The year 2020 has been an opportune time for threat actors due to the COVID-19 pandemic when several cyber threats have been observed accelerating their malicious activities. Yet another surprising news about one of the most prominent ransomware groups has been making headlines recently, which is kind of a relief for security agencies around the globe.
What was found?
From introducing a double-extortion tactic to launching a data leak site, and forming a ransomware cartel with other malware groups to share information and tactics, Maze ransomware has been very proactive in recent times.
- BleepingComputer found that the Maze ransomware group has been preparing to shut down its cybercrime operations from at least six weeks.
- The actions of Maze operators justify this shutdown rumor. The gang has stopped targeting new victims since September. Furthermore, it has started cleaning up its data leak site and is trying to squeeze the last ransom payments from already compromised victims.
- Later on, an associated threat actor involved in the earlier Maze attacks has confirmed that Maze is in the process of shutting down its operations.
Incandesce of Maze ransomware
Maze, before leaving its battlefield, claimed a few more victims recently to its list.
- Recently, Maze ransomware had targeted Toledo Public Schools and dumped more than 9GB of compressed data containing confidential and classified student and employee data.
- Maze also claimed to hit Fairfax County Public Schools in a cyberattack in September and leaked several hundreds of employee names, social security numbers, and other data in October.
Egregor in the wings
As the news of Maze retirement makes the rounds, several Maze affiliates have started switching over to a newer ransomware operation, called Egregor, which shares the same capabilities as Maze.
Retired or not
Maze gang has not announced any press release yet regarding the shutdown rumor, however, the quick shift of affiliates over to Egregor shows that even when a cybercrime operation shuts down, it does not mean the threat actors involved retire as well. They just move on to the next cybercrime operation.