Maze— a high profile ransomware gang in the cybercriminal world— now claims they’ve ceased to exist. The hacker group famed for their double extortion of Allied Universal (requested ransom of 2.3 million USD) and disruption operations for American tax advisory BST & Co posted a press release on their website Nov 1st, 2020 announcing an end to operations. 

The group made headlines with over 70 incidents since the start of 2020 and in Q2 led our profile of high threat hacker groups— Maze, DoppelPaymer, and Sodinokibi made up 80% of our alerts related to ransomware dump sites. As they occupied so many of our thoughts, we offer some words of remembrance:


Maze ransomware group was first identified in May 2019 as a highly active team of operators in North America and Europe. They were non-discriminatory in their victims and targeted a wide range of sectors in North America and Europe from the US’s largest cable and wire manufacturer (Southwire) to a Parisian hotel catering to Eiffel Tower visitors (Auteeuil Tour Eiifel). 

Maze created a unique double extortion model where they would capture a target’s sensitive data using exploit kits, often in the form of spear-phishing emails to company employees. They were notable for their successful impersonation of government agencies such as the “Italian Revenue Agency” and other false American and German authorities. After extracting data, they would encrypt it and request a large sum of money in exchange for not publicly posting it on their website “Maze News”.

The encryption aspect of this is not too special— virtually all ransomware groups encrypt the files they steal and request a ransom for companies to recover those files. Maze was initially called “Chacha” within the security community as they used the popular Chacha cipher to encrypt the files and data that they stole. 

The “Maze News” site or “name and shame” game they created was unique. Their website boasted on its posting board, 

“Represented here companies do not wish to cooperate with us and trying to hide our successful attack on their resources. Wait for their databases and private papers here. Follow the news!” 

Maze would coerce companies to pay millions in bitcoin to avoid exposure on the dark web, and this tactic has since been copied by other hacker/ransomware groups such as Sodinokibi, DoppelPaymer, and Nemty.


Maze will not only be remembered for their creativity, but also for their willingness to lend a helping hand to other cybercriminals. They were known collaborators with the operators of both “LockBit” ransomware and “Ragnar Locker” ransomware. Digital Shadows (now ReliaQuest) researchers found Ragnar Locker data leaks being hosted on the Maze News website in June 2020 in addition to Maze’s own stolen content.

In addition to being a platform for other ransomware groups, Maze was known to be a mentor within the cybercriminal community, sharing their tactics, techniques, and procedures with other hacker groups since they began operations in May 2019.


Maze lived by the mission that they existed to show the world the weaknesses of digital security and to warn individuals, companies, and countries that cybercriminals could cause significant damage without correction.

In their press release, Maze referred to their victim companies as their “clients”. Their “client fees” for exploiting the company’s cybersecurity weaknesses, however, amounted to millions of dollars in bitcoin and much financial gain for the ransomware group.

Aside from the Maze News board, where companies’ data was released to the public, Maze kindly offered the Maze Support page, where “clients” could pay their “client fees” or chat to a member of the Maze team.

In the case of non-paying companies, Maze didn’t always dump their data online. In sparing the City of Pensacola, Florida, a Maze representative wrote:

“We are going to make a gift to City of Pensacola: we will not publish leaked private data, but we publish the list of leak data and hosts to proof, that we did it, we really hacked City of Pensacola.”

Another display of their claimed benevolence was in mid-March 2020 when Maze operators stated they would halt activity against all medical organizations until the end of the COVID-19 pandemic. They did, however, publish data stolen from the drug testing firm Hammersmith Medicines Research Ltd (HMR) in April. This was somewhat living by their word as HMR data was stolen and encrypted prior to that announcement.


While we don’t know why Maze officially ceased operations, we do know the threat from ransomware still exists. An excerpt from their official press release says:

“If you are taking the responsibility for other people’s money and personal data, then try to keep it secure. Until you do that there will be more projects like Maze to remind you about secure data storage.”

It’s possible the oversaturation of the ransomware market motivated their exit— similar to GandCab’s exit in 2019. And it’s still very likely another variant group will emerge to take Maze’s place; some operators have reportedly moved to the Egregor ransomware variant.

Finally, Maze could potentially rise from the grave, the press release contained the closing comment:

We will be back to you when the world will be transformed. We will return to show you again the errors and mistakes and to get you out of the Maze.”.

NEXT STEPS WITH Digital Shadows (now ReliaQuest)…


Tracking ransomware groups, tactics, and trends can be daunting, and it’s easy to get buried in all the information out there.

Looking to keep updated on threat actor activity as well as gain actionable insights from ransomware trends?  SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) presents threat intelligence and assesses the risk certain actors pose to your industry, company, and assets. Look here for a trial of our product SearchLight.

Alerts tracking Maze
Alerts tracking Maze’s most recent incidents Sep 21-Nov 2nd, 2020 in SearchLight

If you’re a Digital Shadows (now ReliaQuest) client, you’ll be able to use this search term to set up alerts on new instances of data dumps on ransomware sites: ransomware dumps