Inactive ransomware operator
← All groupsMaze
59 victims indexed · first seen 7 years ago · last activity 6 years ago
59
Victims indexed
#94 of 348 tracked operators
11m
Active period
Oct 2019 → Sep 2020
10
Countries hit
top United States · 40
At a glance
- Status
- inactive
- First seen
- 7 years ago
- Last activity
- 6 years ago
- Onion sites
- 1 known endpoint
- Primary sector
- Critical Manufacturing · 15 hits
About
Maze ransomware group emerged in October 2019 as a financially motivated cybercriminal organization that pioneered the "double extortion" model, threatening to publicly leak stolen victim data if ransom demands were not met. The group is believed to have originated from Russia or Eastern Europe based on their operational patterns and was suspected of having connections to the earlier Chacha ransomware, operating as an independent group rather than a ransomware-as-a-service model. Maze operators primarily gained initial access through exploit kits, RDP brute force attacks, and spear-phishing campaigns, utilizing tools like Cobalt Strike for lateral movement and typically exfiltrating sensitive data before deploying their custom ransomware that used a combination of RSA and ChaCha20 encryption algorithms. The group became notorious for high-profile attacks against major organizations including Cognizant, Xerox, LG Electronics, and several healthcare systems during the COVID-19 pandemic, with ransom demands often reaching millions of dollars and their leak site regularly publishing stolen data from non-paying victims. Maze officially announced their retirement in November 2020, claiming they were ceasing operations and transferring some of their affiliates to other ransomware operations like Egregor.
References
112 linksExternal sources curated by the MISP threat-intel community.
- malpedia.caad.fkie.fraunhofer.de/details/win.maze
- bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/
- proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us
- techcrunch.com/2020/11/02/maze-ransomware-group-shutting-down
- fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
- secureworks.com/research/threat-profiles/gold-village
- adversary.crowdstrike.com/adversary/twisted-spider/
- analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel
- analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf
- blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer
- blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis
- blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html
- blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/
- blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html
- blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html
- blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html
- blogs.quickheal.com/maze-ransomware-continues-threat-consumers/
- cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
- cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf
- docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
Timeline
12 months2019-10-01T00:00:00+00:002020-09-01T00:00:00+00:00
Top countries
🇺🇸 United States
40
🇬🇧 United Kingdom
2
🇦🇺 Australia
2
🇨🇦 Canada
2
🇦🇪 UAE
2
🇹🇭 Thailand
2
🇧🇷 Brazil
1
🇵🇷 Puerto Rico
1
Top sectors
Critical Manufacturing
15
Information Technology
10
Financial
7
Transportation Systems
5
Healthcare and Public Health
5
Education Facilities
3
Food and Agriculture
3
Energy
2
MITRE ATT&CK
14 techniques · 9 tacticsTactics
Initial AccessExecutionPrivilege EscalationDefense EvasionCredential AccessLateral MovementCollectionExfiltrationImpact
Techniques
- T1566Phishing
- T1190Exploit Public-Facing Application
- T1059Command and Scripting Interpreter
- T1055Process Injection
- T1548Abuse Elevation Control Mechanism
- T1562Impair Defenses
- T1027Obfuscated Files or Information
- T1003OS Credential Dumping
- T1021Remote Services
- T1135Network Share Discovery
- T1005Data from Local System
- T1039Data from Network Shared Drive
- T1041Exfiltration Over C2 Channel
- T1486Data Encrypted for Impact
Detection · YARA rules
2 rulesRansom_Maze
YARA rule from ATR/Trellix: ransomware/Ransom_Maze.yar
source: ATR/Trellix
Maze
YARA rule from Yara-Rules Community: malware/RANSOM_Maze.yar
source: Yara-Rules Community
Recent victims
Loading…
Onion infrastructure
1 known- http://xfr3txoorcyy7tikjgj5dk3rvo3vsrpyaxnclyohkbfp3h277ap4tiad.onion
Source
Updated 6 years agoData on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.