{
	"id": "9583b3b0-3408-4681-921f-48516f9f0e92",
	"created_at": "2026-04-06T00:12:48.532881Z",
	"updated_at": "2026-04-10T03:21:57.861329Z",
	"deleted_at": null,
	"sha1_hash": "50aa0848ea2ebb59bd906a96e6f9241a9cc0c485",
	"title": "Maze ransomware is shutting down its cybercrime operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2192341,
	"plain_text": "Maze ransomware is shutting down its cybercrime operation\r\nBy Lawrence Abrams\r\nPublished: 2020-10-29 · Archived: 2026-04-05 15:45:07 UTC\r\n \r\nThe Maze cybercrime gang is shutting down its operations after rising to become one of the most prominent players\r\nperforming ransomware attacks.\r\nThe Maze ransomware began operating in May 2019 but became more active in November. \r\nThat's when the media-savvy operation revolutionized ransomware attacks by introducing a double-extortion tactic.\r\nFirst, they steal your files, then encrypt them\r\nWhile ransomware operations have always enjoyed taunting news sites and researchers, for the most part, they tended to\r\nignore journalists' emails.\r\nThis changed in November 2019, when Maze contacted BleepingComputer to let us know that they stole the unencrypted\r\ndata for Allied Universal before encrypting them.\r\nMaze stated that if Allied didn't pay a ransom, their data would be publicly released. Ultimately, the ransom was not paid,\r\nand Maze released the stolen data.\r\nSoon after, Maze launched a 'Maze News' site that they use to publish non-paying victims' data and issue \"press releases\" for\r\njournalists who follow their activities.\r\nMaze data leak site\r\nThis double-extortion technique was quickly adopted by other large ransomware operations, including REvil, Clop,\r\nand DoppelPaymer, which released their own data leak sites. 
This double-extortion technique has now become a standard tactic\r\nused by almost all ransomware operations.\r\nMaze continued to evolve ransomware operations by forming a ransomware cartel with Ragnar Locker and LockBit, to\r\nshare information and tactics.\r\nDuring their year and a half cybercrime spree, Maze has been responsible for attacks on notable victims,\r\nincluding Southwire, City of Pensacola, Canon, LG Electronics, Xerox, and many more. \r\nMaze started to shut down six weeks ago\r\nEarly last month, BleepingComputer began hearing rumors that Maze was getting ready to shut down their ransomware\r\noperation in a similar manner as GandCrab did in 2019.\r\nThe closing of operations was later confirmed after BleepingComputer was contacted by a threat actor involved in\r\nthe Barnes and Noble ransomware attack.\r\nThis threat actor stated that they take part in ransomware attacks by compromising networks and stealing Windows domain\r\ncredentials. The compromised networks are then passed to affiliates who deploy the ransomware.\r\nThe group compromising networks, the affiliate, and ransomware developers then take equal shares of any ransom\r\npayments.\r\nAs part of our conversation, BleepingComputer was told that Maze was in the process of shutting down its operation, had\r\nstopped encrypting new victims in September 2020, and was trying to squeeze the last ransom payments from victims.\r\nBleepingComputer told that Maze is shut down\r\nWhen BleepingComputer reached out to Maze to confirm if they were shutting down, we were told, \"You should wait for\r\nthe press release.\"\r\nThis week, Maze has started to remove victims that they had listed on their data leak site. 
All that is left on the site are two\r\nvictims and those who previously had all of their data published.\r\nThe cleaning up of the data leak site indicates that the ransomware operation's shutdown is imminent.\r\nIt is not uncommon for ransomware operations to release the master decryption keys when they shut down their operation,\r\nas was done with Crysis, TeslaCrypt, and Shade.\r\nBleepingComputer has reached out to Maze to ask if they will release their keys when they shut down their operation but\r\nhas not heard back.\r\nAffiliates move to Egregor ransomware\r\nBleepingComputer has learned that many Maze affiliates have switched over to a new ransomware operation called Egregor.\r\nEgregor began operating in the middle of September, just as Maze started shutting down their encryption operation. It\r\nquickly became very active, as seen by the ID-Ransomware submission graph below.\r\nEgregor submissions graph to ID-Ransomware\r\nEgregor is believed to be the same underlying software as both Maze and Sekhmet as they utilize the same ransom notes,\r\nsimilar payment site naming, and share much of the same code.\r\nThis was also confirmed by a ransomware threat actor who stated that Maze, Sekhmet, and Egregor were the same software.\r\nRansomware expert Michael Gillespie, who analyzed both Egregor and Sekhmet, also found that Egregor victims who paid\r\na ransom were sent decryptors that were titled 'Sekhmet Decryptor.'\r\nEgregor decryptor\r\nUnfortunately, this shows that even when a ransomware operation shuts down, it does not mean the threat actors involved\r\nretire as well. They just move to the next ransomware operation.\r\nSource: https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/"
	],
	"report_names": [
		"maze-ransomware-is-shutting-down-its-cybercrime-operation"
	],
	"threat_actors": [],
	"ts_created_at": 1775434368,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50aa0848ea2ebb59bd906a96e6f9241a9cc0c485.pdf",
		"text": "https://archive.orkl.eu/50aa0848ea2ebb59bd906a96e6f9241a9cc0c485.txt",
		"img": "https://archive.orkl.eu/50aa0848ea2ebb59bd906a96e6f9241a9cc0c485.jpg"
	}
}