{
	"id": "640ed048-5093-4cf9-ad45-0e9e80323295",
	"created_at": "2026-04-06T00:10:15.202163Z",
	"updated_at": "2026-04-10T03:20:27.618224Z",
	"deleted_at": null,
	"sha1_hash": "d763192482368eabd50969edac9c185d98563136",
	"title": "FBI Warns of Maze Ransomware Focusing on U.S. Companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 945155,
	"plain_text": "FBI Warns of Maze Ransomware Focusing on U.S. Companies\r\nBy Ionut Ilascu\r\nPublished: 2020-01-03 · Archived: 2026-04-05 20:18:42 UTC\r\nOrganizations in the private sector received an alert from the F.B.I. about operators of the Maze ransomware focusing on\r\ncompanies in the U.S. to encrypt information on their systems after stealing it first.\r\nThe warning came less than a week after the Bureau warned about the LockerGoga and MegaCortex ransomware threats\r\ninfecting corporate systems.\r\nThe many tricks of Maze ransomware\r\nOn December 23, the F.B.I. shared with private businesses a Flash Alert seen by BleepingComputer to increase awareness\r\nabout Maze ransomware's increased targeting of institutions in the U.S.\r\nhttps://www.bleepingcomputer.com/news/security/fbi-warns-of-maze-ransomware-focusing-on-us-companies/\r\nPage 1 of 4\n\nThe warning is marked TLP: Green, meaning that it is not shareable via public distribution channels, and contains technical\r\ndetails to help organizations avoid falling victim to this threat.\r\nMaze has been operating since early 2019 at a global level but the \"FBI first observed Maze ransomware activity against US\r\nvictims in November 2019.\"\r\nFollowing a network breach, the threat actor first exfiltrates, or steals, company files before encrypting computers and\r\nnetwork shares. The actors then demand a victim-specific ransom in exchange for the decryption key.\r\nThe stolen data serves as leverage to force victims to pay the ransom, under the promise that it would be destroyed once the\r\nattackers get the money.\r\nMaze operators in the past have released data from victims that did not pay them. Two recent examples are the City of\r\nPensacola and Southwire, a manufacturer of cables and wires.\r\nAccording to the F.B.I. 
alert, the threat actors behind Maze ransomware use several methods to breach a network, which\r\ninclude fake cryptocurrency sites and malspam campaigns that impersonate government agencies and security vendors.\r\nThe malware was also seen distributed by exploit kits like Fallout in May 2019, and Spelevo in October 2019 exploiting\r\nunpatched vulnerabilities in Internet Explorer and Adobe Flash (CVE-2018-8174, CVE-2018-15982, and CVE-2018-4878).\r\n\"As of late November 2019, malicious cyber actors posing as government agencies or security vendors deployed Maze\r\nthrough phishing emails containing a macro-enabled Word document attachment. When the embedded macro was executed,\r\nMaze was downloaded and executed to infect the victim machine\" - Federal Bureau of Investigation\r\nThe F.B.I. does not recommend paying the ransom since this action does not guarantee the recovery of the encrypted files or\r\nthe destruction of the stolen data; it would only encourage the threat actors to attack other organizations.\r\nFBI wants the IoCs from victims\r\nProviding indicators of compromise (IoCs) from cyber attacks as soon as possible can help law enforcement in ongoing\r\ninvestigations. 
The name of the victim is not required in such cases but time is of the essence; IoCs should be reported as soon\r\nas possible because their value in the investigation decreases at a fast rate.\r\nThe agency encourages victims to contact local field offices immediately after the discovery of a ransomware incident and\r\nprovide the following information:\r\nRecovered executable file\r\nCopies of the file or other documents suspected to be related to Maze\r\nComplete phishing email file with headers\r\nLive memory (RAM) capture\r\nImages of infected systems\r\nMalware samples\r\nNetwork and Host-Based Log files\r\nEmail addresses of the attackers\r\nA copy of the ransom note\r\nRansom amount and whether or not the ransom was paid\r\nBitcoin wallets used by the attackers\r\nBitcoin wallets used to pay the ransom (if applicable)\r\nTor sites used to contact the attackers\r\nNames of any other malware identified on your system\r\nCopies of any communications with attackers\r\nDocument use of the domains used for communication\r\nIdentification of website or forum where data was leaked\r\nRecommended mitigations\r\nOrganizations can lower the chances of falling victim to a ransomware attack by working with up-to-date software, using\r\nmulti-factor authentication and strong passwords, and by separating the more important systems from the wider access\r\nnetwork.\r\nFurthermore, recovering from ransomware is easier and less expensive when a proper routine exists for creating backups\r\noffline and the integrity of the process is constantly under scrutiny.\r\nIf the attack already happened, the F.B.I. 
recommends the following mitigation steps:\r\nExecute a network-wide password reset\r\nScan system backups for registry persistence\r\nScan system backups for other malware infections, particularly IcedID banking Trojan, Trickbot, and/or Emotet\r\nAudit logs for unexpected network traffic and mitigate as needed\r\nSource: https://www.bleepingcomputer.com/news/security/fbi-warns-of-maze-ransomware-focusing-on-us-companies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fbi-warns-of-maze-ransomware-focusing-on-us-companies/"
	],
	"report_names": [
		"fbi-warns-of-maze-ransomware-focusing-on-us-companies"
	],
	"threat_actors": [],
	"ts_created_at": 1775434215,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d763192482368eabd50969edac9c185d98563136.pdf",
		"text": "https://archive.orkl.eu/d763192482368eabd50969edac9c185d98563136.txt",
		"img": "https://archive.orkl.eu/d763192482368eabd50969edac9c185d98563136.jpg"
	}
}