Maze operators claim they are shutting down

FBI Director Christopher Wray participates in a discussion with Brookings Institute security analyst Susan Hennessey during the RSA Conference on March 5, 2019, in San Francisco, California. As recently as January, the FBI has warned the private sector of the so-called Maze ransomware group. (FBI)

One of the most powerful ransomware cartels on the web claims they are shutting down operations.

In a bizarre open letter posted to their public website and dated Nov. 1, representatives from the group claimed in broken English that their “project” is “officially closed,” and that the group never had any partners and doesn’t plan to bless any successor groups in the future.

“All the links to ou[r] project, using of our brand, our work methods should be considered to be a scam,” the letter said. “We never had partners or official successors. Our specialists do not works with any other software. Nobody and never will be able to host new partners at our news website. The Maze cartel was never exists and is not existing now. It can be found only inside the heads of the journalists who wrote about it.”

In an unsurprising twist, Maze group claims that the primary purpose of its work all along was not to extort businesses, schools and critical infrastructure out of millions of dollars for their own profit, but rather to “remind you about secure data storage" and fight against the way “our world is sinking into recklessness and indifference” due to poor cybersecurity practices. They claim to have had access to major internet providers and “state life support systems” in New York and other states but opted not to use that access to cause carnage.

The letter gets progressively more bizarre, warning that the rising value and consolidation of cryptocurrencies like Bitcoin will lead to “digital detention camps,” DNA or tracking chips placed inside the population and widespread measures of social control.

“You are calling the ones who are killing your mind as your friends and support. And you also calling the ones who are showing you your weakness as the foes and mobsters. The modern world is confusing the cause and the effect, the good and the evil,” they wrote.

Few expect Maze to truly close down operations, and the group itself warns it “will be back to you when the world is transformed.”

Bleeping Computer first reported on the Maze letter.

Allan Liska, an intelligence analyst at Recorded Future who specializes in ransomware, told SC Media that nobody should take the Maze claims at face value. Ransomware groups sometimes go quiet or retool if they think or know law enforcement is on their tail, and he cited similar actions by another ransomware group, GrandCrab, who last year “retired” before returning in September.

“Their whole message is a load of crap,” said Liska. “I don't know why they are shutting down at this time, but they have been moving operations over to Egregor for several months.”

While the group has been winding down for weeks, the announcement comes a week after widespread attacks against U.S. and European hospitals by another ransomware family, Ryuk, resulted in a massive public backlash. The scope and brazenness of the attack shocked even veteran cybersecurity professionals and raised new questions about whether more aggressive actions or authorities are needed to prevent such groups from hitting public health infrastructure in the middle of a global pandemic.

It also comes during a banner year for ransomware that has raised the profile of these criminal groups to new heights and attracted increased law enforcement attention. Maze Group has been one of the most notorious leaders of the pack, partnering with other criminal hackers and malware developers to share tools and profits from successful compromises. It has also helped to pioneer a cartel-like structure and “double extortion” tactics that have since been mimicked by others. According to analysis by FireEye, over 100 Maze victims have been reported over just the past year alone, hitting nearly every geographic region and industrial sector.

“We have observed a decline in Maze infections and leaks recently,” said Adam Meyers, vice president of intelligence at CrowdStrike. The group may be looking to avoid potential law enforcement by closing up shop, he said, or there could be a rift within the criminal group. If the former, "They may reestablish themselves under a different name."

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.