The Maze cybercrime gang, which revolutionized the ransomware business by pairing encryption with the theft and threatened publication of victims' data, has issued a statement saying it has hung up its spikes and will retire, at least temporarily. Can you believe anything a ransomware group says? Maze posted a "retirement" notice to its darknet site on Nov. 1, 2020, saying: "This project is now closed." The word "project" appears to be a reference to the gang's claim, later in the note, that its attacks were intended to teach victims the danger of poor security practices. The gang also denied it was ever the center of a larger group. The note ended with the group saying it would be back. So why the retirement announcement? It sounds more like a "vacation" than a retirement.
The consensus among cybersecurity executives is that Maze has indeed closed up shop: activity on its site has dropped off and no new attacks have been spotted recently. But they also note that cybercriminals are not honest individuals, so any halt may be brief. "Ransom actors are professional liars and scammers; to believe anything they say is a mistake. Maze as we know it might be shutting down, but the actors behind it feel like they've got some kind of 'holy mission' to expose the weaknesses of corporate networks, for-profit, so I doubt we'll see them gone forever," says Adam Kujawa, director of Malwarebytes Labs.
Jamie Hart, a cyber threat intelligence analyst at Digital Shadows, notes that while the group did clean up its data leak site Maze News during October 2020 by posting the full dumps for victims, the gang has not encrypted any new victims during the past 30 days or so. The announcement, however, did leave the door open for its return. "The press release stated that the group would be back, so the Maze threat is likely not finished," Hart says.
Even if Maze has decided to cease operating, the move will have no real impact on the threat landscape, says Brett Callow, a threat analyst with Emsisoft. "Their affiliates will join other groups or simply start their own operations. Unfortunately, ransomware is far too profitable for the retirement of any one group to have any significant effect," Callow says.
The group likely decided to halt its operations because of the amount of attention it has been receiving, especially since its antics, such as creating data leak sites to pressure its victims, have influenced the operations of ransomware groups across the world, Kujawa says.
On May 31, 2019, after claiming to have taken more than $2 billion from victims over the course of a year, the operators behind the GandCrab ransomware posted that they would be ending their campaign. GandCrab operated as a ransomware-as-a-service, taking a 40% cut of any money its affiliates collected, and, unlike Maze so far, the group publicly released the decryption keys, enabling some victims to regain access to their files.
Hart notes that Maze has not followed suit, and it is unknown if it will release its keys to remaining victims. "Security researchers reached out to the Maze Group to ask if the decryption keys would be made available but have not received a response. The Maze group stated they would be available for support for the next month for organizations that want to be deleted from the website, so it is unlikely that the decryption keys will be released for the next month, at least," Hart says.
Peter Mackenzie, incident response manager with Sophos Rapid Response, tells Information Security Media Group that Maze may be going down the same road as GandCrab, which announced its departure only for its operation to reappear as REvil, aka Sodinokibi, ransomware.
"The announcement by the Maze operators that they are ceasing operations after just over a year of activity is probably not as significant as it might appear," Mackenzie says. "In June 2019, the operators behind GandCrab announced their retirement, and all its affiliates moved to REvil; now the Maze affiliates are moving across to a new group, Egregor, which according to public reports has access to Maze tools and infrastructure. They may even share some of the same operators."
Maze may have tried to get ahead of this possibility by publicly stating that it worked alone and that any notion of the group sitting at the center of a larger organization was a figment of people's imaginations. "The Maze cartel was never existed [sic] and is not existing now. It can be found only inside the heads of the journalists who wrote about it," the group writes.
The gang covered a wide range of issues in its note, spending some time trying to rationalize why it launched ransomware attacks and then threatened to publish stolen data online to extort victims that refused to pay. Maze's main excuse is that the attacks were instructional, teaching companies that they need to secure the data with which they are entrusted.
"If you are taking the responsibility for other people [sic] money and personal data then try to keep it secure. Until you do that [sic] there will be more projects like Maze to remind you about secure data storage," Maze states in its note. "The group behind Maze are either trolling folks or delusional. This group claims that it's helping the world by bringing attention to vulnerable corporate networks. If that was their actual goal, the next step would be to inform them, not demand thousands of dollars in return for files," Kujawa says.
The Maze note says the organization's "customer service" department will continue to operate for another month. The message also contained a somewhat rambling section where Maze essentially denounced technology and how it is negatively impacting the human race. "All your technologies are a symbol of your helplessness. Once going to a wheelchair a man will not be able to walk again. And once trusting your mind to a technology you won't be able to recover your consciousness. By delegation the part of your conscious activity to machines you won't be able to watch at the reality with the clear eye," it says.
Maze warned of a digital dystopian world that will be created through the use of digital currency that will eventually allow just a few people to run, and then ruin, this new world. "We will be back to you when the world will be transformed. We will return to show you again the errors and mistakes and to get you out of the Maze," the group wrote.
Maze started life as a variant of ChaCha ransomware and was first identified by Jerome Segura, Malwarebytes' senior threat analyst, in May 2019. Its primary differentiator was how it fought back against victims able to shrug off encryption by restoring from backups: Maze exfiltrated data before encrypting it and threatened to publish the stolen files if the ransom went unpaid. Some of Maze's better-known victims were Canon, the City of Pensacola and the computer chipmaker MaxLinear.
Is that it? Actually, no. Having tools and services that monitor the deep and dark web is essential to a well-rounded cyber protection plan. Installing, updating and monitoring firewalls, cybersecurity controls and proper employee training are key to blocking attacks, but using the RedXray and CTAC collection and analysis tools from Red Sky Alliance will ensure a proactive approach to cybersecurity. Please feel free to contact our analyst team for research assistance and cyber threat analysis on your organization.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941