The Life and Times of Maze Ransomware

Amid much speculation, the infamous Maze ransomware gang finally announced its retirement as of November 1, 2020. In a lengthy notice posted on its darknet site, the gang declared an end to its operations, saying, ‘This project is now closed.’ While active, however, Maze was a frontrunner in pioneering new extortion techniques, which it used against dozens of organizations, including big names such as LG, Southwire, Cognizant, and Canon.

It all began with ChaCha ransomware

  • The history of Maze ransomware began in the first half of 2019. Early on, it was known as ChaCha ransomware, and its ransom note carried the title ‘0010 System Failure 0010’.
  • Shortly afterward, the ransomware was modified and renamed Maze.
  • The ransomware was distributed via exploit kits (namely Fallout EK and Spelevo EK) as well as malicious email attachments.
  • Some incidents involved spear-phishing campaigns that installed Cobalt Strike RAT, while in other cases the network breach resulted from exploiting a vulnerable internet-facing service.
  • At the final stage of intrusion, the operators pilfered victims’ valuable data before encrypting it.

A pioneer in the cybercrime space

  • In November 2019, Maze became the first ransomware operation to introduce a new extortion tactic: naming and shaming organizations that refused to pay the ransom.
  • The tactic was first used against the security staffing firm Allied Universal, which had almost 700 MB of its data and files published on the site.
  • The authors of the ransomware maintained a website where they listed the names of their recent victims and published partial or full dumps of documents exfiltrated from the victims’ networks.
  • In addition, in June the gang teamed up with two other threat actor groups, LockBit and RagnarLocker, to form a ransomware cartel. The main purpose of the cartel was to share tactics and tips between the groups and to publish data stolen by member groups on the blog maintained by the Maze operators.
  • The cartel, moreover, enabled Maze operators to use obfuscation techniques previously used by RagnarLocker.

How much did the gang make?

  • Though the exact figure is still unknown, the gang’s ransom demands are reported to have reached into the millions of dollars.
  • In one incident, Maze demanded $6 million from a Georgia-based wire and cable manufacturer; in another, it demanded $15 million from a different company.

What to expect in the future?

Brett Callow, a ransomware expert at Emsisoft, has offered a broader view of Maze’s current state, speculating that the gang may have made enough money to sail off into the sunset. On the other hand, it is also possible that the gang will make a strong comeback under a new brand name to launch more sophisticated attacks.