The Maze ransomware group issued a press release on November, 1 2020 announcing, “it is officially closed.” Maze was one of the pioneers of ‘double extortion’ — stealing data before encrypting the victim’s files. Ransoms could be demanded for both the decryption key, and for returning or deleting the stolen data.
The annoucement was published on Twitter by MalwareHunterTeam on November 2nd. Assuming its validity, the Maze group discusses four items.
Firstly, it denies that there was ever a ‘Maze cartel’. The existence of a cartel was discussed in various media outlets during the summer of 2020. It seems to have originated from the discovery of data from competing ransomware groups on the Maze victim shaming website; but now Maze says there was never a cartel. “The Maze cartel was never exists and is not existing now. It can be found only inside the heads of the journalists who wrote about it.” Anything that now claims to be Maze-related should be considered a scam, says the group — adding that for those victims already included on their website, support will continue for another month.
The denial of a cartel may be somewhat simplistic. Jeremy Kennelly, Manager of Analysis at Mandiant Threat Intelligence, told SecurityWeek, “Mandiant has collected significant evidence suggesting that MAZE was operated via a profit-sharing arrangement where multiple discrete criminal groups collaborated to perpetrate their crimes — one group operating the central MAZE infrastructure and various other individuals and teams working together to obtain access to victim networks and deploy MAZE ransomware. Furthermore,” he added, “Mandiant has also seen clear cases where named threat actors such as FIN6 have worked with MAZE to monetize intrusions via ransomware distribution.”
Secondly, the Maze group attempts to justify its actions. It was not about the money — of course not — it was about demonstrating poor security practices so that companies could improve matters. “This perspective from a highly successful ransomware group, who have profited millions from attacks,” comments Jamie Hart, a cyber threat intelligence analyst at Digital Shadows, “shows their view of the crimes as somehow helpful. The group referred to their victims as clients,” she added, “as if they believed the victim organizations indirectly hired the group as security professionals.”
Maze goes on to warn that poor security threatens the national infrastructure, and that although Maze didn’t attack the infrastructure, it will not be Maze, but some “radical psychos whose goals will not just to show you the weakness of security but to make a major damage.”
Thirdly, under a section titled, ‘What for?’, the group seems to suggest that part of its purpose is to warn that society is surrendering its humanity to machines. This is not a unique viewpoint. It can almost be seen as a modern version of the Luddite viewpoint.
The Maze attitude focuses on the growth of digital currencies. As their value increases, Maze believes they will become concentrated in the hands of a few people. This is not so different from the current claims that just a few super-wealthy families already control the global economy — but Maze believes that these people will then be able to crash fiat currency-based economies and drive everything online.
At that point, Maze suggests all will be lost. “You would not even notice when you will be tagged with chips or your DNA will be the only was {sic] to access the new digital world. As it will be the only place you can leave [sic] in, to get paid and consume.” It’s a fairly standard dystopian view of the future.
Finally, Maze says it will be back. “We will be back to you when the world will be transformed. We will return to show you again the errors and mistakes and to get you out of the Maze.”
Overall, the announcement is fairly standard. The criminals deny they were motivated by money, but were more concerned to demonstrate the lack of security in their victims — in other words, they were a public service. The view of the future is also standard sci-fi — from Orwell’s 1984 to the Wachowskis’ Matrix.
Although this could possibly be the end of the Maze brand, the security industry does not believe the Maze operators will disappear quietly into retirement. “A service of this type may be wound down for a variety of reasons,” said Kennelly, “including conflict between operators or the fallout from an exit scam, or alternatively it could be done in response to law enforcement scrutiny — active or suspected. Services of this sort may also be deprecated in order to enable their operators to found a parallel operation using different malware or a different profit-sharing or operational model.”
“The Maze threat is likely not finished,” Hart told SecurityWeek. “Although the official reason for the announcement is unknown, the ransomware market’s oversaturation may have motivated the group to cease operations. It’s also possible that this is a similar exit strategy we witnessed with GandCrab in 2019. Another variant may emerge to take Maze’s place; some operators have reportedly moved to the Egregor ransomware variant. Finally, they may be moving away from Maze to improve their operational security, decreasing the chance of being caught.”
“We assess with high confidence,” concluded Kennelly, “that many of the individuals and groups that collaborated to enable the MAZE ransomware service will likely to continue to engage in similar operations — either working to support existing ransomware services or supporting novel operations in the future.”
Related: Double Extortion: Ransomware Combines Encryption with Data Theft
Related: Maze Ransomware Operators Publish Victim Data Online
Related: Maze Ransomware Caused Disruptions at Cognizant
Related: Ransomware Operators Claim They Hacked Printing Giant Xerox
