Security researchers learned through an official statement that the digital crime gang MAZE has shut down its ransomware operations.
BleepingComputer began hearing rumors of the closure in early September 2020.
In an email conversation, a ransomware attacker told the site that the MAZE gang had stopped encrypting new victims in September 2020 and was trying to force its existing victims to pay their ransoms in anticipation of winding down its operations.

BleepingComputer reported that MAZE was shutting down
After that conversation, Bleeping Computer contacted the MAZE gang to confirm the rumors. The ransomware attackers responded by telling the site to wait for a press release, which was published on November 2, 2020.
It wasn't long before those responsible for Maze began cleaning up their data leak site, removing all but two victims whose data had previously been published in full on the portal.
Meanwhile, Bleeping Computer learned that many affiliates associated with Maze have since moved to Egregor, another ransomware gang that shares code, ransom notes, and payment site naming schemes with Maze and Sekhmet.
MAZE ransomware made headlines in November 2019 when it was the first crypto-malware strain to steal victims' unencrypted data before activating its encryption routine. Since then, numerous other ransomware operations have adopted this technique.
The group initially used exploit kits and spam campaigns to infect its victims, but later began using known security vulnerabilities to specifically target large enterprises. Maze was known for exploiting vulnerable virtual private network (VPN) and remote desktop (RDP) servers to launch targeted attacks against its victims' networks.
Where typical ransomware groups would infect a victim with file-encrypting malware and hold the files for ransom, MAZE first gained notoriety by exfiltrating a victim's data and threatening to publish the stolen files unless the ransom was paid.
It quickly became the preferred tactic of ransomware groups, which set up websites — often on the dark web — to leak files they stole if victims refused to pay.
The Maze gang went on to form an "extortion cartel" in which it shared resources and techniques with some of the attack groups that joined as members.
Some of the ransoms demanded reached into the millions of dollars. Maze reportedly demanded $6 million from a Georgia-based wire and cable manufacturer, and $15 million from an unnamed organization after the group encrypted its network. But after COVID-19 was declared a pandemic in March, MAZE, along with other ransomware groups, pledged not to target hospitals and medical facilities.
Officially Closing Operations, Indefinitely
The announcement came as a statement riddled with spelling errors and published on their dark web site, which over the past year had published large quantities of stolen internal documents and files from the companies it targeted, including Cognizant, cybersecurity insurance firm Chubb, pharmaceutical giant ExecuPharm, Tesla and SpaceX parts supplier Visser, and defense contractor Kimchuk.

A statement by the MAZE ransomware group, claiming the project has been closed and their operations are concluded.
But security experts are not celebrating yet. After all, ransomware gangs remain criminal enterprises, many of which are driven by the profit they obtain from these types of attacks.
"Obviously, Maze's claims should be taken with a very, very small grain of salt," said Brett Callow, a ransomware expert and threat analyst at security firm Emsisoft. "It is certainly possible that the group feels they have made enough money to be able to close up shop and sail off into the sunset. However, it is also possible, and probably more likely, that they have decided to rebrand."
Callow said the apparent dissolution of the group leaves open questions about the Maze group's connections and involvement with other groups. "As Maze was an affiliate operation, it is unlikely that its criminal partners will retire and will instead simply align with another group," he said.
MAZE denied in its statement that it was a "cartel" of ransomware groups, but experts disagree. Steve Ragan, a security researcher at Akamai, said MAZE was known for publishing data from other ransomware groups on its website, such as Ragnar Locker and the LockBit ransomware-for-hire.
"For them to now pretend there was no team or cartel is simply backwards. It is clear that these groups were working together on many levels," said Ragan.
"The downside of this, and the other significant element, is that nothing is going to change — ransomware is still going to be out there," said Ragan. "Criminals are still targeting open access, exposed RDP [remote desktop protocol] and VPN portals, and they keep sending malicious emails with malicious attachments hoping to infect unsuspecting victims on the internet," he said.
Jeremy Kennelly at FireEye's Mandiant Threat Intelligence Unit said that while the Maze brand may be dead, its operators have likely not gone away forever.
"We assess with high confidence that many of the individuals and groups that collaborated to enable the MAZE ransomware service will likely continue participating in similar operations, whether working to support existing ransomware services or supporting novel operations in the future," said Kennelly.
A Perspective on the MAZE Attack Against BCR
On another note, we recall incidents such as the one experienced by BCR during the COVID-19 pandemic, when the bank received extortion messages from MAZE threatening to exfiltrate customer information.
Rodrigo Calvo, CISSP and PCIP, an active member of ISC2, published a detailed article in the November issue of the magazine where he describes that "The stolen data belonged primarily to BCR, but also contained a small percentage from other banks and countries. At risk of public exposure were payment card transactions, cardholder names, primary account numbers (PCI PAN), and a virtual infrastructure report. (see Figure 1)"

https://magazines.isc2.org/pages/2020/2020-11/
It is important to note two points about the official communications from the MAZE group: 1) the credit card information they released carried dates prior to 2018 and 2019, and 2) the list of the bank's assets they shared was dated 2019 and included some data that was no longer valid at the time the sensitive data was leaked. The article also shows a timeline detailing the events.

https://magazines.isc2.org/pages/2020/2020-11/
In an interview, BCR's corporate technology manager explained that, although this partly outdated information from the bank's security and card systems was circulating, the bank was implementing fraud protection measures to protect its customers. The security manager added that, rather than compromising the bank with ransomware, the MAZE group contacted it by email to extort it, and then leaked the information when the bank did not respond. You can watch the interview in the following video published by Teletica:
Do Not Pay the Ransom — Do Not Finance and Support Criminals
The FBI itself does not advocate paying a ransom, in part because it does not guarantee that an organization will recover access to its data. In some cases, victims who paid a ransom were never provided with decryption keys. Additionally, due to flaws in the encryption algorithms of certain malware variants, victims may be unable to recover some or all of their data even with a valid decryption key.
Furthermore, doing so — or sharing information that supports criminal groups — gives these groups more power and financing, which reinforces this practice and encourages them to continue it. We therefore recommend not making comments that favor criminal groups. Instilling fear, especially in a financial organization such as a bank, can harm the organization and gives the criminal group leverage to push their extortion tactics and achieve their goals.
Let us remain ethical, with good values and security practices to improve not only as a community but as a country, so that more criminal groups like MAZE continue shutting down operations indefinitely due to a lack of power and control over organizations and individuals. We hope this is one more chapter that closes and does not reopen — for the good of the businesses, the community, and the people who have been affected by them.
Sources: BleepingComputer, ISC2, Rodrigo Calvo, Tripwire, TechCrunch