{
	"id": "c11346a1-d70a-4643-9aee-f94db79752df",
	"created_at": "2026-04-06T00:13:28.188968Z",
	"updated_at": "2026-04-10T13:11:39.106286Z",
	"deleted_at": null,
	"sha1_hash": "a7da4363ed71c57e18f71b9bf8fc9129044ee2fe",
	"title": "Life of Maze ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3662422,
	"plain_text": "Life of Maze ransomware\r\nBy Fedor Sinitsyn\r\nPublished: 2020-10-21 · Archived: 2026-04-05 19:26:44 UTC\r\nIn the past year, Maze ransomware has become one of the most notorious malware families threatening businesses and large organizations. Dozens of organizations have fallen victim to this vile malware, including LG, Southwire, and the City of Pensacola.\r\nThe history of this ransomware began in the first half of 2019, and back then it didn’t have any distinct branding – the ransom note included the title “0010 System Failure 0010”, and it was referenced by researchers simply as ‘ChaCha ransomware’.\r\nRansom note of an early version of Maze/ChaCha ransomware\r\nShortly afterwards, new versions of this Trojan started calling themselves Maze and using a relevantly named website for the victims instead of the generic email address shown in the screenshot above.\r\nhttps://securelist.com/maze-ransomware/99137/\r\nPage 1 of 10\n\nWebsite used by a recent version of Maze ransomware\r\nInfection scenarios\r\nMass campaigns\r\nThe distribution tactic of the Maze ransomware initially involved infections via exploit kits (namely, Fallout EK and Spelevo EK), as well as via spam with malicious attachments. Below is an example of one of these malicious spam messages containing an MS Word document with a macro that’s intended to download the Maze ransomware payload.\r\nIf the recipient opens the attached document, they will be prompted to enable editing mode and then enable the content. If they fall for it, the malicious macro contained inside the document will execute, which in turn will result in the victim’s PC being infected with Maze ransomware.\r\nTailored approach\r\nIn addition to these typical infection vectors, the threat actors behind Maze ransomware started targeting corporations and municipal organizations in order to maximize the amount of money extorted.\r\nThe initial compromise mechanism and subsequent tactics vary. Some incidents involved spear-phishing campaigns that installed Cobalt Strike RAT, while in other cases the network breach was the result of exploiting a vulnerable internet-facing service (e.g. Citrix ADC/Netscaler or Pulse Secure VPN). Weak RDP credentials on machines accessible from the internet also pose a threat as the operators of Maze may use this flaw as well.\r\nPrivilege escalation, reconnaissance and lateral movement tactics also tend to differ from case to case. During these stages, the use of the following tools has been observed: mimikatz, procdump, Cobalt Strike, Advanced IP Scanner, Bloodhound, PowerSploit, and others.\r\nDuring these intermediate stages, the threat actors attempt to identify valuable data stored on the servers and workstations in the compromised network. They will then exfiltrate the victim’s confidential files in order to leverage them when negotiating the size of the ransom.\r\nAt the final stage of the intrusion, the malicious operators will install the Maze ransomware executable onto all the machines they can access. This results in the encryption of the victim’s valuable data and finalizes the attack.\r\nData leaks/doxing\r\nMaze ransomware was one of the first ransomware families that threatened to leak the victims’ confidential data if they refused to cooperate.\r\nIn fact, this made Maze something of a trendsetter because this approach turned out to be so lucrative for the criminals that it’s now become standard for several notorious ransomware gangs, including REvil/Sodinokibi, DoppelPaymer, JSWorm/Nemty/Nefilim, RagnarLocker, and Snatch.\r\nThe authors of the Maze ransomware maintain a website where they list their recent victims and publish a partial or a full dump of the documents they have managed to exfiltrate following a network compromise.\r\nWebsite with leaked data published by Maze operators\r\nRansomware cartel\r\nIn June 2020, the criminals behind Maze teamed up with two other threat actor groups, LockBit and RagnarLocker, essentially forming a ‘ransomware cartel’. The data stolen by these groups now gets published on the blog maintained by the Maze operators.\r\nIt wasn’t just the hosting of exfiltrated documents where the criminals pooled their efforts – apparently they are also sharing their expertise. Maze now uses execution techniques that were previously only used by RagnarLocker.\r\nBrief technical overview\r\nThe Maze ransomware is typically distributed as a PE binary (EXE or DLL depending on the specific scenario) which is developed in C/C++ and obfuscated by a custom protector. It employs various tricks to hinder static analysis, including dynamic API function imports, control flow obfuscation using conditional jumps, replacing RET with JMP dword ptr [esp-4], replacing CALL with PUSH + JMP, and several other techniques.\r\nTo counter dynamic analysis, this Trojan will also terminate processes typically used by researchers, e.g. procmon, procexp, ida, x32dbg, etc.\r\nThe cryptographic scheme used by Maze consists of several levels:\r\nTo encrypt the content of the victim’s files, the Trojan securely generates unique keys and nonce values to use with the ChaCha stream cipher;\r\nThe ChaCha keys and nonce values are encrypted by a session public RSA-2048 key which is generated when the malware is launched;\r\nThe session private RSA-2048 key is encrypted by the master public RSA-2048 key hardcoded in the Trojan’s body.\r\nThis scheme is a variation of a more or less typical approach used by developers of modern ransomware. It allows the operators to keep their master private RSA key secret when selling decryptors for each individual victim, and it also ensures that a decryptor purchased by one victim won’t help others.\r\nWhen executing on a machine, Maze ransomware will also attempt to determine what kind of PC it has infected. It tries to distinguish between different types of system (‘backup server’, ‘domain controller’, ‘standalone server’, etc.). Using this information in the ransom note, the Trojan aims to further scare the victims into thinking that the criminals know everything about the affected network.\r\nStrings that Maze uses to generate the ransom note\r\nFragment of the procedure that generates the ransom note\r\nHow to avoid and prevent\r\nRansomware is evolving day by day, meaning a reactive approach to avoiding and preventing infection is not worthwhile. The best defense against ransomware is proactive prevention, because it is often too late to recover data once it has been encrypted.\r\nThere are a number of recommendations that may help prevent attacks like these:\r\n1. Keep your OS and applications patched and up to date.\r\n2. Train all employees on cybersecurity best practices.\r\n3. Only use secure technology for remote connection in a company local network.\r\n4. Use endpoint security with behavior detection and automatic file rollback, such as Kaspersky Endpoint Security for Business.\r\n5. Use the latest threat intelligence information to detect an attack quickly, understand what countermeasures are useful, and prevent it from spreading.\r\nDetection\r\nKaspersky products protect against this ransomware, detecting it as Trojan-Ransom.Win32.Maze; it is blocked by Behavior-based Protection as PDM:Trojan.Win32.Generic.\r\nWe safeguard our customers with the best Ransomware Protection technologies.\r\nTIP Cloud Sandbox report summary and execution map with mapping on MITRE ATT\u0026CK Framework\r\nIOCs\r\n2332f770b014f21bcc63c7bee50d543a\r\nCE3A5898E2B2933FD5216B27FCEACAD0\r\n54C9A5FC6149007E9B727FCCCDAFBBD4\r\n8AFC9F287EF0F3495B259E497B30F39E\r\nSource: https://securelist.com/maze-ransomware/99137/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/maze-ransomware/99137/"
	],
	"report_names": [
		"99137"
	],
	"threat_actors": [],
	"ts_created_at": 1775434408,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7da4363ed71c57e18f71b9bf8fc9129044ee2fe.pdf",
		"text": "https://archive.orkl.eu/a7da4363ed71c57e18f71b9bf8fc9129044ee2fe.txt",
		"img": "https://archive.orkl.eu/a7da4363ed71c57e18f71b9bf8fc9129044ee2fe.jpg"
	}
}