Maze

Maze was a financially motivated ransomware operation active from approximately May 2019 until its reported shutdown in November 2020. It was previously identified as “ChaCha ransomware,” and is widely recognized for pioneering and popularizing double extortion: stealing victim data before encryption and threatening to publicly leak it if ransom demands were not met. Maze operated dedicated victim negotiation infrastructure and a public leak/news site on Tor and the public Internet, published victim data after missed deadlines, and at times issued public statements or “press releases” to increase pressure. Known aliases and closely associated names mentioned in the content include ChaCha ransomware; the content also states many Maze affiliates later moved to Egregor, and reporting cited in the content says Maze, Sekhmet, and Egregor may share software lineage. The content also links Maze operations to “Twisted Spider.” Maze targeted enterprises and other organizations, including Allied Universal, Southwire, the City of Pensacola, Canon, LG Electronics, and Xerox. The content describes Maze as a human-operated, enterprise-targeting ransomware that laterally moved in victim environments, sought administrative or domain-level access, and stole unencrypted files before deploying encryption. Delivery and intrusion methods directly mentioned in the content include exploit kits, spam emails, Remote Desktop Protocol attacks, and other network exploitation; one campaign impersonated government tax agencies in Germany and Italy via malicious documents with VBA macros. The content also notes Maze intrusions have involved exposed RDP, compromised Domain Administrator accounts, and publicly reachable vulnerable systems. Technically, Maze is described as mostly written in C++ with heavy assembly use and control-flow obfuscation. Reported capabilities include dynamic API resolution by hashing API names; anti-analysis checks such as IsDebuggerPresent, PEB.BeingDebuggedFlag, and process-name checks for analysis tools; persistence via Windows autorun registry entries; deletion of shadow copies via WMIC.exe; antivirus discovery through WMI root\SecurityCenter2; host-data exfiltration to command-and-control over HTTP POST on port 80 using WS2_32.dll; and file encryption using RSA and ChaCha20. Maze dropped a DECRYPT-FILES.txt ransom note and 000.bmp wallpaper, could play a synthesized voice alert via Microsoft Speech API, and used command-line switches including --nomutex, --logging, --noshares, and --path. The content also states Maze attempted to delete shadow volumes both before and after encryption. Operationally, Maze used negotiation portals that identified victims via DECRYPT-FILES.txt, offered limited free decryption proof, and provided chat-based negotiation. The group publicly claimed it would delete stolen data after payment. The content states Maze announced in March 2020 that it would stop attacks on medical organizations until the COVID-19 situation stabilized, and in one case withdrew posted data and backed off blackmail demands against the City of Pensacola after the naval air station shooting. Maze also formed a reported ransomware “cartel” with Ragnar Locker and LockBit to share information and tactics. The operation reportedly stopped encrypting new victims in September 2020, began removing victims from its leak site, and shut down on November 1, 2020.