Threat Actor Profile
Maze
The Maze ransomware group was first observed around May 2019 and, by late 2019, had become infamous for pioneering the "double-extortion" tactic. The group did not just encrypt victims' data; it stole the data first and threatened to publish it on a public leak site if the ransom was not paid. This turned every Maze ransomware incident into a data breach as well, with the disclosure and notification obligations that come with one.
Maze TTPs
Tactics
Maze's primary goal was financial gain through extortion. They maximized pressure on victims by not only holding their systems hostage but also threatening their reputation and business relationships. Their tactic was simple but brutal: pay up, or we expose your secrets to the world.
Techniques
To achieve their goals, Maze operators used a multi-stage approach. They would gain initial access, move laterally across the network to find high-value data, exfiltrate that data to servers they controlled, and only then deploy the ransomware to encrypt the victim's files. Because the data had already left the network before encryption began, restoring from backups no longer ended the incident: the victim still faced the threat of a public leak.
Procedures
Maze used a variety of procedures to infiltrate networks:
Phishing & Spam: They often started their attacks with malicious emails carrying Microsoft Word or Excel attachments whose macros downloaded the malware.
Exploit Kits: Exploit kits such as Spelevo and Fallout delivered Maze by exploiting unpatched browser and plugin vulnerabilities on the victim's workstation.
RDP Attacks: They used weak, guessed, or stolen Remote Desktop Protocol (RDP) credentials to log straight into internet-exposed hosts.
Privilege Escalation: Once inside, they used tools like Mimikatz to dump credentials from memory and escalate to administrator-level control, which they then used to move laterally.
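Two of the procedures above leave recognisable traces in Windows telemetry: RDP password guessing shows up as a burst of failed RemoteInteractive logons (Security event 4625, logon type 10) from one source, often followed by a success (4624), and in-memory credential dumping with a tool like Mimikatz shows up as an unexpected process opening lsass.exe with read access (Sysmon event 10, GrantedAccess containing PROCESS_VM_READ). The script below is an added example written for this page, not Huntress code or anything recovered from a Maze intrusion. The key=value event format, the field names, the five-failures-in-ten-minutes threshold and the allowlist of benign LSASS readers are all assumptions to be tuned for a real estate, and the sample events are constructed.

```python
"""Flag two Maze-style behaviours in Windows Security / Sysmon events.

Event lines are a simplified key=value rendering (an assumption for this
example); real telemetry would come from a SIEM or EDR export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"      # LogonType 10 = RemoteInteractive (RDP)
PROCESS_VM_READ = 0x0010   # access right a credential dumper needs on lsass.exe
# Assumed benign LSASS readers; tune for the EDR/AV actually deployed.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "msmpeng.exe"}

# Constructed sample events (not real telemetry). Paths contain no spaces,
# which the simple whitespace tokenizer below relies on.
SAMPLE_EVENTS = r"""
ts=2020-04-10T02:13:05 id=4625 logon_type=10 user=administrator src=203.0.113.7
ts=2020-04-10T02:13:07 id=4625 logon_type=10 user=administrator src=203.0.113.7
ts=2020-04-10T02:13:09 id=4625 logon_type=10 user=admin src=203.0.113.7
ts=2020-04-10T02:13:11 id=4625 logon_type=10 user=backup src=203.0.113.7
ts=2020-04-10T02:13:14 id=4625 logon_type=10 user=svc_sql src=203.0.113.7
ts=2020-04-10T02:14:02 id=4624 logon_type=10 user=svc_sql src=203.0.113.7
ts=2020-04-10T02:20:00 id=4625 logon_type=10 user=jsmith src=10.0.5.21
ts=2020-04-10T02:20:30 id=4624 logon_type=10 user=jsmith src=10.0.5.21
ts=2020-04-10T02:31:40 id=10 source_image=C:\Windows\System32\csrss.exe target_image=C:\Windows\System32\lsass.exe granted_access=0x1FFFFF
ts=2020-04-10T02:32:05 id=10 source_image=C:\Users\svc_sql\Desktop\x64\mm.exe target_image=C:\Windows\System32\lsass.exe granted_access=0x1010
""".strip().splitlines()


def parse_event(line):
    """Turn one key=value line into a dict with a datetime timestamp."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one source racks up `threshold` failed RDP logons inside
    `window`, and again if that source later logs on successfully."""
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("logon_type") != RDP_LOGON_TYPE:
            continue
        src = ev["src"]
        if ev["id"] == "4625":
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "rdp_password_guessing", "src": src,
                               "failures": len(q), "ts": ev["ts"]})
        elif ev["id"] == "4624" and src in flagged:
            alerts.append({"rule": "rdp_guessing_succeeded", "src": src,
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


def detect_lsass_access(events):
    """Alert when a non-allowlisted process opens lsass.exe with VM_READ."""
    alerts = []
    for ev in events:
        if ev["id"] != "10" or not ev.get("target_image", "").lower().endswith("\\lsass.exe"):
            continue
        source = ev["source_image"]
        image_name = source.rsplit("\\", 1)[-1].lower()
        access = int(ev["granted_access"], 16)
        if access & PROCESS_VM_READ and image_name not in LSASS_ALLOWLIST:
            alerts.append({"rule": "lsass_memory_read", "source_image": source,
                           "granted_access": hex(access), "ts": ev["ts"]})
    return alerts


def run_detections(lines):
    """Parse raw lines and run both detections; returns the combined alert list."""
    events = [parse_event(line) for line in lines]
    return detect_rdp_guessing(events) + detect_lsass_access(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed sample the script raises three alerts: the five failures from 203.0.113.7, the success for svc_sql from the same address a minute later, and mm.exe reading LSASS memory. The csrss.exe event is ignored because it is allowlisted, and the single jsmith failure never reaches the threshold. The LSASS rule deliberately keys on the access mask rather than the tool name, since renamed Mimikatz binaries are common; the cost is that every legitimate reader of LSASS memory has to be allowlisted explicitly.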
Notable Cyberattacks
One of Maze's most high-profile attacks was against IT services giant Cognizant in April 2020. The attack crippled internal systems and disrupted services for clients, and Cognizant estimated the cost at $50 to $70 million. Another major hit was on Canon in August 2020, where the attackers claimed to have exfiltrated 10TB of data, alongside service disruptions and permanent data loss for some users. Maze also breached Xerox and leaked over 100GB of the company's data on its site to prove the theft was real.
Law Enforcement & Arrests
In November 2020, the Maze group posted a bizarre "press release" announcing they were shutting down their operation. However, law enforcement and cybersecurity experts remain skeptical. Ransomware groups often "rebrand" to evade authorities and continue their activities under a new name. Researchers have noted strong similarities between Maze's code and newer ransomware strains like Egregor and Sekhmet, suggesting the operators are likely still active. To date, no major arrests directly linked to the core Maze group have been publicly announced.
How to Defend Against Maze
Patch Everything: Maze loves unpatched vulnerabilities. Keep your OS, software, and firmware updated.
Secure Credentials: Enforce strong, unique passwords and enable multi-factor authentication (MFA) everywhere, especially for RDP and VPN access. Do not expose RDP directly to the internet; put it behind a VPN or gateway and alert on repeated failed logons.
Train Your Team: Your employees are the first line of defense. Teach them to spot and report phishing emails and suspicious activity.
Adopt a Zero Trust Mindset: Assume no user or device is trustworthy by default. This helps contain threats and prevents lateral movement if an attacker gets in.
The Huntress security platform is built to catch the kind of sneaky behavior Maze and its successors rely on. Our 24/7 ThreatOps team actively hunts for suspicious activities like privilege escalation and lateral movement. We can detect malware that slips past traditional antivirus and isolate infected hosts before a full-blown ransomware deployment happens.