Credential Theft
- Mimikatz
- ProcDump
Maze is a ransomware family and ransomware-as-a-service operation first branded as Maze in May 2019 and previously referred to as “ChaCha ransomware.” It became one of the earliest and most prominent double-extortion ransomware operations, stealing victim data and threatening public disclosure if ransom demands were not met.
Profile source: Mallory opens in a new tabMaze
Maze is a ransomware family and ransomware-as-a-service operation first branded as Maze in May 2019 and previously referred to as “ChaCha ransomware.” It became one of the earliest and most prominent double-extortion ransomware operations, stealing victim data and threatening public disclosure if ransom demands were not met. Public reporting in the provided content states that leak-based extortion ransomware tactics were pioneered around November 2019 by Maze. Maze operated victim negotiation infrastructure and a separate public leak/news site on Tor and the public Internet, used DECRYPT-FILES.txt as its ransom note, and in some cases dropped 000.bmp as wallpaper and played a synthesized voice alert via the Microsoft Speech API.
Maze has been delivered through multiple vectors including exploit kits, spam/phishing emails, Remote Desktop Protocol attacks, and other network exploitation methods. One documented infection chain used malicious Microsoft Word attachments that required users to enable macros; the macro then launched PowerShell to download and install the Maze payload. Proofpoint-linked TA2101 campaigns in October-November 2019 impersonated German and Italian tax authorities and delivered Maze through Word documents and PowerShell downloaders. Initial Maze samples were also associated with fake websites loaded with exploit kits.
Technically, Maze is described as mostly written in C++ with heavy assembly use and control-flow obfuscation. It dynamically resolved APIs by hashing names and matching exports before using LoadLibrary and GetProcAddress. It included anti-analysis and evasion features such as IsDebuggerPresent checks, PEB.BeingDebuggedFlag checks, process-name detection for tools including procmon, x32dbg, x64dbg, ollydbg, and procexp, and disabling of dynamic analysis and security tools including IDA debugger, x32dbg, and OllyDbg. The content also states that Maze disabled Windows Defender Real-Time Monitoring and attempted to disable endpoint protection services.
Maze performed selective execution checks by calling GetUserDefaultUILanguage and terminating if the system language matched a predefined exclusion list. It established persistence through a Windows autorun registry entry and also created scheduled tasks using names such as “Windows Update Security” to launch at a specific time. For reconnaissance and defense evasion, Maze queried antivirus products through WMI root\SecurityCenter2, used WMI to connect a virtual machine to the victim organization’s network domain, and communicated with hard-coded IP addresses over HTTP, including HTTP POST exfiltration over port 80 using WS2_32.dll. FireEye reporting cited in the content states that the Maze group also used RDP over the Ngrok service as an alternative command-and-control channel.
Maze attempted to impair recovery by deleting shadow volumes, including once before and once after encryption. The content specifically notes use of WMIC.exe and WMI for shadow copy deletion, and use of Wow64RevertWow64FsRedirection after deletion attempts to restore filesystem redirection state. For encryption, Maze used RSA and ChaCha20, skipped specific directories and file types, and dropped DECRYPT-FILES.txt ransom notes.
Maze is associated in the content with financially motivated extortion activity and broad enterprise targeting, with explicit references to attacks affecting healthcare during the COVID-19 period. Reported victims in the provided material include Allied Universal, Canon, Southwire, the City of Pensacola, LG Electronics, Xerox, and healthcare organizations. Canon reporting in the content states Maze claimed to have stolen 10 TB of data before deploying encryption. The content also notes that Maze announced in March 2020 that it would stop attacks on medical organizations until the COVID-19 situation stabilized, and that it withdrew pressure in at least one case involving the City of Pensacola.
The provided content also links Maze to the broader ransomware ecosystem. Multiple intelligence and security companies believed there were ties between former Maze affiliates and Egregor. CERT-FR reporting cited in the content states that the Lockean affiliate group used Maze alongside Egregor, ProLock, REvil, and DoppelPaymer. Additional reporting in the content says DoppelPaymer used similar tactics and much of the same code as BitPaymer and Maze. The content further mentions Maze in connection with FIN7 affiliations in 2023, but does not provide technical detail tying FIN7 to Maze malware development itself.
Ransomware.live
Reported operators
In 2023, FIN7 expanded its operations to include the deployment of ransomware through affiliations with RaaS groups such as REvil and Maze, while also managing its own RaaS programs, including the now-retired Darkside and BlackMatter.
In 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families.
Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.
Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.
"...the most prolific being TWISTED SPIDER using Maze..."
"Since November 2019, we’ve seen the MAZE ransomware being used in attacks that combine targeted ransomware use, public exposure of victim data, and an affiliate model."
"...TA551 IcedID implants were associated with Maze and Egregor ransomware events in 2020."
In July 2020, Mandiant observed UNC2198 leverage network access provided by an ICEDID infection to encrypt an environment with MAZE ransomware.
Maze ransomware operators have updated their list of victims adding Xerox Corporation to the roster... Maze's leak site showed Xerox among the victims of this ransomware group.
Exploited software
MITRE ATT&CK
Reporting
"... FIN7 ... previously collaborated with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware groups ..."
Cognizant itself was rumored to have suffered a Maze ransomware breach in 2020.
References https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/
References https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/
References https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/
Previously identified as “ChaCha ransomware” (a name taken from stream cipher used by the malware to encrypt files), the Maze “brand” was first affixed to the ransomware in May, 2019.
"...FIN7... known to collaborate with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware gangs..."
In 2023, FIN7 expanded its operations to include the deployment of ransomware through affiliations with RaaS groups such as REvil and Maze, while also managing its own RaaS programs, including the now-retired Darkside and BlackMatter.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.