Not much is known about Sekhmet ransomware, but reports about this strain of ransomware started surfacing around May of this year. The ransomware follows the recent trend of exposing the stolen files if the ransom demand is not met.

As opposed to the information gathered online about the infection method of Sekhmet, we observed the threat actor use stolen domain admin credentials in order to log on to critical servers via Remote Desktop Protocol and execute the malware manually.

Minerva labs product prevented a live Sekhmet ransomware infection at our client’s server, using our Memory Injection Prevention, blocking the malwares in-memory code unpacking routine:

Update December 2020:

Recent report by Minerva Labs research team has identified this sample as Egregor ransomware instead of his closely related cousin, Sekhmet.