The notorious Maze ransomware team has announced that it is shutting down operations, but how serious the announcement is, and how long the shutdown will last, remains open to speculation.
The announcement came through a statement on the dark web that asserted that the “Maze Team Project is announcing it’s officially closed. All the links to outside [sic] job, with our brand, our work methods should be thought of as a scam.”
A lot of the announcement is barely literate and sometimes does not make sense, but among other claims made by the group is that it never really existed and that it might “be found only within the minds of journalists who wrote about it.”
The claim that Maze never existed is spurious; at best, it could be argued that it never existed as a formal group or cartel. Whatever form it took, Maze was credited with dozens of ransomware attacks. It is especially well known for popularizing the publication of stolen data when ransoms aren’t paid. Previously, ransomware attacks focused primarily on encrypting data rather than on data theft and subsequent release.
Notable Maze victims include information technology solutions firm Cognizant Technology Solutions Corp… In April, safety firm Chubb Group Holdings Inc… March 26 and Hammersmith Medicines Research Ltd., a firm developing a COVID-19 vaccine, in an attack that led to private data being exposed March 22.
Security researchers are naturally skeptical of this statement.
“The group said they would return, so the Maze threat is probably not ended,” Jamie Hart, cyber threat intelligence analyst at digital risk firm Digital Shadows Ltd., told SiliconANGLE. “Though the official reason for the statement is unknown, the ransomware marketplace’s oversaturation may have prompted the group to stop operations. Additionally, this may be an exit strategy identical to the one we saw with GandCrab in 2019.”
Another variant may emerge to take Maze’s place, she added, since some operators have moved to the Egregor ransomware variant. Ultimately, she said, the group might be moving away from Maze to improve operational security, decreasing the possibility of being caught.
“The claim seems legitimate; the website is no longer hosting any new victim organizations, and all previously posted organizations are archived,” Hart said. “The Maze Group has always known their victims as ‘customers’ as if they thought that the victim organizations hired the team as security professionals. It seems the group thinks they’re somehow valuable and the ransom is only payment for their help.”
Lamar Bailey, senior director of security research at cybersecurity solutions firm Tripwire Inc., noted that “offenders do not only have an epiphany and stop being criminals overnight. They shut down an operation once the return on their investment falls below the costs of conducting the ‘program’ or when they’re going to get caught. This is not any different.”
Bailey suggested the group is only switching to something new, such as Egregor. “This is similar to this one furniture store in town that’s going out of business every couple of months just to reopen with a new name but with the exact people and merchandise,” he said.