Maze, a Notorious Ransomware Group, Says It's Shutting Down

One of the most active and notorious data-stealing ransomware groups, Maze, says it is "officially closed." From a report: The announcement came as a waffling statement, riddled with spelling mistakes, and published on its website on the dark web, which for the past year has published vast troves of stolen internal documents and files from the companies it targeted, including Cognizant, cybersecurity insurance firm Chubb, pharmaceutical giant ExecuPharm, Tesla and SpaceX parts supplier Visser, and defense contractor Kimchuk. Where typical ransomware groups would infect a victim with file-encrypting malware and hold the files for a ransom, Maze gained its notoriety for first exfiltrating a victim's data and threatening to publish the stolen files unless the ransom was paid. It quickly became the preferred tactic of ransomware groups, which set up websites -- often on the dark web -- to leak the files it stole if the victim refused to pay up. Maze initially used exploit kits and spam campaigns to infect its victims, but later began using known security vulnerabilities to specifically target big name companies. Maze was known to use vulnerable virtual private network (VPN) and remote desktop (RDP) servers to launch targeted attacks against its victim's network. Some of the demanded ransoms reached into the millions of dollars.

So the one-headed hydra becomes many.

[Mal-2]

Just because the collective known as The Maze shuts down, that doesn't mean even a single member intends to discontinue their activities. It just means the group will splinter into smaller factions, which may or may not be aligned. (If they all got along, they wouldn't be breaking up.)

Re:

[ShanghaiBill]

It is likely that Maze isn't a "group" at all. A single perpetrator will often publicly portray themself as the leader of a nonexistent "organization" to either boost their ego or to misinform law enforcement. The Unabomber did this.

It is not like there is a Facebook group for criminal masterminds where they can meet up and organize.

Sure there is. And the funny thing about it

[raymorris]

There are several forums where such people meet up and organize.

The funny thing about that, most of the members implicitly assume that if you've been a member of the forum for several years, they can trust you, at least to some degree. So a white-hat security professional who started joining these forums around 1998 might be one of their most trusted members. Simply because they've been there a long time, everyone "knows them".

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Nidi62]

Just because the collective known as The Maze shuts down, that doesn't mean even a single member intends to discontinue their activities. It just means the group will splinter into smaller factions, which may or may not be aligned. (If they all got along, they wouldn't be breaking up.)

Looks like another group called Egregor (which uses the same software) started spinning up around the same time Maze started winding down. Maybe just like how whenever a new crop of UI people come into a company they have to redo everything, whichever state-sponsored group this is (looking at you, NK) got a new batch of draftees and wants to make their own mark.

Why?

[daniel23]

Could it be a lone case of "got enough out of it, time to finish while we're still free?"

Feeling the heat ?

[dargaud]

They must have had some close calls. Well, until some of those ransomware members aren't found out and publicly quartered^H^H^H strung up with barbed wire around the neck^H^H^H taken out by a Tomahawk missle... things aren't gonna change. But make a few very public and gross executions and it's gonna change.

Re:

[EvilSS]

I suspect it was a case of the juice not being worth the squeeze, at least with their current model. I've been monitoring their site since one my customers got hit by it. It looks like a lot of the bigger victims didn't pay. Now they don't post if they pay right away, only if they delay then they start posting the company's data a bit at a time to entice them. I suspect they are not shutting down so much as focusing on those victims who pay up out of the gate and going dark to staying more out of the public

Re:

[Registered Coward v2]

Could it be a lone case of "got enough out of it, time to finish while we're still free?"

My thoughts as well. Given the heightened involvement of government agencies with huge resources that are directing them against hacking, they may have decided to get out while the getting good and not risk losing everything. It’s also possible some government offered them protection in exchange for their knowledge and skills; given the increased realization that cyber skills are a cheap way to attack powerful adversaries and a force multiplier.

Shutting down.... to open a referrer-based one

[Sebby]

Seen this before, where they "shut down", only to rework their operation to have affiliate-based operation to limit their exposure (and shift it to the referrals instead).

Re:

[Pascoea]

Referrals? As in an "I don't like my company, give me a cut and I'll let you in." kinda thing?

Re:

[Zocalo]

"Affiliate" as in a Multi-Level Marketing (MLM) style model. Maze, or former members thereof, sell/rent access to their code (and maybe access to pre-baked C&C servers as well) on the DarkWeb, script kiddies etc. then run the actual malware campaigns and take the legal heat if/when they fail to grok OpSec. Several malware and ransomware operations have already taken this approach, so it's not a new approach, and generally makes the game of whack-a-mole much harder as they'll each have up with their own

Re:

[Pascoea]

Ah. Thanks for the clarification. Not a bad business plan. The "selling shovels to gold miners" approach. The only one getting rich is the person selling shovels.

So if they shut down...

[mark-t]

... then their malware will end up directing people to deposit funds in a digital wallet for which they shall receive no decryption key.

People will start to realize that paying out ransoms is stupid because it does not offer any guarantee that you can recover your data, and will be forced to have some policies in place to mitigate such an occurence in the future.

Yeah, we're closed.

[grep -v '.*' *]

Closed. CLOSED, I said. Go away, you bother me.

Oh, you know the secret knock? Well come on it then, why didn't you say so; quit wasting time.

I agree with the previous poster -- they broke up and went their own way, so now some other groups will gain more firepower. "Closed" doesn't mean loss of all resources, just that this particular branding has lost most of its clout.

Not really

[campuscodi]

They just rebranded as Egregor

Why mention it this way?

[sentiblue]

including Cognizant, cybersecurity insurance firm Chubb, pharmaceutical giant ExecuPharm, Tesla and SpaceX parts supplier Visser, and defense contractor Kimchuk

If you read carefully, you'll see that Visser is a hack victim and not Tesla nor SpaceX. But whoever wrote this, deliberately put Tesla and SpaceX into the same sentence. If someone is reading too fast they will think those two companies are among the victims. So I wanna ask: What's the purpose of doing this?