Skip to main content

Operator dossier

Maze is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 59 public victims claimed by this operator between October 21, 2019 and September 11, 2020. Maze ransomware group emerged in October 2019 as a financially motivated cybercriminal organization that pioneered the "double extortion" model, threatening to publicly leak stolen victim data if ransom demands were not met. The group is believed to have originated from Russia or Eastern Europe based on their operational patterns and was suspected of having connections to the earlier Chacha ransomware, operating as an independent group rather than a ransomware-as-a-service model. Maze operators primarily gained initial access through exploit kits, RDP brute force attacks, and spear-phishing campaigns, utilizing tools like Cobalt Strike for lateral movement and typically exfiltrating sensitive data before deploying their custom ransomware that used a combination of RSA and ChaCha20 encryption algorithms. The group became notorious for high-profile attacks against major organizations including Cognizant, Xerox, LG Electronics, and several healthcare systems during the COVID-19 pandemic, with ransom demands often reaching millions of dollars and their leak site regularly publishing stolen data from non-paying victims. Maze officially announced their retirement in November 2020, claiming they were ceasing operations and transferring some of their affiliates to other ransomware operations like Egregor.

Most-affected countries

Recent disclosures by Maze

All 59 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Maze

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

Maze

59 victims indexed · first seen 7 years ago · last activity 6 years ago

59
Victims indexed
#100 of 364 tracked operators
11m
Active period
Oct 2019 → Sep 2020
10
Countries hit
top United States · 40

At a glance

Status
inactive
First seen
7 years ago
Last activity
6 years ago
Onion sites
1 known endpoint
Primary sector
Critical Manufacturing · 15 hits

About

Maze ransomware group emerged in October 2019 as a financially motivated cybercriminal organization that pioneered the "double extortion" model, threatening to publicly leak stolen victim data if ransom demands were not met. The group is believed to have originated from Russia or Eastern Europe based on their operational patterns and was suspected of having connections to the earlier Chacha ransomware, operating as an independent group rather than a ransomware-as-a-service model. Maze operators primarily gained initial access through exploit kits, RDP brute force attacks, and spear-phishing campaigns, utilizing tools like Cobalt Strike for lateral movement and typically exfiltrating sensitive data before deploying their custom ransomware that used a combination of RSA and ChaCha20 encryption algorithms. The group became notorious for high-profile attacks against major organizations including Cognizant, Xerox, LG Electronics, and several healthcare systems during the COVID-19 pandemic, with ransom demands often reaching millions of dollars and their leak site regularly publishing stolen data from non-paying victims. Maze officially announced their retirement in November 2020, claiming they were ceasing operations and transferring some of their affiliates to other ransomware operations like Egregor.

References

112 links

External sources curated by the MISP threat-intel community.

Timeline

12 months
2019-10-01T00:00:00+00:00 · 12019-11-01T00:00:00+00:00 · 12019-12-01T00:00:00+00:00 · 62020-01-01T00:00:00+00:00 · 12020-02-01T00:00:00+00:00 · 32020-03-01T00:00:00+00:00 · 32020-04-01T00:00:00+00:00 · 72020-05-01T00:00:00+00:00 · 82020-06-01T00:00:00+00:00 · 212020-07-01T00:00:00+00:00 · 32020-08-01T00:00:00+00:00 · 22020-09-01T00:00:00+00:00 · 3
2019-10-01T00:00:00+00:002020-09-01T00:00:00+00:00

Top countries

🇺🇸 United States
40
🇬🇧 United Kingdom
2
🇦🇺 Australia
2
🇨🇦 Canada
2
🇦🇪 UAE
2
🇹🇭 Thailand
2
🇧🇷 Brazil
1
🇵🇷 Puerto Rico
1

Top sectors

Critical Manufacturing
15
Information Technology
10
Financial
7
Transportation Systems
5
Healthcare and Public Health
5
Education Facilities
3
Food and Agriculture
3
Energy
2

MITRE ATT&CK

14 techniques · 9 tactics

Tactics

Initial AccessExecutionPrivilege EscalationDefense EvasionCredential AccessLateral MovementCollectionExfiltrationImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1055Process Injection
  • T1548Abuse Elevation Control Mechanism
  • T1562Impair Defenses
  • T1027Obfuscated Files or Information
  • T1003OS Credential Dumping
  • T1021Remote Services
  • T1135Network Share Discovery
  • T1005Data from Local System
  • T1039Data from Network Shared Drive
  • T1041Exfiltration Over C2 Channel
  • T1486Data Encrypted for Impact

Detection · YARA rules

2 rules
  • Ransom_Maze

    YARA rule from ATR/Trellix: ransomware/Ransom_Maze.yar

    source: ATR/Trellix

  • Maze

    YARA rule from Yara-Rules Community: malware/RANSOM_Maze.yar

    source: Yara-Rules Community

Recent victims

Loading…

Onion infrastructure

1 known
  • http://xfr3txoorcyy7tikjgj5dk3rvo3vsrpyaxnclyohkbfp3h277ap4tiad.onion

Source

Updated 6 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Maze posts a victim.

Add Maze to your watchlist — Pro pings you within 5 minutes of any new Maze leak-site post, Telegram callout, or affiliate-rebrand inference.