Reports claim that the Maze ransomware group is shutting down its service soon. Since September this year, the group has stopped attacking any new targets and has been deleting the victims from its leak site.
This was tipped by a threat actor to BleepingComputer and is yet to be confirmed by the Maze group. Further, the current affiliates of the Maze group are fleeing to the Egregor ransomware group.
Maze Ransomware Ceasing Business
Maze ransomware group has grown to be one of the highly recognized names in the cybercrime space. The group’s track record contains notable names like the LG, Xerox, San Antonio Aerospace, Banco BCR, Allied Universal, etc. Its remarkable achievement is the invention of a double-coercion strategy, where it threatens the victim with more control.
Changing the mode of ransomware attacks, the Maze group started stealing the targets’ sensitive data before encrypting them. This gives them an edge of pushing the victim’s more to pay them.
Having sensitive data in hand means threatening them to pay the ransom in a more demanding way. If the victim fails to pay the ransom in time, they’d then publish them openly on the internet.
This method was soon followed by other ransomware groups like REvil, Ryuk, Mount Locker, Clop, etc. After popularising such techniques, the Maze group is rumored to shut down from its business. This was tipped by a threat actor involved in the Barnes & Noble attack, where he informed BleepingComputer that Maze is going null soon.
Further, a question regarding this by BleepingComputer to Maze ransomware group directly has garnered a response as “You should wait for the press release.” Well, it’s observed that Maze has been delisting the victims from its leak site, hinting the closure is imminent. As of now, there is were only two victims and others who had their data published on the leak site.
It’s also reported that the Maze group’s current affiliates are now shifting to new groups as Egregor and Sekhmet, which has been rising recently when Maze lost its pace. It’s common for ransomware operators to pull down the name and move onto new groups of the same activity. But, it’s just interesting to see if they dump the free decryptors as others when closed.