BLOG: What is Maze Ransomware?

Maze ransomware is a complex strain of Windows ransomware, this strain targets organisations worldwide across many industries. Commonly seen in other forms of ransomware, Maze demands a cryptocurrency payment in exchange for the safe retrieval and recovery of stolen and encrypted data. Maze was initially discovered in May 2019, Maze was developed as a variant of “ChaCha” ransomware.

The end of 2019 was a turning point for Maze as they began their targeting of numerous industries. Maze is typically dispersed through spam emails by using malicious links or attachments (mostly Word or Excel files), RDP brute force attacks which are attacks that use ‘trial-and-error’ to guess login details, encryption keys, or find a hidden web page. These attacks are performed through the use of excessive forceful attempts to try and gain access into accounts and using exploit kits that were established in order to routinely and silently exploit vulnerabilities on victims’ machines while browsing the web.

Maze is a combination of a ransomware attack and a data breach. Once Maze gains access to a network, the operators then try to get elevated privileges so that they can implement file encryption across all drives. Maze is dangerous because it also steals data and exfiltrates it to servers dominated by malicious hackers who then threaten to release it if a ransom is not paid. Organisations with a secure backup may be able to restore their data and resume regular scheduling (if the backup itself has not been compromised, click here to read more about this in our ransomware handbook), but that does not take away from the issue that cybercriminals now have a copy of the organisation’s data. Maze creators operate a website where they list their victims (whom they refer to as “clients”). They use the website to frequently publish samples of stolen data as a form of punishment. The website includes details of when organisations and individuals were victims of attacks by Maze ransomware as well as links to downloads of stolen data and documents as “proof”. Daringly, the website features the paradoxical slogan “Keeping the world safe” and includes social sharing buttons so details of data breaches can be shared via social media.

The Maze ransomware website warns victims that, if the ransom is not paid, they will release public details of security breaches and inform the media, sell stolen information with commercial value on the dark web, Inform any relevant stock exchanges about the hack and loss of sensitive information to drive down the company’s share price and use stolen information to attack clients and partners as well as inform them that the company was hacked

Last year saw the criminals behind Maze teamed up with two other cybercriminal groups, LockBit and RagnarLocker. The cybercriminals merged their effort creating a ‘cartel’ of independent and competing ransomware operations, they shared intelligence with the goal of driving successful extortions and the data that was stolen by these groups was published on the Maze website. Following this collaboration, Maze used execution techniques that were previously only used by RagnarLocker.

Last year saw the criminals behind Maze teamed up with two other cybercriminal groups, LockBit and RagnarLocker. The cybercriminals merged their effort creating a ‘cartel’ of independent and competing ransomware operations, they shared intelligence intending to drive successful extortions and the data that was stolen by these groups was published on the Maze website. Following this collaboration, Maze used execution techniques that were previously only used by RagnarLocker.

In late 2020, the Maze ransomware group announced it was shutting down and stated they would no longer be updating their website and that victims who wanted their data removed could contact their “support chat”. The group alleged that they began attacks in order to “raise awareness of cybersecurity” alongside confusingly claiming that the group had never really existed outside the heads of journalists who wrote about it.

Despite claiming to have disbanded, in the past, many ransomware groups and operators have announced they are quitting but later re-emerged and rebranded through the use of teaming up with fellow ransomware groups or taking new aliases. Two new emerging ransomware strains ‘Egregor’ and ‘Sekhmet’ have been observed for their similarities to Maze and there is a strong indication that the group is simply pivoting to a new wave of cyber-attacks.