The Maze ransomware gang made news in 2019 when it became the first high-profile hacking group to exfiltrate sensitive files from victims and threaten to publish them if the ransom was not paid. The group has recently contacted select cybersecurity journalists to announce that it is formally winding down its cyber crime operation, having ceased attacking new targets since September.
While this is nominally good news, it’s certainly not the end of Maze-style ransomware and also most likely not the end of the criminal careers of the hackers behind it.
Maze ransomware: A trendsetter that complicated incident response plans
Before Maze began its cyber crime operation in May of 2019, a ransomware attack was a relatively straightforward thing. You could risk paying the ransom demands in return for the keys, something that actually happened with fair frequency given that it was a solid business strategy for hackers. But if you had a regular and robust backup system, you might not need to bother. In either case, one could opt to ignore the attackers with the only fallout being the need to somehow restore the network.
The Maze ransomware added a significant layer of complication. The Maze group would first steal copies of files from targets before encrypting them; not unusual in itself, but Maze added the twist of threatening to publish sensitive information on its own website if the ransom was not paid. The cyber crime operation published large numbers of documents filched from Xerox, LG, Southwire, Canon and the city government of Pensacola, among other targets that refused to pay up. Maze would often publish tens of gigabytes of these files on its dark web “leak site,” Maze News, in retaliation for a failure to pay the ransom by a specified deadline. Sensitive information that it published included employee information files, proprietary information about products and internal source code.
A number of groups began copying Maze’s “double extortion” technique with their own data leak sites, and it is becoming a fairly common element of ransomware attacks. In addition to setting the blackmail trend, the Maze cyber crime operation also normalized the idea of ransomware gangs doing public relations. The Maze News site published press releases about the group’s various attacks, and the hackers would on occasion reach out to various security journalists to confirm their actions.
Maze seemed to particularly favor communication with Bleeping Computer, and the site reported in October that there was a possibility that Maze would wind down their cyber crime operations in the near future. Maze appears to have confirmed that this month with a series of private messages. As with a number of other large cybercrime gangs of this nature, Maze ransomware is made available in an affiliate system that allows independent threat actors to make use of it for a portion of the proceeds. The Maze ransomware gang has not only ceased to target organizations, but also appears to have advised affiliates that the command and control servers will not be operational for much longer.
Onward to new cyber crime operations?
It is possible that the Maze ransomware group is leaving the world of cyber crime operations for good. One of their contemporaries, GandCrab, voluntarily shut down under similar circumstances last year and claimed in a final communiqué that they had made enough money to pivot to operating legitimate businesses. The Shade group, which had been distributing its ransomware since 2014 and appears to have hit about 750,000 targets worldwide, also closed its doors with a public apology earlier this year.
However, it is more likely that they are simply moving on to new but similar ransomware operations. Some security researchers believe that a good many of the Maze affiliates have moved on to a similar arrangement with Egregor, which is believed to be a derivative of the Maze ransomware. Coincidentally, this new ransomware threat became very active around mid-September, when the rumors about the impending end of the Maze cyber crime operation began. The Egregor and Maze ransomware make use of the same default ransom notes and share a good deal of code.
It is not clear if any members of the core Maze ransomware gang made the jump to running a new affiliate model with Egregor, but the new ransomware offers the former affiliates the opportunity to step right into a very similar operation without much of a disturbance.
Lamar Bailey, senior director of security research at Tripwire, believes that the same actors have simply reorganized under a new brand name: “Criminals don’t just have an epiphany and quit being criminals overnight. They shut down an operation when the return on their investment drops below the costs of running the ‘program’ or when they are about to get caught. This is no different. They are switching to something new, maybe Egregor, which miraculously came out at the same time Maze started shutting down. This is just like that one furniture store in town that is going out of business every few months only to reopen with a new name but with the same people and product. Whatever the case may be, Maze has been removing the stolen data from the Maze News site. Other ransomware groups have released their keys to the public after completely shutting down, and the hope is that Maze will do so as well.”