Sekhmet ransomware Analysis

Cyber Protect Cloud

Sekhmet ransomware, which first appeared in March 2020, has already disclosed the stolen data from at least six victims to date. One recent known attack that occurred on 20 June 2020 targeted SilPac, a gas handling solutions company based in Santa Clara, California.

Sekhmet ransomware adopts the Maze ransomware family’s encryption scheme

Sekhmet ransomware, which first appeared in March 2020, has already disclosed the stolen data from at least six victims to date. One recent known attack that occurred on 20 June 2020 targeted SilPac, a gas handling solutions company based in Santa Clara, California. Some of the company’s data was exfiltrated and published on Sekhmet's data leak site. The ransomware encrypts target files with the ChaCha20 symmetric encryption algorithm, making it similar to the Maze (previously known as “ChaCha ransomware”) and SunCrypt ransomware variants that are members of the Maze ransomware cartel.

Summary of Sekhmet

  • Discovered in March 2020.
  • Distributed as DLL and MSI executable files.
  • Steals files during execution to publish them on a data leak site if a victim refuses to pay.
  • The latest attacked organization is SilPac, a gas handling solutions company based in Santa Clara, California.
  • Uses ChaCha20 and RSA-2048 encryption algorithms.

Distribution of Sekhmet ransomware

Phishing emails are believed to be the likeliest attack vector to get initial access to the compromised machine, for example, via RDP exploits. After that, the attackers establish persistence and perform second-stage reconnaissance to identify valuable assets. Mimikatz and ProcDump tools may be used to find new credentials to proliferate the attack within the local network, using PsExec and WMI living-off-the-land tools to deliver a ransomware payload in the form of a DLL or MSI package for Windows to the intended targets.

DLL Overview

Sekhmet ransomware comes in two variants: an installer with the .msi extension and a dynamic linking library with .dll extension. The following is a description of the activity of the DLL ransomware used in the SilPac attack, though the functionality of MSI package is similar.

Except for the DLL entry point, the export directory comprises DllInstall, DllRegisterServer and DllUnregisterServer. These functions notify the system that the DLL can be installed, registered and unregistered by the way it performs using RegSvr32.exe with additional parameters as /u /n /i /s. It also can be launched with rundll32.exe.

Overall, Sekhmet contains four exported functions: DllInstall, DllRegisterServer, and DllUnregisterServer. By default, the DllRegisterServer() DLL handler is executed. It then calls DLLInstall , which is responsible for handling installation of the DLL. The function jumps inside another call that contains only conditional jumps without any other instructions, making it an endless loop. Thus, the DllInstall is just junk code that plays no role in ransomware activity. This is done to obfuscate the code and deceive API monitors used by anti-malware sandboxes.

The same implementation is for DllUnregisterServer, where it makes an infinite loop. This is another obfuscation technique to impede dynamic analysis of the ransomware payload by anti-malware measures.

The cryptolocker’s payload is executed in the DllRegisterServer export function.

Obfuscation techniques

Sekhmet hardens code analysis by creating a series of massive jump constructions which is called control flow obfuscation that includes:

  1. Conditional jumps redirect to the same location.
  2. Push and ret instruction are followed together.

The following code snippet from the DllRegisterServer() export function highlights the numerous junk jumps:

The following is an example of the first technique, in which two conditional jumps target the same location. If the first jump is taken, the code continues execution at 1006c25; otherwise the second jump is taken (as it is opposite to the first jump), so code continues execution at 1006c25, which can be replaced by a single absolute jump.

The second technique pushes the procedure address onto the stack, then retrieves it from the stack, then passes execution to the procedure using ‘retn’ instruction, which can be also replaced by a single absolute jump.

DllRegisterServer analysis

DllRegisterServer export function starts with decrypting the block of data which is 194,560 bytes in  size.

First, the data is Base64 decoded using CryptStringToBinaryA().

Next, Sekhmet prepares matrices that are XORed with the decoded Base64 output. The matrices are supposed to be created with the ChaCha20 encryption algorithm using the following initial matrix:

Except for ROTL (rotate left) operations used in ChaCha20, Sekhmet performs other manipulations like ROTR (rotate right) with different values to differentiate matrix blocks in eight rounds. After these procedures, the data block is totally decrypted and becomes another DLL to be allocated in memory and run inside the Sekhmet process. This technique is called Reflective DLL Loading.

MD5: 8803C4C229BD8F59720733AA57323DCB

SHA256: 8eec328dcce719a1820c3b4422f2d4053599954bb58408c693688650873bd445

The next step is gathering info about the victim’s computer to be added to the ransom note later. It collects the computer name, user name, domain data, OS version and edition, available logical drives, free space, and volume information.

After gathering this info, Sekhmet connects to ‘root\SecurityCenter2’ and ‘root\cimv2’ via WMI to delete any shadow copies and retrieve information about any antivirus measures installed on the machine, using the following SQL requests:

  • Select * from Win32_ShadowCopy
  • Select * from AntivirusProduct

Before starting encryption, Sekhmet terminates processes related to monitoring and data processing, including:

Sekhmet command and control communication

Sekhmet connects to one of the following IP addresses in order to exfiltrate user data:

After establishing the connection, the ransomware makes a POST request with the path /update.php?id=<USER_ID> and sends the encrypted user data.

The subnet to which these IP addresses belong is located either in Stockholm, Sweden or Riga, Latvia, according to various geolocation databases.

Sekhmet encryption

The encryption starts by importing the master public RSA-2048 key using the CryptImportKey() function.

Then Sekhmet generates two arrays of 32 bytes and 8 bytes using CryptGenRandom().

Sekhmet then uses the ChaCha20 encryption algorithm to encrypt files. The first array is the key itself; the second one is nonce.

During the encryption process, the ransomware avoids encrypting any folders and files having the following strings in their names and extensions:

Sekhmet uses the master public RSA-2048 key to encrypt the keys and nonce used by the ChaCha20 algorithm and appends the results to the footer of every encrypted file.

Sekhmet then uses GetTickCount() function to mark the files and construct a unique file extension. The value generated by the function is passed to the next piece of code and added as extra 2 bytes in the footer after the encrypted ChaCha20 key and nonce (as highlighted by the red rectangle).

The ransomware then XORes the value above with ‘0xDEADBABE’ and puts the ciphertext at the end of the file. Once the encryption is complete, the encrypted files look like the following:

Sekhmet leaves the ransom note ‘RECOVERY-FILES.txt’ in every folder with the following content:


| Attention! |


Your company network has been hacked and breached. We downloaded confidential and private data.

In case of not contacting us in 3 business days this data will be published on a special website available for public view.

Also we had executed a special software that turned files, databases and other important data in your network into an encrypted state using RSA-2048 and ChaCha algorithms.

A special key is required to decrypt and restore these files. Only we have this key and only we can give it to you with a reliable decryption software.


| How to contact us and be safe again |


The only method to restore your files and be safe from data leakage is to purchase a private key which is unique for you and securely stored on our servers.

After the payment we provide you with decryption software that will decrypt all your files, also we remove the downloaded data from your network and never post any information about you.

There are 2 ways to directly contact us:

1) Using hidden TOR network:


   a) Download a special TOR browser:

   b) Install the TOR browser

   c) Open our website in the TOR browser: http://o3n4bhhtybbtwqqs.onion/72A5A1A46B6054FF

   d) Follow the instructions on this page.

2) If you have any problems connecting or using TOR network


   a) Open our website:

   b) Follow the instructions on this page

On this web site, you will get instructions on how to make a free decryption test and how to pay.

Also it has a live chat with our operators and support team.


|Questions and answers|


We understand you may have questions, so we provide here answers to the frequently asked questions.


Q: What about decryption guarantees?

A: You have a FREE opportunity to test a service by instantly decrypting for free 3 files from every system in your network.

If you have any problems our friendly support team is always here to assist you in a live chat.



Q: How can we be sure that after the payment data is removed and not published or used in any nefarious ways?

A: We can assure you, downloaded data will be securely removed using DoD 5220.22-M wiping standart.

We are not interested in keeping this data as we do not gain any profit from it. This data is used only to leverage you to make a payment and nothing more.

On the market the data itself are relatively useless and cheap.

Also we perfectly understand that using or publishing this data after the payment will compromise our reliable business operations and we are not interested in it.



Q: How did you get into the network?

A: Detailed report on how we did it and how to fix your vulnerabilities can be provided by request after the payment.



This is techinal information we need to identify you correctly and give decryption key to you, do not redact!




The ransom note contains the Tor link http://o3n4bhhtybbtwqqs.onion/<USER_ID> and the public Internet link{USER_ID}, where USER_ID is the system drive’s volume identifier.

Decryption service for Sekhmet

When the victim follows the TOR link, he is prompted to upload the file ‘RECOVERY-FILES.txt’.

After uploading the ransom note, a victim is provided with several pieces of information to help them proceed with paying the ransom and gain confidence that the decryption keys they get in return will work:

  • Use the provided chat link to communicate with Sekhmet operators, where they can negotiate the price to recover their files.
  • List of sites where to buy a Bitcoin.
  • Trial decryption of 3 image files.

Sekhmet provides more than 20 official links where a victim can buy Bitcoins but does not yet disclose the names of the BTC wallets to which the ransom payment is to be transferred.

To gain confidence that the key to be provided in return for the ransom payment will actually work to decrypt their data, the victim is provided the keys to any three files (only bmp, jmp, gif and png files are allowed.)

Detection of Sekhmet by Acronis

Acronis Cyber Protection successfully blocks Sekhmet using a behavior blocking engine to detect anomalous file modification and tracing the file modification requests of the ransomware via IRPs. Any encrypted files can be recovered immediately from cache by the anti-ransomware module without having to pay any ransom.


Sekhmet ransomware is relatively uncommon among with Maze cartel variants, with only six known victims who refused to pay a ransom to date. Its encryption scheme shows strong similarities to the one used by the Maze and SunCrypt ransomware variants used by the Maze cybercriminal cartel.


MD5: b7ad5f7ec71dc812b4771950671b192a

SHA256: 0a739f4ec3d096010d0cd9fc0c0631f0b080cc2aad1f720fd1883737b6a6a952

MD5 (dropped): 8803C4C229BD8F59720733AA57323DCB

SHA256 (dropped): 8eec328dcce719a1820c3b4422f2d4053599954bb58408c693688650873bd445



More from Acronis