Severity scale:  

Remove Maze ransomware (Virus Removal Instructions) - Sep 2020 update

removal by Linas Kiguolis - - | Type: Ransomware

Maze ransomware is a file-encrypting virus attacking giant companies like Cognizant in 2020 or Andrew Agencies in 2019

Maze ransomwareMaze ransomware is type of malware that enters the machine with the help of Fallout exploit kit and encrypts all data on the device by using RSA + ChaCha20 ciphers Maze ransomware is a malicious cryptovirus that uses a sophisticated RSA-2048[1] and ChaCha20 cipher to take files or systems hostage until the victim pays the ransom. Likewise, its predecessor known as ChaCha ransomware, it stands from the crowd with an unusual file extension applied used; it appends a string of random 4-7 characters at the end of each file, also using a marker within its structure – 0x66116166. Aside from encrypted files, Maze ransomware drops a ransom note DECRYPT-FILES.html, which includes contact information (usually, size of the ransom (differs in each case), and method of payment requested. 

The ransomware is known to have sophisticated methods of distribution because it creates emails with false claims and imitates agencies or government institutions. One of the Maze ransomware campaigns against Italy[2] revealed that users got spam emails pretending to be sent from the Italian Revenue Agency and the Agenzia Delle Entrate that is responsible for taxes and revenue for the government.

Maze ransomware is also known to be distributed via the help of a fake Abra site that hosts the Mobile Bitcoin Wallet app under the same name. Visitors who want to download the application will end up being redirected to a Fallout exploit kit,[3] which, under certain conditions, will implant the malicious payload without the users' interaction whatsoever. After encrypting files, the virus will drop a ransom note DECRYPT-FILES.html that asks victims to pay a ransom in BTC and contact bad actors via Additionally, the malware will also alter the background on the desktop, displaying another message from hackers. 

However, the latest Maze ransomware variant seems to switch its target from individual PCs and small business to giant companies that, obviously, can bring much greater earnings. Starting with an attack in 2019 over the Canadian insurance company Andrew Agencies, the criminals behind Maze ransomware has been reported for an attack over Cognizant[4] – one of the biggest IT managed service company in the world in April 2020. According to the cybersecurity experts, the ransomware made changes on IP addresses of servers and kepstl32.dll, memes.tmp, and maze.dll file hashes. Since this attack is currently under investigation, the exact damage caused to the company is yet to come. Nevertheless, experts share their presumptions that if Maze eventually manifested on the Cognizant server, it must have been there for an extended period of time to leak as much files and databases as possible. If the speculations will come true, the ransomware will be listed as a cause of a massive Cognizant data breach. 

Name Maze
Type Ransomware
A variant of ChaCha ransomware
Distribution This malware strain is most commonly spread via the Fallout exploit kit. However, it also has a chance of showing through spam emails and their malicious attachments, fake updates, brute-forcing, and by employing other tactics. Recent campaigns were distributed via emails and infected word documents
Encryption algorithm Bad actors use the RSA-2048 and ChaCha20 encryption algorithms to lock up all files and documents that are found on the targeted system
File extension There is no accurate extension that is appended by Maze ransomware. Once the virus locks files, it adds a random 4-7 letter appendix to each filename
Related files After successful infiltration, the file-locking virus brings the zprxqb.exe and Maze_Ransomware.exe files to the Windows computer system. The latest attack on Cognizant refers to file hashes of kepstl32.dll, memes.tmp, and maze.dll
Ransom note Information about file encryption and ransom demands is placed in the DECRYPT-FILES.html which appears on the computer screen after data encryption
Contact Criminals provide the email address as a way to contact them and discuss all needed matters
New version Maze ransomware developers have released a similar malware version that holds the exact same name. Even though the new variant also relies on successful encryption, the virus does not encrypt files if it finds the C:\hutchins.txt file in the computer system
Important The ransomware exhibit a great success in attacking servers of big companies. If the criminals manage to insert malicious payload on the server, it starts leaking files, databases, and other encrypted information that is not encrypted to a remote server. The examples of attacks on Andrew Agencies and Cognizant prove the fact
Termination Use a powerful anti-malware program to perform a thorough system checkup, detect all malicious strains, and remove Maze ransomware permanently
Decryption File decryption is only possible via backups. However, third-party software might sometimes be helpful as well. We have provided and described three different tools at the end of this article
Fix virus damage Maze ransomware virus causes damage to the infected system. It not only targets to lock targeted data, but also compromise Windows registry entries, startup processes, and some of the core system files. Reimage Reimage Cleaner Intego repair utility will help to fix suchlike damage

Interestingly, the latest variant of Maze ransomware shows a different wallpaper based on computer type (for example, home computer, backup server, server in a corporate network, primary domain controller, etc.), which essentially changes the decryptor price.

While there is no free decryption tool that would be able to retrieve your data, you should not pay the ransom and instead focus on Maze ransomware removal and alternative file recovery methods, instructions for which we provide below. Keep in mind that you might get easily scammed if you transfer the money to the crooks.

Maze ransomware instructions

While Maze ransomware was spotted being distributed with the help of Fallout Exploit kit, it does not mean that hackers do not employ other tactics, such as:

  • Spam emails;
  • Unprotected RDP;
  • Fake updates;
  • Pirated software and its cracks;[5]
  • Torrent sites;
  • Web injects, etc.

Therefore, even if your software and the Windows OS are patched with the latest updates to prevent Fallout EK, you might still be at risk if you do not use adequate security measures. To make sure you are protected from future Maze ransomware infections, check the second part of this article.

Maze ransomware in Italy

Independent researcher reported at the end of October 2019 that Maze virus released a campaign that targets Italy. The malicious malware attempted to infect systems with the help of a spam email campaign that delivers malicious word files and drops payload on the machine.

Emails came with legitimate-looking statements about new taxes, rules. The email is headlined “AGGIORNAMENTO: Attivita di contrasto all'evasione. Aggiornamento” and contains a word document called “VERDI.doc” which should involve the guidelines. However, the word document states about encryption of the content and then requires the reader to enable the content to read the text properly.

Once that is done, and the document is downloaded, opened on the machine, embedded macros get executed and downloads ransomware to the Temp folder on the system. Maze ransomware then gets launched and encrypts files, changes the wallpaper to an image with the guidelines on how to find a ransom note, and delivers a separate file DECRYPT-FILES.txt which includes instructions on contacting the virus developers.

The payment site that you should reach via the link provided in this ransom note shows the amount of ransom needed for the decryption key. It apparently differs from the type of device, a number of affected files, and other details about the victim. It can go up to $1200 or even more in Bitcoin. Unfortunately, decryption is not possible, paying is not an option, so you should remove Maze ransomware with anti-malware tool and recover files using backups.

Maze ransomware Italian targetsMaze ransomware is the threat that released a campaign targeting Italians and suggested people follow the instructions.

Once the payload of Maze ransomware is populated, it will contact 2 domains and 15 hosts, alter the Windows registry, delete Shadow volume snapshots to complicate the recovery process, and perform other malicious tasks required for its operation, for example, corrupting the Windows hosts file.

Ransomware viruses might seek to damage the hosts' file in order to prevent the victims from accessing security-related websites and forums where they could get valuable information on the malware's removal process. So, while you opt to remove Maze ransomware from your computer, make sure to delete the damaged file too.

After establishing itself and locking the files, Maze ransomware will display the following note: 

Attention! Your documents, photos, databases, and other important files have been encrypted!

The only way to decrypt your files, is to buy the private key from us.
You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.
In order to receive the private key contact us via email:
Remember to hurry up, as your email address may not be avaliable for very long.
Buying the key immediatly will guarantee that 100% of your files will be restored.
Below you will see a big base64 blob, you will need to email us and copy this blob to us.
you can click on it, and it will be copied into the clipboard.
If you have troubles copying it, just send us the file you are currently reading, as an attachment.

At the bottom of the note, victims can locate a Base64 string that includes such information and user's login name, Windows version, other technical data, and a private key. All this information is allegedly required for cybercriminals in order to decrypt files locked by Maze ransomware.

Speaking of Maze ransomware removal, various AV vendors recognize the threat under such names as TR/Kryptik.ijmxi, or Ransom.Maze, but such things differ based on the particular virus database.[6] This is why we suggest using professional anti-malware tools to terminate the malware entirely.

However, make sure to choose a reliable software. Note that manual elimination is not possible here as you risk damaging your system. You should remember that some system files get damaged too, Reimage Reimage Cleaner Intego may help you with those corrupted files after Maze virus removal.

Once you delete Maze virus entirely, you can connect your backup device to retrieve your data. In case you have no backups prepared, there are very little chances of recovering files for free, although you should try third-party software. We provide all the instructions and download links to such tools below.

Maze ransomware virusMaze ransomware is type of malware that enters the machine with the help of Fallout exploit kit and encrypts all data on the device by using RSA + ChaCha20 ciphers

The new version includes the same Maze ransomware name

A very similar, almost identical version to Maze ransomware was found by nao_sec researcher.[7] This variant comes from the same family and even holds the same name “Maze”. The new variant also locks up data with a random appendix, however, there is one exception here.

The new variant of Maze ransomware looks for the C:\hutchins.txt file and if it is found on the infected system, data locking does not happen in this scenario. However, if the file is not found, the malware successfully proceeds with the encryption and drops the DECRYPT-FILES.txt ransom message.

Even though there is not much information given on the demanded price, cybercriminals often urge for a ransom between $200 and $2000. However, paying the money might only lure you into a scam and you will receive no decryption tool at all.

Additionally, it is known that the new Maze ransomware version appears through an exploit kit known as SpelevoEK. However, that does not deny the possibility that the malicious payload might be brought through malicious hyperlinks/ads, infectious macros, and p2p networks.

One of the biggest Maze victims in 2019  – Andrew Agencies insurance company

Apart from massive malspam campaign initiating against Italian citizens, Maze ransomware extorted $1.1 million from a well-known Canadian insurance firm Andrew Agencies[8]. The malware has stolen 1.5 GB information from the company's servers, including information of approximately 900 clients, more than 200 employees, and coded passwords of people's online accounts. 

Prior to the encryption, Maze leaked the data to remote servers and then locked files on 245 computer systems using RSA-2048 and ChaCha20 encryption algorithms. Crooks demanded the Andrew Agencies heads to pay 150 BTC in exchange for not leaking data publicly.

The history remains silent if Andrew Agencies paid the ransom; though Dave Schioler, the vice president of the company, earlier claimed that they are not going to pay the redemption as there is no clear evidence that criminals behind the virus have leaked the files. 

Maze cryptomalware Maze virus is classified as ransomware due to its malicious trait to lock non-system files and demand its victim to pay the ransom

Ransomware prevention tips for individual users and companies

Hackers are sophisticated individuals who decided to put their knowledge for evil deeds. Therefore, they often employ a variety of advanced methods to distribute the payload of the malware, ensuring the high infection rates among victims.

Nevertheless, those who are careless are by far the most vulnerable and prone to infections. While such threats like adware or other PUPs might not be devastating, ransomware can result in permanent data loss. What is more, those who decide to pay for the decryptor might also end up losing money as well.

Therefore, follow these tips from industry experts to avoid malware infections in the future:

  • Install security patches for your operating system, as well as all the installed applications;
  • Use reputable anti-malware software with real-time protection feature;
  • Be aware that spam emails that carry attachments (such as .doc, .html, .pdf, etc.) or include hyperlinks might be infected with malware, including ransomware;
  • Do not fall for believing in suspicious emails that claim to be from FedEx, DHL, or other reliable shipping companies even though you have not been waiting for an order to arrive lately;
  • Ensure the safety of all your accounts by using password managing app and two-factor authentication;
  • Use ad-blocker on high-risk sites, although do not forget to add exclusions for sites you want to support;
  • Do now download pirated software or its cracks or keygens;
  • Scan every unknown executable with tools like Virus Total or Hybrid Analysis;
  • Use a VPN when using the Remote Desktop Protocol and ensure a strong password.

Finally, to negate the damage done by a ransomware infection, prepare backups regularly. For more accurate information, we want to inform users that ransomware developers are likely to hack RDP such as the TCP Port 3389 for secret malware infiltration. Additionally, exploit kits such as Fallout and SpelevoEK are widely used for distributing ransomware-related payload. 

Terminate Maze ransomware virus by using powerful malware removal tools

You should not attempt to remove Maze ransomware manually, as such a method should only be used by IT professionals. Besides, cryptovirus can modify Windows system files and embed itself deep into the OS, so reverting these changes is almost impossible. According to experts from,[9] it is very important not to skip any malicious objects, otherwise, the ransomware virus might boot itself automatically within the next PC startup process.

Instead of taking the risk on your own hands, employ reputable anti-malware software for Maze ransomware removal. We suggest you use anti-malware tools. You also should benefit from tools that may fix the damage and system files after the virus termination. Applications like SpyHunter 5Combo Cleaner, Malwarebytes, or other options are also available – choose the one that suits you the most.

Be aware that the Maze ransomware virus might prevent your security software from performing correctly. In such a case, you need to access Safe Mode, as it will temporarily stop malware's activities. Upon successful termination of the ransomware, fix the damage that it gas initiated against Windows OS. For that, we recommend using a repair tool Reimage Reimage Cleaner Intego.

Once you delete Maze virus, you can attempt to recover your data. Please follow detailed instructions for this process below. We cannot assure you that all of the below-provided techniques will work perfectly but trying them is definitely a better thing to do than the risk to lose a huge amount of money while paying the cybercriminals.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove Maze virus, follow these steps:

Remove Maze using Safe Mode with Networking

To remove Maze ransomware without any interruptions, you should enter Safe Mode with Networking as explained below:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Maze

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Maze removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Maze using System Restore

You can also use System Restore to terminate the infection:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Maze. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that Maze removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Maze from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Maze, you can use several methods to restore them:

Data Recovery Pro might be able to recover at least some of your files

This tool is sometimes useful for ransomware victims.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Maze ransomware;
  • Restore them.

Taking advantage of Windows Previous Versions feature

If you had System Restore enabled, this option might help you retrieve at least some individual files.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer application might recover all your data

If the virus failed to remove Shadow Volume Copies, this solution might be the best for you.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryptor is currently available

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Maze and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer various losses due to cyber infections or their own faulty doings. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.

It is crucial to create updates to your backups after any changes on the device, so you can get back to the point you were working on when malware changes anything or issues with the device causes data or performance corruption. Rely on such behavior and make file backup your daily or weekly habit.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware occurs out of nowhere. Use Data Recovery Pro for the system restoring purpose.

About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Linas Kiguolis
About the company Esolutions


Your opinion regarding Maze ransomware