Maze Ransomware: In-Depth Analysis, Detection, and Mitigation

Since its discovery in 2019, Maze ransomware has consistently made headlines due to its infamous attacks on MSPs and its ability move laterally to other networks. Although this particular strain of ransomware has been used to attack businesses and governmental organizations, its attacks on MSPs are worrying since a single compromise can create a cascade effect on the MSP’s clients, their business partners, and so on.

Maze was reportedly shut down in 2020, but there still exist numerous similar ransomware strains posing threats to businesses around the world today. A deeper understanding of Maze ransomware may help organizations strengthen their cybersecurity defenses against similar types of ransomware attacks in the future. However, the best protection against ransomware in general typically comes in the form of an XDR solution with intelligent threat detecting capabilities.

Maze Ransomware

What Is Maze Ransomware?

Like other types of ransomware, Maze typically demands cryptocurrency payment in exchange for a decryption key to recover stolen data. However, like REvil ransomware, Maze ransomware also utilizes double extortion. If a victim refuses to pay the ransom, the threat actors behind the ransomware attack usually threaten to leak confidential data online. The ability of this malware strain to combine the negative effects of ransomware (e.g., reduced productivity and lost data) with the consequences of a data breach (e.g., privacy violations and data leaks) makes Maze ransomware a particularly concerning threat for organizations.

However, since Maze ransomware has been used to target a variety of organizations around the world and across industries, it can be difficult to pinpoint its potential targets.

The ransomware itself comes in the form of a 32 bits binary file, typically under the guise of an .exe or .dll file. Once the malware has been deployed, it encrypts user files and generates a ransomware payment demand. Additionally, Maze ransomware has been known to copy user data, create backdoors for continued access, and make attempts to spread within the network and beyond. The code itself is sophisticated, including obfuscation techniques intended to evade security techniques and teams.

Due to the wide variety of organizations hit by Maze ransomware, the FBI issued a specific warning against this type of ransomware and believes it is operated by several different groups.

Maze Ransomware History

Discovered in 2019 by Malwarebytes researcher Jerome Segura, Maze ransomware (also known as ChaCha) is believed to be another type of ransomware offered as Ransomware-as-a-Service. Since then, Maze ransomware has been used extensively as the final payload by many different actors around the world.

Maze ransomware is also known for popularizing the use of double extortion as part of its operations. In 2020, Maze operators notoriously began extorting companies; not just by encrypting files, but also through threatening to publish exfiltrated files online. However, in some cases, threat actors have also been known to sell stolen data even after collecting both fees, often without the target’s knowledge. Maze was one of the earliest adopters of this multi-pronged extortion approach, which is now commonplace.

The ransomware group that created Maze also operated a website where it listed recent victims and published stolen data and documents as proof of their attacks. Additionally, the Maze website often included social media links for sharing the stolen data.

At the end of 2020, the Maze ransomware group issued a statement announcing it was shutting down its operations and its website. The group stated that its attacks were intended to raise awareness of cybersecurity and that they had chosen not to execute attacks against high-profile targets such as the New York state government and several internet service providers (ISPs), even though they had access to their IT systems.

However, the Maze ransomware group may still be active under a different name, as is often the case with these types of threat actor groups.

What Is the Maze Ransomware Website?

As mentioned above, the Maze ransomware group operated a website on the dark web where they published a list of victims and posted exfiltrated data as proof of their successful attacks. The website also included social media links for sharing the stolen data.

When the Maze ransomware group announced that it was shutting down its operations in 2020, they also claimed that they would no longer be updating their website. In their announcement, the group said that any victims who wanted their data removed from the website could contact the group’s support chat to make the request.

What Does Maze Ransomware Target?

Maze ransomware typically targets large organizations, particularly those in the healthcare, financial, engineering, and government sectors. The technology industry has been heavily targeted by Maze ransomware as well.

Since Maze ransomware often targets MSPs, the attacks can spread to clients

How Does Maze Ransomware Work?

Maze ransomware spreads by exploiting vulnerabilities in the operating system or applications, sending malicious links or email attachments containing malicious code, or using brute force to guess passwords. The ransomware can also be spread through malicious websites, malicious advertisements, and exploits kits.  Specific exploits targeted by Maze ransomware include CVE-2019-11510 (Pulse Secure VPN) and CVE-2018-8174 (MIcrosoft Internet Explorer).

Maze Ransomware Technical Details

Maze operators often customize their payloads to improve stealth capability on target machines. For example, on systems running RabbitMQ, Maze operators will specifically spawn into the RabbitMQ processes to capitalize on the existing ‘infrastructure’. Maze operators have also been observed weaponizing the Java Updater mechanism for similar purposes. On April 17th, it was reported that a large enterprise-class, managed service provider (Cognizant) fell victim to a Maze ransomware attack. This particular campaign includes a signed DLL payload (kepstl32.dll). Upon infection, the trojan will drop a customized desktop image into %temp%, and then traverse the disk, encrypting supported file-types. A copy of the ransom instructions “DECRYPT-FILES.txt” is dropped into each folder containing encrypted files. As with previous variants of Maze, the trojan will attempt to inhibit recovery by deleting shadow copies via WMIC.exe (wmic.exe shadowcopy delete).


How to Detect Maze Ransomware

The SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with Maze.



In case you do not have SentinelOne deployed, detecting this ransomware requires a combination of technical and operational measures, which are designed to identify and flag suspicious activity on the network. This allows the organization to take appropriate action, and to prevent or mitigate the impact of the ransomware attack.

  1. Use antimalware software, or other security tools, which are capable of detecting and blocking known ransomware variants. These tools may use signatures, heuristics, or machine learning algorithms, to identify and block suspicious files or activities.
  2. Monitor network traffic, and look for indicators of compromise, such as unusual network traffic patterns, or communication with known command-and-control servers.
  3. Conduct regular security audits and assessments, to identify vulnerabilities in the network and the system, and to ensure that all security controls are in place and functioning properly.
  4. Educate and train employees on cybersecurity best practices, including how to identify and report suspicious emails, or other threats.
  5. Implement a robust backup and recovery plan, to ensure that the organization has a copy of its data, and can restore it in case of an attack.

Here  are several steps your organizations can take if you suspect a ransomware attack is undergoing on your network:

Disconnect infected devices from the network

To prevent the ransomware from spreading and to isolate the threat, it is important to disconnect infected devices from the network as soon as possible. This can be done by unplugging the device, or by disabling the network adapter, or by disconnecting the device from the network through the network switch or router.

Run a malware scan

To remove Maze ransomware, it is recommended to run a malware scan on the infected device using anti-malware software, such as antimalware or anti-ransomware. This will identify and remove the ransomware, as well as any other malware that may be present on the device.

Restore from backups

To recover the encrypted files, it is recommended to restore from backups, if available. This can be done by restoring the files from a recent backup or by using a backup system, such as a backup server or a cloud backup service.

Consult with experts

If the ransomware cannot be removed, or if the encrypted files cannot be restored, it may be necessary to consult with security experts, such as forensic experts or incident response teams. These experts can help to assess the damage, to restore systems, and to prevent future attacks.

How to Mitigate Maze Ransomware

  • The SentinelOne Singularity XDR Platform prevents Maze infections.
  • The SentinelOne Singularity XDR Platform will restore systems to their pre-infection state (via Repair or Rollback)

In case you do not have SentinelOne deployed, there are several steps that organizations can take to mitigate the risk of ransomware attacks:

  1. Educate employees: Employees should be educated on the risks of ransomware, and on how to identify and avoid phishing emails, malicious attachments, and other threats. They should be encouraged to report suspicious emails or attachments, and to avoid opening them, or clicking on links or buttons in them.
  2. Implement strong passwords: Organizations should implement strong, unique passwords for all user accounts, and should regularly update and rotate these passwords. Passwords should be at least 8 characters long, and should include a combination of uppercase and lowercase letters, numbers, and special characters.
  3. Enable multi-factor authentication: Organizations should enable multi-factor authentication (MFA) for all user accounts, to provide an additional layer of security. This can be done through the use of mobile apps, such as Google Authenticator or Microsoft Authenticator, or through the use of physical tokens or smart cards.
  4. Update and patch systems: Organizations should regularly update and patch their systems, to fix any known vulnerabilities, and to prevent attackers from exploiting them. This includes updating the operating system, applications, and firmware on all devices, as well as disabling any unnecessary or unused services or protocols.

Implement backup and disaster recovery: Organizations should implement regular backup and disaster recovery (BDR) processes, to ensure that they can recover from ransomware attacks, or other disasters. This includes creating regular backups of all data and systems, and storing these backups in a secure, offsite location. The backups should be tested regularly, to ensure that they are working, and that they can be restored quickly and easily.

Purpose Built to Prevent Tomorrow’s Threats. Today.
Your most sensitive data lives on the endpoint and in the cloud. Protect what matters most from cyberattacks. Fortify every edge of the network with realtime autonomous protection.