The Maze gang is ending its activities after becoming one of the most prominent players in the ransomware scene. Maze ransomware started operating in May 2019, but became more active in November of the same year.
The group revolutionized ransomware attacks by introducing a double blackmail tactic.
First, they steal your files and then encrypt them
Ransomware operators, for the most part, tend to ignore emails from journalists. That changed in November 2019, when the Maze team contacted BleepingComputer to let them know they had stolen the data of Allied Universal.
Maze's team said that if Allied did not pay the ransom, their data would be made public. In the end, the ransom was not paid and Maze released the stolen data.
This double blackmail technique was quickly adopted by other major ransomware operations, including REvil, Clop and DoppelPaymer, which launched their own data leak websites. It has now become a standard tactic used by almost all ransomware groups.
The Maze team continued to evolve ransomware operations by forming a cartel with the Ragnar Locker and LockBit teams to share information and tactics.
During the year and a half it has been operating, Maze has been responsible for attacks on high-profile victims, including Southwire, City of Pensacola, Canon, LG Electronics, Xerox and many more.
Maze stopped about six weeks ago
Earlier last month, BleepingComputer began to hear rumors that Maze's team was preparing to shut down its ransomware operation in a similar way to the GandCrab team in 2019.
The closure was later confirmed after BleepingComputer contacted an attacker who took part in the attack on Barnes and Noble.
The Maze team is in the process of shutting down: it has stopped encrypting new victims since September 2020 and is trying to force its latest victims to pay the ransom.
Partners move to Egregor ransomware
BleepingComputer has learned that many Maze associates have switched to a new ransomware group called Egregor.
The Egregor team started operating in mid-September and quickly became quite well known.
Egregor ransomware is believed to be similar to Maze and Sekhmet in that they use the same "ransom notes", a similar payment site name, and share much of the same code.
This was also confirmed by one hacker who stated that Maze, Sekhmet and Egregor were the same software.
Unfortunately, this shows that even when a ransomware operation is shut down, it does not mean that the threat actors involved retire. They just move to another team or business.