{
	"id": "388d744a-86ee-4b36-b961-bf5992711bb4",
	"created_at": "2026-04-06T00:07:40.545621Z",
	"updated_at": "2026-04-10T13:12:50.576671Z",
	"deleted_at": null,
	"sha1_hash": "c79797ed34505419cbf5c46f566cec8167f427ca",
	"title": "Maze Ransomware is Dead. Or is it? | Webroot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42448,
	"plain_text": "Maze Ransomware is Dead. Or is it? | Webroot\r\nBy Justine Kurtz\r\nPublished: 2021-01-13 · Archived: 2026-04-05 17:47:11 UTC\r\n“It’s definitely dead,” says Tyler Moffitt, security analyst at Carbonite + Webroot, OpenText companies. “At\r\nleast,” he amends, “for now.”\r\nMaze ransomware, which made our top 10 list for Nastiest Malware of 2020 (not to mention numerous headlines\r\nthroughout the last year), was officially shut down in November of 2020. The ransomware group behind it issued\r\na kind of press release, announcing the shutdown and that they had no partners or successors who would be taking\r\nup the mantle. But before that, Maze had been prolific and successful. In fact, shortly before the shutdown, Maze\r\naccounted for an estimated 12% of all successful ransomware attacks. So why did they shut down?\r\nI sat down with Tyler to get his take on the scenario and find out whether Maze is well and truly gone.\r\nWhy do you think Maze was so successful?\r\nMaze had a great business model. They were the group that popularized the breach leak/auction website. So, they\r\ndidn’t just steal and encrypt your files like other ransomware; they threatened to expose the data for all to see or\r\neven sell it at auction.\r\nWhy was this shift so revolutionary?\r\nThe Maze group tended to target pretty huge organizations with 10,000 employees or more. Businesses that big\r\nare likely to have decent backups, so just taking the data and holding it for ransom isn’t much of an incentive.\r\nNow think about this: those huge businesses also would’ve been subject to pricey fines for data breaches because\r\nof regulations like GDPR; and they’re also more likely to have big budgets to pay a ransom. 
So, instead of simply\r\nsaying, “we have your data, pay up,” they said, “we have your data and if you don’t pay, we’ll expose it to the\r\nworld – which includes the regulators and your customers.” Most of the time, paying the ransom is going to be the\r\nmore cost effective (and less embarrassing) option. We don’t know if the Maze group invented this tactic, but they\r\ndefinitely set the trend, and a bunch of other ransomware groups started following it.\r\nOther than the leak sites, did they do anything else noteworthy or different from other groups?\r\nOne of the bigger threat trends we saw in 2020 was malware groups partnering up for different pieces of the\r\ninfection chain, such as Trojans, backdoors, droppers, etc. The botnet Emotet, for example, was responsible for a\r\nhuge percentage of ransomware infections from various different groups. Maze, however, was pretty self-contained. We saw them working with a few other groups throughout 2020, but they had their own malspam\r\ncampaign for delivery and everything else they needed in-house, so to speak. They were like a one-stop shop.\r\nDo you think the move to remote work during the pandemic contributed to their success?\r\nhttps://www.webroot.com/blog/2021/01/13/maze-ransomware-is-dead-or-is-it/\r\nPage 1 of 3\n\nAbsolutely, though you could say that about any ransomware group. Phishing and RDP attacks really ramped up\r\nwhen people started working from home. Home networks and personal devices are generally much less secure\r\nthan corporate ones, and cybercriminals are always looking for ways to exploit a given situation for their gain.\r\nIf Maze was doing so well, why did they shut down?\r\nProbably because they’d gotten too much attention. The more notoriety you get, the harder it is to operate. We see\r\nthis with a lot of malware groups. They shut down for a while, either to lie low because the heat is on, or to just\r\nspend the money they’ve gotten from their payouts and enjoy life. 
Or, sometimes, they don’t lie low at all but just\r\nrebrand themselves under a new name. Either way, they tend to come back. For example, a ransomware variant\r\ncalled Ryuk went dark and came back as Conti. Emotet went away for a long time too and then came back under\r\nthe same group name.\r\nHow can you tell when an old group has rebranded?\r\nUnless they announce it in some way, the only way to really tell is if you can get a sample of the malware and\r\nreverse engineer it and look at the code. One of our threat researchers did that with a sample of Sodinokibi and\r\ndiscovered it had “GandCrab version 6” in its code. So, that’s an example of a rebrand, but it can be hard to spot.\r\nDo you think Maze is done for good?\r\nNot a chance. They attacked huge targets and got massive payouts. Most ransomware groups attack smaller\r\nbusinesses who are less likely to have strong enough security measures. Even the ones that targeted larger\r\ncorporations, like Ryuk, still attacked businesses one-fifth the size of a typical Maze target. Now, the Maze group\r\ncan relax and take a lavish vacation with all the money they got. But I’d be pretty shocked if they just abandoned\r\nsuch a winning business model entirely.\r\nThe verdict: Maze may be gone for now, but experts are fairly certain we haven’t seen the last of this virulent and\r\nhighly successful malware group. In the meantime, Tyler advises businesses everywhere to use the lull as an\r\nopportunity to batten down their cyber resilience strategies by implementing layered security measures, locking\r\ndown RDP, and educating employees on cybersecurity and risk avoidance.\r\nStay tuned for more ransomware developments right here on the Webroot blog.\r\nJustine Kurtz\r\nAbout the Author\r\nJustine Kurtz\r\nSenior Copywriter\r\nJustine Kurtz has crafted the voice of Webroot for nearly a decade. 
As senior copywriter, she partners with clients\r\nacross the organization (and the globe) to communicate the value Webroot solutions bring to businesses,\r\nconsumers, and technology partners alike.\r\nSource: https://www.webroot.com/blog/2021/01/13/maze-ransomware-is-dead-or-is-it/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.webroot.com/blog/2021/01/13/maze-ransomware-is-dead-or-is-it/"
	],
	"report_names": [
		"maze-ransomware-is-dead-or-is-it"
	],
	"threat_actors": [],
	"ts_created_at": 1775434060,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c79797ed34505419cbf5c46f566cec8167f427ca.pdf",
		"text": "https://archive.orkl.eu/c79797ed34505419cbf5c46f566cec8167f427ca.txt",
		"img": "https://archive.orkl.eu/c79797ed34505419cbf5c46f566cec8167f427ca.jpg"
	}
}