The “Maze” Ransomware Operation Is Closing Shop After a Successful Year

Last updated September 28, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

According to rumors that circulate the dark web alleys, the “Maze” ransomware group is preparing to wrap up its operations and shut down all channels of activity. This process has been taking place for six weeks already, and indeed, Maze’s activity has waned recently.

The data leak site also seems to be undergoing a cleaning process, with victim entries and files being removed. Bleeping Computer did an investigation on these rumors and confirmed that Maze is soon to make the shutdown official via a relevant press release.

Maze has had a very successful year and a pretty active summer, so seeing it readying to stop here is weird, to say the least. The particular group followed the catastrophic encryption-stealing combination technique that leveled-up extortion in 2020. This approach is now a standard among all notorious ransomware groups, but Maze was among those who pioneered it.

A potential explanation for this move is that Maze has had its source or its keys leaked, a high-ranking hacker or operator fears identity exposure, or there has been an event that brought discord in the core team. Or even more likely, Maze has made all the money they can use in their lives, so this is the time to say goodbye and disappear. Whatever the reasons for the shutdown are, they will remain a mystery until the relevant announcement is out. Even then, we may not get to know the specifics.

As for what happens with those who participated in the Maze ransomware operations, they are not expected to seek “real jobs” now. Instead, experts in the field believe that they will hop to “Egregor,” a rising ransomware operation that also involves Russian-speaking hackers. We should also not forget about the “SunCrypt,” which is actually part of the Maze cartel. Hackers moving around is always what happens when a RaaS operation calls it a day, so we expect to see nothing different this time.

If you are dealing with a Maze infection on your computer or network, this is a time to be patient. Usually, when ransomware operations officially end, the hackers release the relevant master keys to the public so that everyone can decrypt their files for free.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: