Maze Hacker Group is Retiring
Table of Contents
- By Dawna M. Roberts
- Published: Nov 04, 2020
- Last Updated: Mar 18, 2022
It's very rare that you hear of a hacker group actually announcing their retirement, but as DataBreach Today reported on November 2, the Maze hacker gang is doing just that.
Who is Maze?
Maze is a notorious cybercriminal gang that first decided to implement the two-pronged approach to ransomware. They encrypt and lock the victim's data and then use extortion and threaten to release the information if the victim does not pay the ransom within the time frame.
In May 2019, cybersecurity expert Jerome Segura discovered Maze ransomware, which was first nicknamed "ChaCha ransomware." The ransomware was nothing special at the time, merely crippling computer systems and encrypting data while the hackers waited for the victim to pay the ransom. Unfortunately for them, the payment did not always come.
Therefore, Maze crafted a new plan. The Maze ransomware gang is credited with revolutionizing ransomware tactics by taking things one step further. So, instead of sitting around waiting for the ransom to be paid, they downloaded critical data and threatened victims that the data would be released to the public, exposing their vulnerable systems and opening up their clients to identity theft. In practice, they did release stolen data on the dark web on internet forums and even auctioned some off for money. So even if the ransom was not paid, the information they swiped still carried a value.
Other cybercriminal gangs like Nemty, Evil, DoppelPaymer, and Sodinokibi soon followed suit, and now the new ransomware model includes a second extortion phase.
Maze got so confident after the notoriety, they started a ransomware website called "Maze News" upon which they posed the stolen data for any victim who did not pay. Some of Maze's victims include LG Electronics, Xerox, Cognizant, and the City of Pensacola.
The Retirement Press Release
On November 1, Maze issued an official press release on their dark web site stating they were retiring "for now." They titled it, "The Project is closed." They imply that anyone using their name or brand in the future will be nothing more than a scam. They also clearly deny any cartel involvement. The notice then devolves into an anti-technology diatribe as their reason for deciding to call it quits. The broken English makes it difficult to understand, but one section reads, "All your technologies are a symbol of your helplessness. Once going to wheelchair a man will not be able to walk again. And once trusting your mind to a technology you won't be able to recover your consciousness. By delegation the part of your conscious activity to machines you won't be able to watch at the reality with the clear eye."
However, the note's main focus implies that the gang perpetrated their crimes only to teach victims how insecure and vulnerable their security systems were.
They also offer up a support option for victims whose data still resides on their website, and they claim they will honor the support for a month following the press release. They promise to delete data for those who request it.
They end their ominous note with, "We will be back to you when the world will be transformed. We will return to show you again the errors and mistakes and to get you out of the Maze."
You can read the press release here in its entirety.
So although they are saying goodbye, for now, experts say we have not seen the last of Maze.
What the Experts Think
Adam Kujawa, Director of Malwarebytes Labs, said, "Ransom actors are professional liars and scammers; to believe anything they say is a mistake. Maze as we know it might be shutting down, but the actors behind it feel like they've got some kind of 'holy mission' to expose the weaknesses of corporate networks, for-profit, so I doubt we'll see them gone forever."
Other security analysts noted that Maze did disclose full data dumps on their "News" site in October and offered to delete the data upon request. Plus, they have not encrypted or attacked any new victims for at least a month, so maybe their message is true.
Threat Analyst Brett Callow of Emsisoft said, "Their affiliates will join other groups or simply start their own operations. Unfortunately, ransomware is far too profitable for the retirement of any one group to have any significant effect."
Other cybersecurity experts wonder if this will play out like the GandCrab situation. Back in May 2019, cyber gang GandCrab announced their retirement after bilking more than $2 million from victims in one year. GandCrab released encryption keys needed to unlock some victim's data. So far, however, Maze has not done the same. Security researchers have requested them but have not yet heard back from Maze.
Shortly after its disbandment, GandCrab resurfaced as the new ransomware REvil (Sodinokibi) and continues to wreak havoc with global victims. Rumors have it that Maze affiliates are working with the new ransomware group Egregor. So, Maze may be gone, but their effect will be long-lasting and continue in new forms.