Well-known Maze ransomware gang is shutting down its operations

Although the Maze ransomware group is prevalent, it started to shut down six weeks ago

Maze ransomware gang is shutting down its operations but affiliates have switched over to Egregor ransomware.

The cybercrime gang behind Maze ransomware[1] is one of the most famous groups performing ransomware attacks today. It began operating in May 2019 but became better known in November. However, this well-known and long-running group has decided to shut down its operations.

Rumors about the shutdown started early this month. They were later confirmed: Maze stopped attacking new victims and is trying to finish shutting down by squeezing the last ransom payments from its victims. The group even began deleting victims from its leak site.

Unfortunately, this does not mean that the cybercriminals have decided to retire. Users and cybersecurity experts have already spotted new ransomware, which was probably created by the same hackers.

Cybercriminals behind Maze ransomware have their own website to reveal non-paying victims' data

Ransomware[2] is a malware type that locks personal files with a powerful encryption method.[3] After the encryption, ransomware drops a ransom note for the victim, demanding a ransom for the decryption key. But the Maze ransomware group has become one of the most highly recognized names in the cybercrime space mostly because it invented a double-extortion strategy.[4]

Maze ransomware first steals personal data and only then encrypts it. This gives the cybercriminals more leverage when pressuring victims to pay the ransom. If the victim chooses to ignore the hackers, they publish all the data openly on a website. The Maze ransomware group has its own site for this purpose, called “Maze News.”

Other ransomware groups quickly began copying this method. For example, Ryuk, Mount Locker, Clop, REvil, and others also started stealing data before locking it.

Since the webpage where the Maze ransomware group published victims' data is now almost empty, it is believed that the cybercriminals behind this virus really have decided to shut down their operations. Currently, the leak website lists only two victims, along with others whose data was already revealed.

Maze virus started to shut down its operations, but many affiliates have switched to Egregor ransomware

Of course, just because the cybercriminals have decided to shut down Maze ransomware operations, users shouldn't relax. Many Maze virus affiliates have switched over to Egregor, a newer ransomware operation. Egregor ransomware[5] began operating at the same time that Maze ransomware started its shutdown process. This new ransomware quickly became very active.

Many users believe that Egregor, Maze, and Sekhmet are the same software because they use the same ransom notes, share almost the same code, and have similarly named payment sites. Even the decryptor of Egregor is named “Sekhmet Decryptor”.

This means that cybercriminals do not retire when they decide to shut down a particular ransomware. Most of them simply switch to another virus operation. Therefore, users should remain careful online if they want to avoid ransomware or other threats. Keeping frequently updated backups is also a good idea.

About the author
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor's degree was in English Philology.
