Maze, a notorious ransomware group, says it’s shutting down

One of the most prominent and damaging data-stealing ransomware operations, known as Maze, has announced its “official closure.”
The declaration, a rambling message riddled with spelling errors, was published on the group’s dark web site, which it had previously used to release extensive collections of confidential documents and files stolen from targeted organizations. Those victims included Cognizant; Chubb, a cybersecurity insurance provider; the pharmaceutical company ExecuPharm; Visser, a component supplier to Tesla and SpaceX; and the defense contractor Kimchuk.
Unlike conventional ransomware groups that primarily encrypt a victim’s files and demand payment for their decryption, Maze became well-known for initially extracting data from victims and then threatening to publicly disclose the stolen information if a ransom wasn’t paid.
This approach rapidly became a favored method among ransomware groups, leading them to establish websites – frequently hosted on the dark web – to publish stolen files in cases where victims refused to comply with ransom demands.
Maze initially compromised systems through exploit kits and spam campaigns, but later shifted to exploiting recognized security weaknesses to specifically target larger, high-profile companies. The group frequently leveraged vulnerable virtual private network (VPN) and remote desktop (RDP) servers to initiate focused attacks on victim networks.
The ransom amounts demanded by Maze sometimes reached millions of dollars. Reports indicate a demand of $6 million was made to a wire and cable manufacturer located in Georgia, and $15 million was requested from an unidentified organization following network encryption. However, following the declaration of COVID-19 as a pandemic in March, Maze – along with other ransomware groups – pledged to refrain from targeting hospitals and medical institutions.
Despite this announcement, cybersecurity professionals remain cautious. Ransomware operations are fundamentally criminal enterprises, and many are motivated by financial gain.
“It’s important to view Maze’s claims with considerable skepticism,” stated Brett Callow, a ransomware specialist and threat analyst at the security firm Emsisoft. “It’s conceivable that the group believes it has accumulated sufficient funds to cease operations. However, it’s also plausible – and perhaps more probable – that they have opted to rebrand their activities.”
Callow pointed out that the group’s apparent dissolution raises questions regarding Maze’s relationships and involvement with other criminal entities. “Given that Maze operated as an affiliate program, their criminal associates are unlikely to retire and will likely align themselves with alternative groups,” he explained.
In its statement, Maze disputed claims that it functioned as a “cartel” of ransomware groups, but security experts disagree. Steve Ragan, a security researcher at Akamai, noted that Maze routinely published data stolen by other ransomware variants, such as Ragnar Locker and LockBit, a ransomware-as-a-service operation.
“Their denial of collaboration or a cartel structure is simply inconsistent with the evidence. It’s clear that these groups were cooperating on multiple levels,” Ragan said.
“The concerning aspect of this situation, and a significant point to consider, is that the overall threat landscape will not change. Ransomware will continue to be a problem,” Ragan added. “Criminals will persist in targeting openly accessible, compromised RDP [remote desktop protocol] and VPN portals, and will continue sending malicious emails containing harmful attachments in an attempt to infect vulnerable users online.”
Jeremy Kennelly of FireEye’s Mandiant threat intelligence unit suggested that while the Maze brand may be discontinued, its operators are unlikely to disappear entirely.
“We are highly confident that many of the individuals and groups that collaborated to support the Maze ransomware service will likely continue to engage in similar illicit activities – either by assisting existing ransomware operations or launching new ones in the future,” Kennelly stated.