The Maze hacking gang that began operating in May of 2019 is thought to be shutting down its operations. The media-savvy operation revolutionized ransomware attacks with their invention of a double-extortion tactic. Initially, they steal your files, then later encrypt them. In addition, Maze publicly displays the files of victims that fail to pay ransoms on a public leak site.
Double-extortion was eventually adopted by other large ransomware operations, including REvil, Clop and DoppelPaymer, who also created their data leak sites. Double-extortion has now become a standard tactic used by almost all ransomware hacking groups.
Maze also formed a ransomware cartel with Ragnar Locker and LockBit, to share information and techniques. During their year and a half long terror spree, Maze was responsible for attacks on victims, including Southwire, City of Pensacola, Canon, LG Electronics, Xerox, and many more.
Maze Started to Shut Down in Fall of 2020
According to reports, Maze was set to shut down operations in a similar manner as GandCrab did in 2019. Although some news sites attempted to confirm if they were in fact shutting down, the gang replied to these outlets, “You should wait for the press release.”
In late 2020, Maze started to remove information from the victims listed on their data leak site. The cleaning up of the data leak site may indicate that the hacking operation’s shutdown is imminent.
Affiliates Move to Egregor Ransomware
According to reports, many of Maze’s affiliates have switched over to a new ransomware operation called Egregor. Egregor began operation in mid-September 2020, just as the Maze gang started shutting down their encryption operation. It has quickly become very active and is believed to be the same underlying software as both Maze and Sekhmet, because they use the same ransom notes, similar payment site naming, and share much of the same code. One hacker even went as far as to confirm that Maze, Sekhmet, and Egregor were the same software.
Unfortunately for potential victims, this proves that even when a ransomware operation shuts down, it does not mean the hackers ride off into the sunset and retire; they just move to the next ransomware operation.
If you are still having trouble, consider contacting remote technical support options.
