A year after coming to prominence with one of the first high-profile double extortion ransomware attacks on facilities services supplier Allied Universal, the Maze ransomware gang appears to be shutting down its activities.
Rumours of the shutdown had been circulating in the security community for some time before being confirmed by the operators of Maze in a lengthy and somewhat bizarre screed on 1 November 2020.
“Maze Team Project is announcing it is officially closed,” the group said. “All the links to out [sic] project, using of our brand, our work methods should be considered to be a scam.”
The Maze gang went on to say it had no partners or official successors, and appeared to confirm that the news website to which it posted details and leaked data from its various attacks would not be updated going forward, although anybody who wants their private data removed from it can apparently contact Maze’s ‘support chat’ for the next month or so.
“The Maze cartel was never exists and is not existing now. It can be found only inside the heads of the journalists who wrote about it,” the group said.
The group went on to attempt to address what they described as rumours, lies and speculation about Maze. They said they had set up their project because the world is sinking into recklessness, indifference, laziness and stupidity, and that until organisations take responsibility for cyber security, more groups like it will “remind you about secure data storage”.
Maze also appeared to claim that they had, at some stage, access to IT systems at the New York state government and a number of internet service providers (ISPs) with “disgusting” security, and said they could have attacked these targets but chose not to.
The Maze gang appears to believe that their year-long cyber crime spree was merely a demonstration of lax cyber security hygiene at their targets, and that such organisations would one day be attacked by “radical psychos” who wanted to cause actual damage – ignoring the damage and disruption they have themselves caused.
Maze’s release, some of the stranger parts of which have been posted by security analyst Graham Cluley, goes on to rail against the concentration of cryptocurrency assets in the hands of a few wealthy people, and to warn against delegating too much control over daily life to digital technologies, warning of a future “digital detention camp”.
The double extortion tactics pioneered by the Maze gang – in which ransomware operators not only encrypt their victims’ data but steal and leak it to the public as well – have spread far and wide among the gang’s peers, being adopted by the operators of ReVIL/Sodinokibi and Avaddon, among others.
The Maze gang was also heavily invested in creating a cartel of affiliate groups with which it worked and shared attack techniques and expertise – this network included the likes of LockBit, RagnarLocker and SunCrypt.
However, as previously seen in the cyber criminal underworld – notably in the case of GandCrab, whose operators ‘quit’ in May 2019 only to reemerge running ReVIL/Sodinokibi – it is thought highly likely that the Maze gang’s ‘retirement’ is a sign that they are moving on to other projects.
Already, similarities between Maze and two newly emergent ransomwares known as Egregor and Sekhmet have been observed, provided a strong indication that the group is merely retooling for a new wave of cyber attacks.