Garden maze
© ardiwebs/

The notorious Maze ransomware group claims to be shutting down operations in an announcement published on their website. The group is one of the most active data stealing ransomware groups. Yet the group claims they did not setup operations to extort businesses for financial gain. Rather to highlight the lax security measures utilized by their victims.

Maze Ransomware’s History

Maze began operations in May 2019 as yet another ransomware group infecting victims with file-encrypting malware. However, Maze became infamous towards the end of the same year for being the first ransomware group to exfiltrate data. The group was the first to steal victims’ data before encrypting it and then leaking it online if they didn’t pay the ransom. Since then, many other ransomware groups have copied this double extortion technique, including REvil, Nemty, Ryuk and Clop.

Maze initially used spam campaigns to infect victims. However, later it started using known security vulnerabilities to specifically target well-known large organizations such as Chub Insurance. Maze is known for using vulnerabilities in VPNs and the Remote Desktop Protocol (RDP) to launch targeted attacks. According to research conducted by FireEye (now known as Mandiant), there have been more than 100 Maze victims in the past year alone. Furthermore, the group have targeted virtually every geographic region and industry sector.

Then in June 2020, the group went on to form a cartel with fellow ransomware groups LockBit, RagnarLocker and SunCrypt. Experts believe that the Maze ransomware group shared resources as well as attack techniques and expertise with cartel members. However, in an announcement written in broken English and published yesterday on their website, the group denied the cartel had ever existed. This is despite Maze having referred to themselves as a cartel in the past.

“We never had partners or official successors. Our specialists do not works with any other software. Nobody and never will be able to host new partners at our news website. The Maze cartel was never exists and is not existing now. It can be found only inside the heads of the journalists who wrote about it,” the group stated.

The Announcement

In September 2020 rumors started surfacing that the Maze ransomware group was shutting down operations. Not long after reports appeared stating that Maze had stopped encrypting new victims and were cleaning up their website. Data stolen by Maze was being removed from their website and was thus no longer available on the dark web.

Then yesterday’s announcement from the Maze ransomware group, dated 1 November, confirmed the rumors. “Maze Team Project is announcing it is officially closed. All the links to out project, using of our brand, our work methods should be considered to be a scam,” the announcement stated. Again, the grammar and spelling errors in the announcement clearly indicate that English is not the Maze operators’ mother tongue.

As part of the announcement, Maze claims they did not setup operations to extort businesses for financial gain. Maze asserts they attacked victims to “remind you about secure data storage.” And to highlight how “our world is sinking in the recklessness and indifference, in laziness and stupidity” when it comes to cybersecurity. “With all your recklessness, unawareness and stupidity you are pushing the world into it.”

Are They Truly Shutting Down?

Many experts doubt that the Maze ransomware group is really shutting down. “Obviously, Maze’s claims should be taken with a very, very small pinch of salt,” said Brett Callow, threat analyst at security firm Emsisoft. “It’s certainly possible that the group feels they have made enough money to be able to close shop and sail off into the sunset. However, it’s also possible — and probably more likely — that they’ve decided to rebrand.”

Most experts believe that Maze is probably just switching to the Egregor operations. This is because Egregor, Maze and Sekhmet are all believed to have been created from the same underlying software. Egregor also shares ransomware notes and payment site naming schemes with both Maze and Sekhmet. The Egregor ransomware group reportedly took responsibility for Barnes & Noble’s cyberattack a week or so after the attack’s disclosure.

According to Peter Mackenzie, Incident Response Manger at Sophos Rapid Response, this type of shutdown has been seen before with other malware groups. “In June 2019, the operators behind GandCrab announced their retirement and all its affiliates moved to REvil; now the Maze affiliates are apparently moving across to a new group, Egregor, which according to public reports has access to Maze tools and infrastructure”, explained Mackenzie to ITWire. Consequently, Mackenzie warns that organizations shouldn’t let their guard down. Organizations “need to stay focused not on who attacks them, but how – and to continue to bolster their defences against cyber threats of all kinds, regardless of where they come from.”

In fact, Maze seems to imply in their announcement that they will return. “We will be back to you when the world will be transformed. We will return to show you again the errors and mistakes and to get you out of the Maze,” the operators state.

Leave a comment