Maze ransomware shuts down operations, denies creating cartel

​The infamous Maze ransomware gang announced today that they have officially closed down their ransomware operation and will no longer be leaking new companies' data on their site.

Last week, BleepingComputer reported that Maze had stopped encrypting new victims since the middle of September, cleaned up their data leak site, and was extorting their final victims.

Today, Maze released a press release titled "The Project is closed," where they state that they are closed and any other ransomware operation that uses its name is a scam.

In this announcement, Maze states that victims can contact them to remove private information from their data leak site, but according to Coveware, they will still require payment to do so.

"Perhaps Maze was intentionally vague, or perhaps this was lost in translation, but the 'press release's' statement about removing the data of victims that did not pay, is NOT an offer to have that data removed for free. It is an invitation back to the negotiation table for one last round.  We don't advise any companies that were victims of Maze contact them based on the statements Maze has made. We do not credibly believe that Maze or any other Ransomware group ever fully deletes the data stolen from victims, even if they choose to pay (which we don't advise they do)," Coveware CEO Bill Siegel told BleepingComputer.

BleepingComputer has asked Maze if they would be willing to release the master decryption keys when they close their support site like was done with Crysis, TeslaCrypt, and Shade.  We have not received a response to this question.

Maze Ransomware rose to prominence in November 2019, when they stole unencrypted files and then publicly released them after a victim did not pay. Soon after, other ransomware operations began copying this double-extortion strategy, which has now become commonplace for almost all ransomware operations.

Maze is known for attacking well-known and large organizations such as Southwire, City of Pensacola, Canon, LG Electronics, and Xerox.

Threat actors have told BleepingComputer that some of the Maze affiliates have moved to a new ransomware operation called Egregor, who recently attacked Crytek, Ubisoft, and Barnes and Noble.

Egregor, Maze, and another ransomware called Sekhmet, are believed to be created from the same software.

Maze denies having formed a cartel

In June 2020, it was noticed that the Maze group had added information about a victim from a different ransomware operation called LockBit.

To learn more about this collaboration between Maze and LockBit, BleepingComputer contacted the ransomware operators and was told that they are now collaborating with other groups to share information and experiences.

"In a few days another group will emerge on our news website, we all see in this cooperation the way leading to mutual beneficial outcome, for both actor groups and companies."

"Even more, they use not only our platform to post the data of companies, but also our experience and reputation, building the beneficial and solid future. We treat other groups as our partners, not as our competitors. Organizational questions is behind every successful business," Maze told BleepingComputer.

After learning of this, BleepingComputer called their new collaboration a 'Ransomware Cartel,' which the Maze operators quickly adopted as shown by a screenshot of data leaked on the 'Maze News Site.'

In today's post, Maze states that this is all a fabrication, and that 'Maze Cartel only existed inside the heads of journalists who wrote about it.'

To what extent this "Maze Cartel" existed and the collaboration between its members is unknown.

Update 11/3/20: Added note that Maze requires companies to pay a fee to remove data from leak site.