Maze Ransomware Shuts Down Operations After Recent Ransomware Attacks

On November 1, 2020, the Maze ransomware operators announced on their website that they are shutting down their ransomware operations. The news of the shutdown appeared shortly after United States government officials warned the public about Ryuk ransomware attacks on hospitals and other healthcare providers. Since mid-September, the Maze team slowly tapered off publishing stolen data to their website, suggesting the actors were taking a break from distributing recent ransomware attacks, publishing stolen data, or updating the malware to handle more capabilities and functions. While the announcement indicated that Maze does not have any successors, and the so-called Maze Cartel never existed, it is rumored that affiliates of Maze are reportedly joining the Egregor ransomware operations. These rumors suggest that the group is merely shifting its operations elsewhere. ZeroFox Alpha Team assesses a trend of ransomware gang consolidation likely to play out over the next year. Consolidation offers the chance for ransomware gang members to cash out or pursue better opportunities at larger operations. These larger operations will likely have a better Ransomware-as-a-Service (RaaS) affiliate model or require more vetting to join. 

Details on the Operations Shut Down

On November 1, 2020, the Maze ransomware operators announced that they have completely shut down their website and attempted to dispel rumors that the "Maze Cartel" ever existed, at the same time warning that any future links to their operations would be considered a scam. The official announcement also indicated that Maze’s operations were merely a demonstration of lax cyber security practices, reminding organizations to stay secure when handling clients' personal and financial data (Figure 1).  

Since the beginning of its almost year-long operation, Maze ransomware posed a serious threat to organizations and individuals. First discovered in late 2019 as the ChaCha ransomware, Maze initially infected victims through exploit kits and phishing campaigns before utilizing vulnerable software, such as remote desktop protocol (RDP) exploits, to distribute the malware. Most notably, Maze pioneered the use of novel extortion tactics in which it threatened to publish victims' information (or partially published such data) if they chose not to comply with the ransom demands. Such tactics have since been adopted by other ransomware families, such as Sodinokibi, Conti, Ragnar Locker, and SunCrypt and completely altered the ransomware threat landscape, making it more difficult for ransomware victims to recover from an attack. 

2020 Recent Ransomware Attacks Conducted by Maze

Thus far in 2020, Maze has published stolen data from over 300 successful infections on its dedicated website. In March 2020, in light of the COVID-19 pandemic, several ransomware groups, including Maze, vowed not to target healthcare organizations  until the pandemic was over. In light of the shutdown of Maze’s operations, its affiliates are reportedly joining the Egregor ransomware operations. Egregor emerged in September 2020, and is allegedly based on the Sekhmet ransomware.

How Maze Ransomware Attacks Work

The Maze ransomware targets machines running Windows environments and is spread through infection vectors like exploited RDP endpoints, phishing emails, and exploit kits. In general, when Maze runs on a Windows machine, the malware will attempt to establish communication with a command and control location while encrypting all files on the machine using RSA-2048 encryption. Once the encryption process completes, the victim is presented with a ransom note containing instructions on how to contact the ransomware actors to pay the ransom demands. A screenshot of the Maze ransom note is displayed in Figure 2.

Maze Cartel Partnerships to Conduct Recent Ransomware Attacks

In June 2020, the Maze team reportedly introduced a partnership program with other ransomware teams to publish stolen information from recent ransomware attacks dubbed the "Maze Cartel." The groups included within this program were LockBit ransomware, Ragnar Locker ransomware, and later SunCrypt ransomware. The launch of such a partnership suggested that these ransomware groups could potentially increase profits from their attacks by working with the Maze team, who had established their ransomware as a prominent and sophisticated threat. In August 2020 security journalists interviewed members of the SunCrypt ransomware who claimed they joined the Maze Cartel because Maze operators allegedly could not handle the volume of victim extortions and needed assistance from other actors, indicating that they shared revenue from successful infections with Maze. However, according to the recent announcement by Maze, the Maze Cartel never existed claiming it was created by journalists who wrote about it.

Why Did Maze Shut Down Operations?

Since September, Maze has been removing victim lists from their website and closing their operations. There could be a number of factors going into their decision to close. With the security community and the news cycle being hyper-focused on recent ransomware attacks, this could be an opportune time for some operators to jump ship with their earnings. According to Maze, some of their operators moved to other ransomware gangs. 

A recent video emerged where an alleged member of the REvil gang was interviewed by a Youtube channel.

In the video, the REvil member tells the interviewer that they have noticed the increased attention from the media and the security researcher community. In response, they have created a more thorough vetting process for members, asking questions only a native from a Commonwealth of Independent States (CIS) country would know, for instance. Alpha Team has also observed potential recruiters for these gangs on vetted cybercrime forums setting up interviews based on toolsets used extensively by these gangs. They are also cognizant that law enforcement officials and security researchers are trying to infiltrate their group to collect information.

If this interviewer indeed found a member of the REvil gang, it has given valuable insight into the modus operandi of the REvil gang as well as other ransomware gangs. Maze most likely shares the same paranoia that REvil has, due to their common threat models.

Recommendations to Protect Your Organization Against Recent Ransomware Attacks

Ransomware attacks target organizations of all sizes and industries. ZeroFox recommends keeping your security systems up to date with the latest detections in order to proactively respond to potential attacks. Maintaining secure backups of all business-critical information is important should an attack occur. Finally, create a robust network segmentation to help prevent lateral movement of hackers between business units.  While Maze may be shutting down operations, it’s clear that these types of attacks are ongoing, requiring security teams to remain vigilant in their detection and mitigation efforts.