Maze Ransomware Gang Shuts Down Operations

The Maze ransomware gang, which operated one of the most prolific ransomware campaigns of the past 18 months, has shut down. The Maze ransomware operators were the first to use a double-extortion tactic: data is stolen before files are encrypted, so the threat of publishing it increases the likelihood of the ransom being paid.

While all ransomware operations involve the encryption of files and the payment of a ransom in order to obtain the keys to decrypt files, data theft and the threat of publication of stolen data added an extra incentive to pay. Organizations attacked with the ransomware may be able to recover files by restoring them from backups, but highly sensitive data would be published on the group’s leak site if the ransom was not paid. That tactic proved to be extremely successful and has since been adopted by many ransomware operations.

Maze ransomware first appeared in May 2019, with attacks increasing toward the end of the year following the introduction of the double extortion tactic in November. The Maze gang also took the unusual step of issuing press releases about its operations, notably one during the pandemic stating that the group would not be conducting ransomware attacks on healthcare providers involved in the fight against COVID-19.

After an 18-month spree of ransomware attacks, the group started to wind down operations last month, and its leak site is no longer accessible. The shutdown of the operation was recently confirmed by BleepingComputer, which was regularly contacted by members of the gang.

While it is good news that the operation has been shut down, that does not mean attacks will stop. The individuals behind the operation are likely to continue operating under other ransomware variants, and the affiliates that worked with the gang will switch to alternative RaaS programs. BleepingComputer reports that as Maze operations began to shut down, there was a spike in Egregor activity, indicating that affiliates had simply switched ransomware variants. Egregor and Maze are very similar, sharing much of the same code and using virtually identical ransom notes and decryptors.

The threat from ransomware is ever present, and the shutdown of one operation is unlikely to reduce the overall number of attacks. The news comes as the gang behind REvil ransomware announced that it has generated profits in excess of $100 million in the past year from its attacks on large enterprises. That operation shows no sign of slowing down; in the same announcement, the gang said it hopes to make $2 billion from its ransomware before considering shutting down the operation.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news