Maze

​The infamous Maze ransomware gang announced today that they have officially closed down their ransomware operation and will no longer be leaking new companies' data on their site.

Last week, BleepingComputer reported that Maze had stopped encrypting new victims since the middle of September, cleaned up their data leak site, and was extorting their final victims.

Today, Maze released a press release titled "The Project is closed," where they state that they are closed and any other ransomware operation that uses its name is a scam.

"Maze Team Project is announcing it is officially closed.
All the links to out project, using of our brand, our work methods should be considered to be a scam.

We never had partners or official successors. Our specialists do not works with any other software. Nobody and never will be able to host new partners at our news website. The Maze cartel was never exists and is not existing now. It can be found only inside the heads of the journalists who wrote about it."

Maze announcing shutdown
Maze announcing shutdown

In this announcement, Maze states that victims can contact them to remove private information from their data leak site, but according to Coveware, they will still require payment to do so.

"Perhaps Maze was intentionally vague, or perhaps this was lost in translation, but the 'press release's' statement about removing the data of victims that did not pay, is NOT an offer to have that data removed for free. It is an invitation back to the negotiation table for one last round.  We don't advise any companies that were victims of Maze contact them based on the statements Maze has made. We do not credibly believe that Maze or any other Ransomware group ever fully deletes the data stolen from victims, even if they choose to pay (which we don't advise they do)," Coveware CEO Bill Siegel told BleepingComputer.

BleepingComputer has asked Maze if they would be willing to release the master decryption keys when they close their support site like was done with CrysisTeslaCrypt, and Shade.  We have not received a response to this question.

Maze Ransomware rose to prominence in November 2019, when they stole unencrypted files and then publicly released them after a victim did not pay. Soon after, other ransomware operations began copying this double-extortion strategy, which has now become commonplace for almost all ransomware operations.

Maze is known for attacking well-known and large organizations such as SouthwireCity of PensacolaCanonLG Electronics, and Xerox.

Threat actors have told BleepingComputer that some of the Maze affiliates have moved to a new ransomware operation called Egregor, who recently attacked Crytek, Ubisoft, and Barnes and Noble.

Egregor, Maze, and another ransomware called Sekhmet, are believed to be created from the same software.

Maze denies having formed a cartel

In June 2020, it was noticed that the Maze group had added information about a victim from a different ransomware operation called LockBit.

Lockbit info on Maze site
Lockbit info on Maze site

To learn more about this collaboration between Maze and LockBit, BleepingComputer contacted the ransomware operators and was told that they are now collaborating with other groups to share information and experiences.

"In a few days another group will emerge on our news website, we all see in this cooperation the way leading to mutual beneficial outcome, for both actor groups and companies."

"Even more, they use not only our platform to post the data of companies, but also our experience and reputation, building the beneficial and solid future. We treat other groups as our partners, not as our competitors. Organizational questions is behind every successful business," Maze told BleepingComputer.

After learning of this, BleepingComputer called their new collaboration a 'Ransomware Cartel,' which the Maze operators quickly adopted as shown by a screenshot of data leaked on the 'Maze News Site.'

Maze Cartel posting Ragnar Locker data
Maze Cartel posting Ragnar Locker data

In today's post, Maze states that this is all a fabrication, and that 'Maze Cartel only existed inside the heads of journalists who wrote about it.'

To what extent this "Maze Cartel" existed and the collaboration between its members is unknown.

Update 11/3/20: Added note that Maze requires companies to pay a fee to remove data from leak site.

Related Articles:

Hessen Consumer Center says systems encrypted by ransomware

Johnson Controls says ransomware attack cost $27 million, data stolen

Fidelity National Financial: Hackers stole data of 1.3 million people

US mortgage lender loanDepot confirms ransomware attack

BlackCat ransomware shuts down in exit scam, blames the "feds"