020, and researchers quickly noted similarities with Maze and Egregor ransomware families.

Notable Campaigns:

• Attacks have targeted enterprises in healthcare, manufacturing, and tech
• The Sekhmet group published data leaks on a dedicated dark web site
• After Maze operations shut down in late 2020, the threat actors appeared to shift focus to Egregor, which also resembles Sekhmet in behavior and code

---

3. Targets and Impact

Targeted Victims and Sectors:
Sekhmet attacks have affected:

• Medium to large businesses, especially in the U.S. and Europe
• Industries like healthcare, legal services, logistics, and manufacturing
• Environments with poor segmentation or weak remote access controls

Consequences:

• Data encryption, halting business operations
• Data theft and publication threats
• Reputation damage and potential regulatory fines for data exposure
• Long recovery times and expensive ransom payments

---

4. Technical Details

Payload Capabilities:

• Encrypts files using strong RSA-2048 + ChaCha20 encryption
• Deletes shadow copies and backups to prevent recovery
• Drops a ransom note (RECOVER-FILES.txt) with payment instructions
• Collects system metadata and sends it to the C2 server
• Can be configured with custom ransom demands per victim

Evasion Techniques:

• Uses legitimate admin tools (living off the land) to avoid detection
• Disables Windows Defender and other endpoint protection tools
• Deploys at off-hours to delay detection
• Often encrypted and packed to evade static analysis

---

5. Preventing Sekhmet Infections

Best Practices:

• Enforce multi-factor authentication on all remote access tools
• Disable RDP when not needed, or restrict to VPN-only access
• Keep systems patched, especially VPNs, firewalls, and email gateways
• Use least privilege principles and monitor for lateral movement
• Regularly back up systems and store backups offline

Recommended Security Tools:

• EDR platforms (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint)
• SIEM tools for early detection of lateral movement and privilege escalation
• Network segmentation and access control
• Email filtering solutions to block phishing payloads

---

6. Detecting and Removing Sekhmet

Indicators of Compromise (IoCs):

• .sekhmet file extensions or presence of ransom notes
• Sudden deletion of shadow copies or backup tools disabled
• Unusual PowerShell or Cobalt Strike activity
• Outbound connections to Tor hidden services or known leak domains
• File encryption events in logs with no user action

Removal Steps:

1. Immediately isolate infected systems from the network
2. Power down critical systems to halt propagation
3. Engage incident response teams to investigate scope and impact
4. Restore clean systems from offline backups
5. Rotate all credentials, especially for privileged accounts

Professional Help:
Due to the complexity and data exposure risk, Sekhmet attacks require a professional incident response team, and in many cases, legal counsel and data breach compliance experts.

---

7. Response to a Sekhmet Infection

Immediate Steps:

• Disconnect from the internet and isolate affected systems
• Preserve logs and encrypted files for forensic analysis
• Notify relevant authorities and compliance officers
• Begin secure communication with affected stakeholders
• Prepare for potential public data leaks if ransom is not paid

---

8. Legal and Ethical Implications

Legal Considerations:

• Sekhmet often steals and publishes sensitive data, potentially triggering data breach disclosure laws (e.g., GDPR, HIPAA)
• Organizations that pay ransoms may face legal or reputational consequences
• Ransomware response may require law enforcement notification depending on jurisdiction

Ethical Considerations:
Sekhmet’s use of double extortion creates an ethical dilemma: pay to protect victims’ privacy, or refuse and risk data exposure. It also raises questions about the responsibility of companies in securing personal and proprietary data.

---

9. Resources and References

• Acronis: Sekhmet Ransomware Analysis
• Malwarebytes Lab: Ransom.Sekhmet Family of Ransomware
• Trend Micro Threat Encyclopedia: Ransom.Win32.SEKHMET.A
• CERT advisories on ransomware best practices
• MITRE ATT&CK Techniques:
  • T1486 (Data Encrypted for Impact)
  • T1078 (Valid Accounts)
  • T1047 (Windows Management Instrumentation)
  • T1562 (Impair Defenses)

---

10. FAQs about Sekhmet

Q: What is Sekhmet ransomware?
A targeted ransomware strain used to encrypt files and extort businesses, often with threats to leak stolen data.

Q: How does Sekhmet spread?
Through phishing, exposed RDP, or stolen credentials, often as part of human-operated campaigns.

Q: Does Sekhmet steal data?
Yes — it exfiltrates data before encryption and threatens to leak it if payment isn’t made.

Q: Can it be decrypted?
No known public decryption tools exist. Recovery depends on backups or paying the ransom (not recommended).

---

11. Conclusion

Sekhmet is a high-risk ransomware threat tied to some of the most organized and aggressive cybercriminal groups. Its blend of encryption, data theft, and public shaming makes it dangerous not just to IT infrastructure, but to an organization’s brand and trust. Combating Sekhmet requires not just detection tools, but strong preparation, segmentation, and a rapid response plan.

 

 

« Back to the Virus Information Library

« Back to the Security Center