UPDATED 21:12 EDT / NOVEMBER 02 2020

SECURITY

Infamous Maze ransomware group announces it’s shutting down

The infamous Maze ransomware group has announced that it is shutting down operations, but how serious it is and for how long remains open to speculation.

The announcement came via a statement on the dark web that claimed that “Maze Team Project is announcing it is officially closed. All the links to out [sic] project, using of our brand, our work methods should be considered to be a scam.”

Much of the statement is barely literate and at times does not make sense, but among other claims made by the group is that it never actually existed and that it could “be found only inside the heads of the journalists who wrote about it.”

The idea that Maze never existed is spurious; at best, the group could argue that it never existed as a formal group or cartel. Whatever form it took, dozens of ransomware attacks have been attributed to Maze. It’s particularly well-known for popularizing the publication of stolen data when ransoms are not paid. Previously, ransomware attacks primarily focused on encrypting data rather than on data theft and subsequent release.

Notable Maze victims include information technology solutions company Cognizant Technology Solutions Corp. in April, security company Chubb Group Holdings Inc. on March 26 and Hammersmith Medicines Research Ltd., a company developing a COVID-19 vaccine, in an attack that resulted in private data being revealed March 22.

Security researchers are naturally skeptical of the announcement.

“The group stated they would be back, so the Maze threat is likely not finished,” Jamie Hart, cyber threat intelligence analyst at digital risk firm Digital Shadows Ltd., told SiliconANGLE. “Although the official reason for the announcement is unknown, the ransomware market’s oversaturation may have motivated the group to cease operations. It’s also possible that this is a similar exit strategy we witnessed with GandCrab in 2019.”

Another variant may emerge to take Maze’s place, she added, since some operators have reportedly moved to the Egregor ransomware variant. Finally, she said, the group may be moving away from Maze to improve operational security, decreasing the chance of being caught.

“The claim appears legitimate; the site is no longer hosting any new victim organizations, and all previously posted organizations have been archived,” Hart said. “The Maze Group has always referred to their victims as ‘clients’ as if they believed the victim organizations indirectly hired the group as security professionals. It appears the group thinks they are somehow helpful and that the ransom is simply a payment for their ‘help.’”

Lamar Bailey, senior director of security research at cybersecurity solutions company Tripwire Inc., noted that “criminals don’t just have an epiphany and quit being criminals overnight. They shut down an operation when the return on their investment drops below the costs of running the ‘program’ or when they are about to get caught. This is no different.”

Bailey suggested the group is simply switching to something new, such as Egregor. “This is just like that one furniture store in town that is going out of business every few months only to reopen with a new name but with the same people and product,” he said.

Photo: Marsroverdriver/Flickr

 

