Skip to content
Ransomware group

Maze

Maze is a ransomware family and ransomware-as-a-service operation first branded as Maze in May 2019 and previously referred to as “ChaCha ransomware.” It became one of the earliest and most prominent double-extortion ransomware operations, stealing victim data and threatening public disclosure if ransom demands were not met.

Profile source: Mallory opens in a new tab

Maze

Family profile

Maze is a ransomware family and ransomware-as-a-service operation first branded as Maze in May 2019 and previously referred to as “ChaCha ransomware.” It became one of the earliest and most prominent double-extortion ransomware operations, stealing victim data and threatening public disclosure if ransom demands were not met. Public reporting in the provided content states that leak-based extortion ransomware tactics were pioneered around November 2019 by Maze. Maze operated victim negotiation infrastructure and a separate public leak/news site on Tor and the public Internet, used DECRYPT-FILES.txt as its ransom note, and in some cases dropped 000.bmp as wallpaper and played a synthesized voice alert via the Microsoft Speech API.

Maze has been delivered through multiple vectors including exploit kits, spam/phishing emails, Remote Desktop Protocol attacks, and other network exploitation methods. One documented infection chain used malicious Microsoft Word attachments that required users to enable macros; the macro then launched PowerShell to download and install the Maze payload. Proofpoint-linked TA2101 campaigns in October-November 2019 impersonated German and Italian tax authorities and delivered Maze through Word documents and PowerShell downloaders. Initial Maze samples were also associated with fake websites loaded with exploit kits.

Technically, Maze is described as mostly written in C++ with heavy assembly use and control-flow obfuscation. It dynamically resolved APIs by hashing names and matching exports before using LoadLibrary and GetProcAddress. It included anti-analysis and evasion features such as IsDebuggerPresent checks, PEB.BeingDebuggedFlag checks, process-name detection for tools including procmon, x32dbg, x64dbg, ollydbg, and procexp, and disabling of dynamic analysis and security tools including IDA debugger, x32dbg, and OllyDbg. The content also states that Maze disabled Windows Defender Real-Time Monitoring and attempted to disable endpoint protection services.

Maze performed selective execution checks by calling GetUserDefaultUILanguage and terminating if the system language matched a predefined exclusion list. It established persistence through a Windows autorun registry entry and also created scheduled tasks using names such as “Windows Update Security” to launch at a specific time. For reconnaissance and defense evasion, Maze queried antivirus products through WMI root\SecurityCenter2, used WMI to connect a virtual machine to the victim organization’s network domain, and communicated with hard-coded IP addresses over HTTP, including HTTP POST exfiltration over port 80 using WS2_32.dll. FireEye reporting cited in the content states that the Maze group also used RDP over the Ngrok service as an alternative command-and-control channel.

Maze attempted to impair recovery by deleting shadow volumes, including once before and once after encryption. The content specifically notes use of WMIC.exe and WMI for shadow copy deletion, and use of Wow64RevertWow64FsRedirection after deletion attempts to restore filesystem redirection state. For encryption, Maze used RSA and ChaCha20, skipped specific directories and file types, and dropped DECRYPT-FILES.txt ransom notes.

Maze is associated in the content with financially motivated extortion activity and broad enterprise targeting, with explicit references to attacks affecting healthcare during the COVID-19 period. Reported victims in the provided material include Allied Universal, Canon, Southwire, the City of Pensacola, LG Electronics, Xerox, and healthcare organizations. Canon reporting in the content states Maze claimed to have stolen 10 TB of data before deploying encryption. The content also notes that Maze announced in March 2020 that it would stop attacks on medical organizations until the COVID-19 situation stabilized, and that it withdrew pressure in at least one case involving the City of Pensacola.

The provided content also links Maze to the broader ransomware ecosystem. Multiple intelligence and security companies believed there were ties between former Maze affiliates and Egregor. CERT-FR reporting cited in the content states that the Lockean affiliate group used Maze alongside Egregor, ProLock, REvil, and DoppelPaymer. Additional reporting in the content says DoppelPaymer used similar tactics and much of the same code as BitPaymer and Maze. The content further mentions Maze in connection with FIN7 affiliations in 2023, but does not provide technical detail tying FIN7 to Maze malware development itself.

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • Mimikatz
  • ProcDump

Discovery Enum

  • AdFind
  • Advanced IP Scanner
  • Bloodhound
  • PingCastle
  • PowerView
  • ShareFinder

Exfiltration

  • WinSCP

LOLBAS

  • PsExec
  • WMIC

Offsec

  • Cobalt Strike
  • Metasploit
  • Meterpreter
  • PowerSploit

Reported operators

Threat actors

9 named in public reporting
FIN7

In 2023, FIN7 expanded its operations to include the deployment of ransomware through affiliations with RaaS groups such as REvil and Maze, while also managing its own RaaS programs, including the now-retired Darkside and BlackMatter.

DEV-0216

In 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families.

Lockean

Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.

OnePercent

Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.

FIN6

"Since November 2019, we’ve seen the MAZE ransomware being used in attacks that combine targeted ransomware use, public exposure of victim data, and an affiliate model."

TA551

"...TA551 IcedID implants were associated with Maze and Egregor ransomware events in 2020."

UNC2198

In July 2020, Mandiant observed UNC2198 leverage network access provided by an ICEDID infection to encrypt an environment with MAZE ransomware.

Maze

Maze ransomware operators have updated their list of victims adding Xerox Corporation to the roster... Maze's leak site showed Xerox among the victims of this ransomware group.

Exploited software

Vulnerabilities linked to Maze

3 CVEs

MITRE ATT&CK

Maze in ATT&CK

55 distinct techniques

Techniques

55 techniques
T1614.001 System Language Discovery T1082 System Information Discovery T1547.001 Registry Run Keys / Startup Folder T1071.001 Web Protocols T1059.003 Windows Command Shell T1057 Process Discovery T1562 Impair Defenses T1047 Windows Management Instrumentation T1490 Inhibit System Recovery T1036 Masquerading T1486 Data Encrypted for Impact T1053.005 Scheduled Task T1567 Exfiltration Over Web Service T1027 Obfuscated Files or Information T1657 Financial Theft T1537 Transfer Data to Cloud Account T1562.001 Disable or Modify Tools T1529 System Shutdown/Reboot T1068 Exploitation for Privilege Escalation T1203 Exploitation for Client Execution T1218.007 Msiexec T1053 Scheduled Task/Job T1048 Exfiltration Over Alternative Protocol T1140 Deobfuscate/Decode Files or Information T1133 External Remote Services T1136 Create Account T1083 File and Directory Discovery T1112 Modify Registry T1204 User Execution T1003 OS Credential Dumping T1202 Indirect Command Execution T1078 Valid Accounts T1105 Ingress Tool Transfer T1070 Indicator Removal T1059 Command and Scripting Interpreter T1071 Application Layer Protocol T1489 Service Stop T1614 System Location Discovery T1564.006 Run Virtual Instance T1055.001 Dynamic-link Library Injection T1036.004 Masquerade Task or Service T1568 Dynamic Resolution T1049 System Network Connections Discovery T1106 Native API T1027.016 Junk Code Insertion T1190 Exploit Public-Facing Application T1189 Drive-by Compromise T1566.001 Phishing: Spearphishing Attachment T1059.001 Command and Scripting Interpreter: PowerShell T1218.011 Signed Binary Proxy Execution: Rundll32 T1003.001 OS Credential Dumping: LSASS Memory T1018 Remote System Discovery T1046 Network Service Discovery T1021.001 Remote Services: Remote Desktop Protocol T1021.002 Remote Services: SMB/Windows Admin Shares

Reporting

Research mentioning Maze

Mar 12
Bleeping Computer

Veeam warns of critical flaws exposing backup servers to RCE attacks

"... FIN7 ... previously collaborated with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware groups ..."

Mar 6
Bleeping Computer

Cognizant TriZetto breach exposes health data of 3.4 million patients

Cognizant itself was rumored to have suffered a Maze ransomware breach in 2020.

Feb 25
Splunk Research

Detection: Windows Security And Backup Services Stop | Splunk Security Content

References https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/

Feb 25
Splunk Research

Detection: WMI Recon Running Process Or Services | Splunk Security Content

References https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/

Feb 25
Splunk Research

Detection: Windows Cisco Secure Endpoint Related Service Stopped | Splunk Security Content

References https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/

Jan 1
Sophos Threat Research

Maze ransomware: extorting victims for 1 year and counting | SOPHOS

Previously identified as “ChaCha ransomware” (a name taken from stream cipher used by the malware to encrypt files), the Maze “brand” was first affixed to the ransomware in May, 2019.

Jun 17
Bleeping Computer

New Veeam RCE flaw lets domain users hack backup servers

"...FIN7... known to collaborate with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware gangs..."

Jun 13
Recorded Future

GrayAlpha Unmasked: New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks

In 2023, FIN7 expanded its operations to include the deployment of ransomware through affiliations with RaaS groups such as REvil and Maze, while also managing its own RaaS programs, including the now-retired Darkside and BlackMatter.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.