One of the world's best-known ransomware teams is closing its doors

Like other ransomware groups before it, the Maze cybercrime gang has announced that it will cease operations after only a year and a half of activity. The group began deploying its ransomware in May of last year but became more active in November, when Maze ransomware operators devised a double extortion tactic to ensure their ransom demands were met. As BleepingComputer reported, Maze contacted the news outlet after stealing unencrypted data from Allied Universal. The group threatened to publicly release the data if the ransom was not paid, and when it was not, they set up a new site called Maze News that they used to post victim data and issue press releases. Maze's double extortion technique proved popular with other cybercriminals, and other ransomware operations such as REvil, Clop, and DoppelPaymer created their own data leak sites. Maze then formed a ransomware syndicate with Ragnar Locker and LockBit to trade tactics and information.

Closed maze

In the year and a half of Maze's operations, the group successfully attacked a number of large organizations and cities, including Southwire, the City of Pensacola, Canon, LG, Xerox, and others. Rumors that Maze was preparing to shut down, just as GandCrab did last year, began spreading online last month, and the news was confirmed when a threat actor contacted BleepingComputer. They told the outlet that Maze was in the process of shutting down operations and that the group stopped encrypting new victims in September. Maze has now begun removing victims from its Maze News site, with only two victims, along with details of those who failed to pay the group's ransom demands, remaining on the site. While Maze's shutdown is good news for the cybersecurity community and for organizations that could be targeted, it is not yet clear whether the group will release the master decryption keys for its ransomware. Crysis, TeslaCrypt, and Shade did this when they shut down, so it is possible Maze could follow suit by releasing its keys. Unfortunately, when one ransomware group quits, another rises to take its place, and many Maze affiliates have apparently already switched to a new ransomware operation called Egregor. Egregor is believed to use the same underlying software as Maze, along with the same ransom notes, a similar payment site, and much of the same code.

Via BleepingComputer