{
	"id": "0eb168d4-2255-41f5-9521-63fd91627508",
	"created_at": "2026-04-06T00:08:09.270456Z",
	"updated_at": "2026-04-10T03:24:29.60384Z",
	"deleted_at": null,
	"sha1_hash": "835547e7bf5f502c48d890cf4b549c5da7d1b127",
	"title": "Maze: the ransomware that introduced an extra twist | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 451979,
	"plain_text": "Maze: the ransomware that introduced an extra twist |\r\nMalwarebytes Labs\r\nBy Pieter Arntz\r\nPublished: 2020-05-28 · Archived: 2026-04-05 19:10:07 UTC\r\nAn extra way to create leverage against victims of ransomware has been introduced by the developers of the Maze\r\nransomware. If the victim is not convinced that she should pay the criminals because her files are encrypted, there\r\ncould be an extra method of extortion. Over time, more organizations have found ways to keep safe copies of their\r\nimportant files or use some kind of rollback technology to restore their systems to the state they were in before the\r\nattack.\r\nTo have some leverage over these organizations, the ransomware attackers steal data from the infiltrated system\r\nwhile they deploy their ransomware. They then threaten to publish the data if the victim decides not to pay.\r\nDepending on the kind of data, this can be a rather compelling reason to give in.\r\nMaze introduces leaked data\r\nIn the last quarter of 2019, Maze’s developers introduced this new extortion method. And, as if ransomware alone\r\nwasn’t bad enough, since the introduction of this methodology, many other ransomware peddlers have started to\r\nadopt it. The most well-known ransomware families besides Maze that use data exfiltration as a side-dish for\r\nransomware are Clop, Sodinokibi, and DoppelPaymer.\r\nThe dubious honor of being noted as the first victim went to Allied Universal, a California-based security services\r\nfirm. Allied Universal saw 700MB of stolen data being dumped after they refused to meet the ransom demand set\r\nby Maze. 
Nowadays, most of the ransomware gangs involved in this double featured attack have dedicated\r\nwebsites where they threaten to publish the data stolen from victims that are reluctant to pay up.\r\nCharacteristics of Maze ransomware\r\nMaze ransomware was developed as a variant of ChaCha ransomware and was initially discovered by\r\nMalwarebytes Director of Threat Intelligence Jérôme Segura in May of 2019. Since December of 2019, the gang\r\nhas been very active making many high profile victims in almost every vertical: finance, technology,\r\ntelecommunications, healthcare, government, construction, hospitality, media and communications, utilities and\r\nenergy, pharma and life sciences, education, insurance, wholesale, and legal.\r\nThe main forms of distribution for Maze are:\r\nmalspam campaigns utilizing weaponized attachments, mostly Word and Excel files\r\nRDP brute force attacks\r\nInitially Maze was distributed through websites using an exploit kit such as the Fallout EK and Spelevo EK,\r\nwhich has been seen using Flash Player vulnerabilities. Maze ransomware has also utilized exploits against Pulse\r\nVPN, as well as the Windows VBScript Engine Remote Code Execution Vulnerability to get into a network.\r\nNo matter which method was used to gain a foothold in the network, the next step for the Maze operators is to\r\nobtain elevated privileges, conduct lateral movement, and begin to deploy file encryption across all drives.\r\nHowever, before encrypting the data, these operators are known to exfiltrate the files they come across. These files\r\nwill then be put to use as a means to gain extra leverage, threatening with public exposure.\r\nMAZE uses two algorithms to encrypt the files, ChaCha20 and RSA. After encryption the program appends a\r\nstring of random 4-7 characters at the end of each file. 
When the malware has finished encrypting all the targeted\r\nfiles it changes the desktop wallpaper to this image:\r\nIn addition, a voice message is played to the user of the affected system, alerting them of the encryption.\r\nIOCs for Maze ransomware\r\nMaze creates a file called DECRYPT-FILES.txt in each folder that contains encrypted files. It skips some folders\r\namong which are:\r\n• %windir%\r\n• %programdata%\r\n• Program Files\r\n• %appdata%local\r\nIt also skips all the files of the following types:\r\n• dll\r\n• exe\r\n• lnk\r\n• sys\r\nThis ransom note called DECRYPT-FILES.txt contains instructions for the victim:\r\nThey then promise that:\r\nAfter the payment the data will be removed from our disks and decryptor will be given to you, so you\r\ncan restore all your files.\r\nSHA 256 hashes:\r\n19aaa6c900a5642941d4ebc309433e783befa4cccd1a5af8c86f6e257bf0a72e \r\n6878f7bd90434ac5a76ac2208a5198ce1a60ae20e8505fc110bd8e42b3657d13\r\n9ad15385f04a6d8dd58b4390e32d876070e339eee6b8da586852d7467514d1b1\r\nb950db9229db2f37a7eb5368308de3aafcea0fd217c614daedb7f334292d801e\r\nProtection\r\nMalwarebytes protects users with a combination of different layers including one that stops the attack very early\r\non and is completely signature-less.\r\nBesides using Malwarebytes, we also recommend to:\r\nDeny access to Public IPs to important ports (RDP port 3389).\r\nAllow access to only IPs which are under your control.\r\nAlong with blocking RDP port, we also suggest blocking SMB port 445. 
In general, it is advised to block\r\nunused ports.\r\nApply the latest Microsoft update packages and keep your Operating system and antivirus fully updated.\r\nPayments\r\nWhile our advice as always is not to pay the criminals since you are keeping their business model alive by doing\r\nso, we do understand that missing crucial files can be a compelling reason to pay them anyway. And with the new\r\ntwist of publishing exfiltrated data that the Maze operators introduced, there is an extra reason at hand. Throwing\r\nconfidential data online has proven to be an effective extra persuasion as many organizations can’t afford to have\r\nthem publicly available.\r\nStay safe, everyone!\r\nAbout the author\r\nWas a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich\r\nmahogany and leather-bound books.\r\nSource: https://blog.malwarebytes.com/threat-spotlight/2020/05/maze-the-ransomware-that-introduced-an-extra-twist/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-spotlight/2020/05/maze-the-ransomware-that-introduced-an-extra-twist/"
	],
	"report_names": [
		"maze-the-ransomware-that-introduced-an-extra-twist"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434089,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/835547e7bf5f502c48d890cf4b549c5da7d1b127.pdf",
		"text": "https://archive.orkl.eu/835547e7bf5f502c48d890cf4b549c5da7d1b127.txt",
		"img": "https://archive.orkl.eu/835547e7bf5f502c48d890cf4b549c5da7d1b127.jpg"
	}
}