Maze, one of the most active and well-known ransomware groups, has said that it is officially shutting down. The announcement was in the form of a statement that was full of spelling mistakes and published on Maze’s website.

For the past year, Maze has been publishing massive amounts of stolen internal documents from companies it attacked. The victims include Cognizant, Chubb (the cybersecurity firm), ExecuPharm (the pharma giant), Tesla, SpaceX's parts supplier Visser, and Kimchuk (the defence contractor).

While ransomware groups typically infect a machine with file-encrypting malware and demand a ransom before handing over the decryption key, Maze became well-known for exfiltrating the data and threatening to publish the documents unless it got paid.

Charting a course

Pretty soon, other ransomware groups saw how well this worked and started using the same data exfiltration tactic. They would set up a website on the dark web and leak the stolen files if the victim did not pay.

Maze used exploit kits and spam campaigns when they began operations. However, they soon started using known security vulnerabilities to target big companies.

Maze’s signature was that they used virtual private networks and remote desktop servers to launch their attacks on victims’ networks. Some of the demanded ransoms were in the millions of dollars.

The Maze paydays

Maze once demanded $6 million from a Georgia-based wire and cable manufacturer and $15 million from an unnamed organization, where they encrypted an entire network. Then the pandemic started, and Maze, among other ransomware groups, promised that they would not attack hospitals and medical facilities.

But security experts are not confident that ransomware groups will keep their word. After all, they are criminals motivated primarily by profit. That is why Maze’s announcement should be taken with a grain of salt.