Maze ransomware is going out of the business

The Maze ransomware operators are shutting down their operations for more than one year the appeared on the threat landscape in May 2019.

The Maze cybercrime gang is shutting down its operations, it was considered one of the most prominent and active ransomware crew since it began operating in May 2019. The gang was the first to introduce a double-extortion model in the cybercrime landscape at the end of 2019.

At the end of 2019, the Maze ransomware implemented data harvesting capabilities and started threatening the victims to release the stolen data for all those victims who refuse to pay the ransom.

The operators behind the Maze ransomware set up a leak site, dubbed Maze News, where they were publishing the list of the companies that allegedly refused to pay the ransom.

The leak site contains for each victim the data related to the infection, including the date of the attack, some stolen documents (Office, text and PDF files), the size of stolen data, and the list of IP addresses and machine names of the infected servers.

The Maze News site was also and used to publish press releases for the activities of the group.

The double-extortion technique was later adopted by other ransomware gangs, including REvil, DoppelPaymer, Nefilim, and Clop.

The list of victims of the gang is long and includes the Steel sheet giant Hoa Sen Group, Southwire, Canon, LG Electronics, Xerox, and City of Pensacola. 

According to BleepingComputer, Maze had stopped encrypting new victims since September 2020 and is collecting the last ransom payments from victims.

This week, Maze has started to remove victims from their data leak site except for two organizations that already had all of their data published..

At the time it is not clear if Maze operators plan to release the keys to allow its victims to decrypt their files after they shut down the operations.

BleepingComputer speculates that Maze affiliates have switched to the Egregor operations, the gang that recently hit the game developer Crytek and leaked files allegedly stolen from the systems of the gaming firm Ubisoft.

“Egregor is believed to be the same underlying software as both Maze and Sekhmet as they utilize the same ransom notes, similar payment site naming, and share much of the same code.” states BleepingComputer.

“This was also confirmed by a ransomware threat actor who stated that Maze, Sekhmet, and Egregor were the same software.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Maze)

[adrotate banner=”5″]

[adrotate banner=”13″]