- The actors behind Maze ransomware are shutting down operations, according to reports from Bleeping Computer, which has an established relationship with the operators. Operators told the publication they ceased illegally encrypting new targets in September. The group is, however, "trying to squeeze the last ransom payments from victims," according to the report.
- "Maze affiliates" said Maze has transitioned to a new operation, called Egregor, according to Bleeping Computer. Egregor emerged in September, though researchers said the ransomware was a "spin off" of the Sekhmet ransomware.
- As Maze winds down operations, it's unknown if the operators will release decryption keys, which has been done with other retiring ransomware, according to Bleeping Computer. Maze's operators started scrubbing previous targets from the site it publicly publishes stolen data on, with only two organizations' names left.
Maze elevated ransomware's threat from data encryption, to data exfiltration. As Maze operators transition to Egregor, little is known as to why Maze ran its course given its profitability. When other strains shut down, it's usually with a successor waiting for its debut. Concrete reasons are rarely provided.
Maze operators have been sued for publishing stolen data on their website and influenced other ransomware operators to adopt the data breach function.
Just before its shutdown, Tesla allegedly almost became a Maze victim. In August, Tesla was targeted by a proxied insider threat. The Department of Justice indicted "Russian national" Egor Igorevich Kriuchkov for his part in conspiring "to intentionally cause damage to a protected computer." Kriuchkov attempted to sway employees to inject ransomware into company computers.
"After the malware was introduced, Kriuchkov and his co-conspirators would extract data from the network and then threaten to make the information public, unless the company paid their ransom demand," said the DOJ. It's the same tactic that made Maze as prolific as it is.
"The person nabbed by the FBI in the Tesla incident may be a member of one of the groups in Maze's cartel," Brett Callow, threat analyst at Emsisoft, told Cybersecurity Dive in an email.
Mandiant researchers determined Russian-speaking actors were soliciting for more people to join the Maze operation earlier this year. Madiant suggested Maze "operates under an affiliate model and is not distributed by a single group," with different parties receiving a slice of a ransom.
Maze didn't discriminate against the industries it targeted, though early on in the pandemic, the operators said they would refrain from victimizing healthcare-related organizations. It was an empty promise.
Just as they said in December last year, operators claimed its cyberattacks fall short of "socially significant services," including "hospitals, cancer centers, maternity hospitals and other socially vital objects." In Cybersecurity Dive's ransomware 2020 tracker, Maze has targeted at least 11 healthcare organizations since February.