
One of the world's most notorious ransomware teams is shutting down

Just as other ransomware groups have done in the past, the Maze cybercrime gang has announced that it will shut down its operations after being active for only a year and a half.

The group started deploying its ransomware in May of last year, but it became more active in November, when the operators of the Maze ransomware came up with a double-extortion tactic to ensure their ransom demands were met.

As reported by BleepingComputer, Maze reached out to the news outlet after stealing the unencrypted data of Allied Universal. The group threatened to publicly release the data if the ransom wasn't paid and, when the ransom went unpaid, it created a new site called Maze News, which it used to publish victims' data and issue press releases.

Maze's double-extortion technique proved popular among other cybercriminals, and for this reason other ransomware operations such as REvil, Clop and DoppelPaymer created their own data leak sites. Maze then went on to form a ransomware syndicate with Ragnar Locker and LockBit in order to exchange tactics and information.

Maze shut down

During the year and a half that Maze was in operation, the group successfully attacked a number of large organizations and cities, including Southwire, the City of Pensacola, Canon, LG, Xerox and others.

Rumors that Maze was preparing to shut down, just as GandCrab did last year, began spreading online last month, and the news was confirmed when a threat actor reached out to BleepingComputer. They told the news outlet that Maze was in the process of shutting down its operations and that the group had stopped encrypting new victims in September.

Maze has now begun removing victims from its Maze News site, and only two victims, along with the data of those who failed to pay the group's ransom demands, remain on the site.

While Maze's shutdown is good news for the cybersecurity community and for organizations that could be targeted, it is still unclear whether the group will release the master decryption keys for its ransomware. Crysis, TeslaCrypt and Shade all did so when they shut down, so it is possible that Maze could follow suit by releasing its keys.

Unfortunately, when a ransomware group steps down, another will rise to fill its place, and apparently many Maze affiliates have already switched over to a new ransomware operation called Egregor. It is believed that Egregor uses the same underlying software as Maze, as well as the same ransom notes, a similar payment site and much of the same code.

Via BleepingComputer