Bleeping Computer reports that the well-known Maze ransomware, active since May 2019, has been discontinued. The authors of Maze appear to have followed the example of their "colleagues" behind GandCrab, who shut down development of that malware in the middle of last year.
Journalists point out that it was the Maze operators who set a new trend among cybercriminals as the first to use "double extortion". In 2019, the hackers began not only to encrypt their victims' data but also to publish files stolen from the attacked companies if those companies refused to pay. Maze operators set up a dedicated website for such "leaks", and other groups soon followed suit, including Sodinokibi, DoppelPaymer, Clop, Sekhmet, Nephilim, Mespinoza, and Netwalker, all of which also began using stolen data as additional leverage against victims.
Rumors that Maze was winding down began reaching journalists back in September 2020. Some time ago, an attacker who took part in the recent Barnes & Noble hack contacted Bleeping Computer.
The criminal said that his role in ransomware attacks was to break into company networks and steal Windows domain credentials. Access to the compromised networks is then passed on to affiliates, who deploy the ransomware on the victim's network. The intrusion specialists, the affiliates, and the ransomware developers then split the ransom that is paid.
In a conversation with Bleeping Computer, the hacker said that Maze is shutting down: the malware's creators have not encrypted any new victims since September 2020 and are currently trying to collect the remaining ransoms from companies attacked earlier.
When journalists tried to contact the Maze developers themselves, they replied that they would not comment on these rumors and advised them to "wait for the official press release." However, the publication notes that this week the Maze operators began cleaning up their "leak site", which currently lists only two victims, along with data from companies whose files had previously been published in full.
Ransomware operators who wind down their operations often publicly release all the keys needed to decrypt victims' data (the creators of Crysis, TeslaCrypt, and Shade did this, for example). Bleeping Computer journalists therefore asked the authors of Maze whether they planned to do the same, but received no answer.
Interestingly, many Maze "partners" have already switched to the Egregor ransomware, which became active in September 2020, just as the Maze authors began scaling back their operations.
Security experts believe that Egregor is built on the same code base as the Maze and Sekhmet ransomware. Moreover, these malware families use almost identical ransom notes and payment-site names, and their source code is largely similar.
The hacker who spoke to reporters also confirmed that Maze, Sekhmet, and Egregor are essentially the same thing. In turn, information security specialist Michael Gillespie, who studied Sekhmet and Egregor, found that Egregor victims who paid the ransom were sent a decryption tool called Sekhmet Decryptor.
The publication's journalists conclude that the shutdown of a particular ransomware operation does not mean its authors have retired. More often than not, the hackers simply switch to new software and continue their ransomware operations.