The Maze cybercrime gang is shutting down its operations that began its operation in may 2019 after rising to become one of the most prominent players performing ransomware attacks.
A double-extortion tactic introduced by Maze to exfilterates the data before encryption
Once encrypted, they demand ransom . If victim fails to pay they publish those data in maze site which started to be in limelight
This double-extortion technique was quickly adopted by other large ransomware operations, including REvil, Clop, DoppelPaymer, who released their own data leak sites. This double-extortion technique has now become a standard tactic used by almost all ransomware operations.
Maze continued to evolve ransomware operations by forming a ransomware cartel with Ragnar Locker and LockBit, to share information and tactics.
During their year and a half cybercrime spree, Maze has been responsible for attacks on notable victims, including Southwire, City of Pensacola, Canon, LG Electronics, Xerox, and many more.
Maze started to shut down six weeks ago
In a similar manner as GandCrab did in 2019.lastly Barnes and Noble ransomware attack.
This threat actor stated that they take part in ransomware attacks by compromising networks and stealing Windows domain credentials. The compromised networks are then passed to affiliates who deploy the ransomware.
Maze has started to remove victims that they had listed on their data leak site. All that is left on the site are two victims and those who previously and had all of their data published.The cleaning up of the data leak site indicates that the ransomware operation’s shutdown is imminent.
It is not uncommon for ransomware operations to release the master decryption keys when they shut down their operation, as was done with Crysis, TeslaCrypt, and Shade.
Maze affiliates have switched over to a new ransomware operation called Egregor which began operating in the middle of September, just as Maze started shutting down their encryption operation.
This is believed to be the same underlying software as both Maze and Sekhmet as they utilize the same ransom notes, similar payment site naming, and share much of the same code.
This was also confirmed by a ransomware threat actor who stated that Maze, Sekhmet, and Egregor were the same software.when a ransomware operation shuts down, it does not mean the threat actors involved retire as well. They just move to the next ransomware operation.