Maze Ransomware
What is Maze Ransomware?
Maze Ransomware: A 2019-2020 ransomware operation that pioneered double-extortion, encrypting victims while threatening to publish stolen data on a dedicated leak site.
Maze was a ransomware operation active from 2019 to mid-2020 that pioneered the double-extortion model now standard across the industry: operators encrypted files and threatened to publish stolen data on a dedicated leak site unless the victim paid. Notable victims included Cognizant, Canon, Xerox and the city of Pensacola. Maze affiliates exploited weak RDP, phishing and known vulnerabilities for initial access, leveraged Cobalt Strike for hands-on operations, and used the leak site to pressure victims and shame non-payers. The crew formally retired in November 2020; many affiliates and tooling moved to Egregor and Sekhmet, perpetuating the model.
● Examples
- 01: Cognizant publicly discloses a Maze infection that cost more than 50 million USD in remediation and lost revenue.
- 02: An organization preemptively publishes its own breach details to nullify Maze's leverage on the leak site.
● Frequently asked questions
What is Maze Ransomware?
A 2019-2020 ransomware operation that pioneered double-extortion, encrypting victims while threatening to publish stolen data on a dedicated leak site. It belongs to the Malware category of cybersecurity.
How do you defend against Maze Ransomware?
Defences for Maze Ransomware typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Maze Ransomware?
Common alternative names include: Maze Team, ChaCha ransomware.
● Related terms
- Ransomware (malware, № 900): Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
- Cobalt Strike (defense-ops, № 193): A commercial adversary-simulation platform widely used for red-team operations and frequently abused by threat actors for post-exploitation and command-and-control.