Maze Ransomware

Malware updated 18 days ago (2024-11-29T14:26:15.069Z)
Maze ransomware is malware that emerged in 2019 and employs a double extortion tactic against its victims. It infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. The first public reports of double extortion ransomware came from several criminal organizations, including the REvil ransomware gang and the Maze ransomware group TA2102. Ransomware leak sites also appeared in 2019, and Maze was among the first operations to use them. One notable breach was against Allied Universal, whose stolen data was subsequently leaked.

In 2020, IBM Security X-Force observed an increase in Maze ransomware attacks, which accounted for 12% of the ransomware attacks recorded that year. Prominent among these was an attack on Xerox Corporation, in which the Maze group claimed to have stolen approximately 100GB of data. Following the attack, Xerox worked with third-party cybersecurity experts to conduct a thorough investigation and took steps to further secure its IT environment. Despite these efforts, the Maze ransomware gang published 25.8 GB of Xerox's data.

To counter Maze infections, tools such as the decryption tool provided by Emsisoft are available. Even so, the average ransom demanded by the now-defunct Maze group from a single victim in 2020 was reportedly $4.8 million, indicating the high cost of these attacks. Under the Ransomware-as-a-Service (RaaS) model, multiple threat groups have delivered Maze to organizations, so the tactics, techniques, and procedures associated with Maze vary widely. Sangria Tempest (aka FIN7), a financially motivated hacking group, has previously been linked to REvil and Maze ransomware following its involvement in the now-defunct BlackMatter and DarkSide ransomware operations.
Description last updated: 2024-05-04T19:30:57.547Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Alias: Maze
Description: Maze is a possible alias for Maze Ransomware. Maze is a form of malicious software, or malware, that pioneered a novel double-extortion tactic in the cyber threat landscape. Its modus operandi involves stealing victims' files before encrypting them, thereby enabling the threat actors to threaten both the disruption of operations and the release
Votes: 4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Extortion
Associated Malware
Alias: Ryuk
Description: The Ryuk Malware is associated with Maze Ransomware. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves
Association Type: Unspecified
Votes: 2
Associated Threat Actors
Alias: DarkSide
Description: The DarkSide Threat Actor is associated with Maze Ransomware. DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply across
Association Type: Unspecified
Votes: 2