{
	"id": "32fc8f78-8912-45b2-9bd0-d3aa6f910b85",
	"created_at": "2026-04-06T03:37:55.052261Z",
	"updated_at": "2026-04-10T13:12:51.084579Z",
	"deleted_at": null,
	"sha1_hash": "52c1e4f7061d4071550f6a480d4dbc434d10fd41",
	"title": "A Deep Dive Into the Latest Maze Ransomware TTPs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84039,
	"plain_text": "A Deep Dive Into the Latest Maze Ransomware TTPs\r\nBy Laurie Iacono\r\nPublished: 2020-05-05 · Archived: 2026-04-06 03:20:29 UTC\r\nWith the recent attack on a Fortune 500 IT service provider, Maze ransomware is back in the news. Kroll incident response (IR) practitioners worked on multiple Maze ransomware cases during the first quarter of 2020 and have new insights on the tactics, techniques and procedures (TTPs) of these actors and why organizations should revisit their IR plans.\r\nIn our work with one client, Kroll had access to a discussion with Maze actors that revealed some of their inner workings. Coupled with the new FAQ document that Maze recently posted on their “shaming” site, it becomes apparent these threat actors are leaving nothing to chance when pressuring victims to pay up quickly. Organizations should heed some of the claims and threatened reprisals for nonpayment, as they provide direction for updates to existing incident response plans in the event of such attacks. Consider a few of their claims and threats:\r\nOnce in a system, Maze ransomware actors continuously download anywhere from 100 GB to 1 TB of data, specifically focusing on proprietary or sensitive data that can be used as the basis for regulatory action or lawsuits, or ultimately to maximize pressure to pay the ransom.\r\nActors use tools such as the credential-harvesting malware Mimikatz and the network reconnaissance software Advanced IP Scanner to facilitate lateral movement throughout the network.\r\nThey actively look for and leverage known vulnerabilities, such as the Pulse VPN CVE-2019-11510 alert, to compromise targets.\r\nIf the victim doesn’t pay the ransom, the threat actors will immediately send a prepared press release to the media in addition to releasing the information on their “shaming” site. If the victim is a publicly traded company, the actors will also send the release to the stock exchange where the victim’s stock is listed.\r\nMaze claims that credentials harvested from non-paying victims will be used for attacks against the victims’ partners and clients.\r\nhttps://www.kroll.com/en/insights/publications/cyber/latest-maze-ransomware-ttps\r\nPage 1 of 3\r\nRepresentative Maze Attack Scenarios\r\nAs these examples of recent Kroll case work show, no industry sector is safe, and actors hunt for data that can inflict the most reputational and regulatory damage.\r\nA healthcare client learned that Maze threat actors sent emails directly to their patients threatening to expose their personal health data.\r\nMaze operators told a mortgage company they had 24 hours to pay the ransom or Maze would release their data. The client reported that about two weeks prior, their email system had gone down and they were told by their IT vendor that they had a virus. In retrospect, the client believed their server was breached in this incident.\r\nA realty company started seeing viruses hit their domain environment, and a remote access tool was placed by a new user account set up as a database administrator. The client could restore from backups and did not pay the ransom. Maze posted their data on their shaming site about three weeks after the attack.\r\nAn insurance broker was alerted of a server failure early one morning, but the servers were restored later that day. The client’s initial investigation showed that actors had logged into the server with elevated privileges using the chief operating officer’s credentials and pushed a password change. Two days later, files were encrypted and they received a ransom note threatening to release their data.\r\nAccording to Coveware, a ransomware recovery first responder, Maze initial ransomware demands are close to USD 2.3 million, second only to those demanded for Ryuk ransomware. The average final ransom amount is closer to USD 1 million after negotiation, indicating a roughly 55% discount through negotiation.\r\nIncident Response Planning for Ransomware and PR Attacks\r\nKroll has shared numerous best practices on how to avoid becoming a victim of ransomware. Likewise, we have described what to do first if an attack does succeed.\r\nA new concern for organizations, however, is that the Maze ransomware operators have intensely compressed the decision-making process. Organizations in the past could somewhat control how and when to disclose the details of a suspected data breach. In many cases, organizations need time to ascertain the true extent of a reportable data breach and implement support mechanisms to meet the needs of affected consumers.\r\nNow, with ransomware actors reaching out directly to an organization’s customers, the media and regulatory agencies, victim organizations must be prepared to act decisively and immediately.\r\nOrganizations should explicitly build their IR plans with ransomware-specific policies and procedures. Additionally, the organization should have already established its stance on paying or negotiating ransoms, as well as the authorized decision makers for the process.\r\nTo get a true sense of the pressure and gaps that could arise in a ransomware attack, organizations should also include ransomware scenarios in their IR plan tabletop exercises.\r\nAre You Ready for Ransomware?\r\nAs Kroll’s casework has proved, every organization can be a target for ransomware cybercriminals. Kroll has developed a Ransomware Preparedness Assessment that can help your organization better understand your unique vulnerabilities and how to avoid or mitigate ransomware harms. Call us today to learn more.\r\nSource: https://www.kroll.com/en/insights/publications/cyber/latest-maze-ransomware-ttps",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/cyber/latest-maze-ransomware-ttps"
	],
	"report_names": [
		"latest-maze-ransomware-ttps"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446675,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/52c1e4f7061d4071550f6a480d4dbc434d10fd41.pdf",
		"text": "https://archive.orkl.eu/52c1e4f7061d4071550f6a480d4dbc434d10fd41.txt",
		"img": "https://archive.orkl.eu/52c1e4f7061d4071550f6a480d4dbc434d10fd41.jpg"
	}
}