Maze Ransomware Expanded Double-Extortion Attacks Against Enterprises
The Maze ransomware operation escalated from file encryption to double extortion, stealing data from victims and threatening public leaks unless ransom demands were paid. Sophos reported that the group spent roughly a year refining this model, using intrusions against enterprise networks to maximize pressure on organizations already facing operational disruption from ransomware.
The campaign helped normalize a tactic that later spread widely across the ransomware ecosystem: combining encryption with data theft and public shaming to force payment. Maze’s activity showed how ransomware groups were evolving into full-scale extortion operations, increasing legal, financial, and reputational risk for affected companies beyond the immediate impact of locked systems.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Sophos reports Maze ransomware has operated for one year
Sophos published an analysis stating that Maze ransomware had been extorting victims for one year and was still active at that time.
Maze ransomware hits UK medical research organization
Computer Weekly reported that a UK medical research organization poised to support coronavirus-related work was hit in a Maze ransomware attack. This adds a specific victim disclosure during the early COVID-19 period.
Maze ransomware begins extorting victims
Sophos' reference indicates that the Maze ransomware operation had been extorting victims for one year as of May 12, 2020, implying the campaign began around May 2019.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Maze ransomware: extorting victims for 1 year and counting | SOPHOS
news.sophos.com
Open sourceCyber gangsters hit UK medical firm poised for work on coronavirus with Maze ransomware attack | Computer Weekly
computerweekly.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Maze Ransomware Expanded Double-Extortion Tactics and Targeted Intrusions
The **Maze** ransomware operation evolved from earlier exploit-kit activity associated with “ChaCha ransomware” into a prominent double-extortion threat that stole data before encrypting systems and then pressured victims by publishing stolen files on dedicated leak sites. Operators built a public reputation around naming victims, courting media attention, and using data exposure as leverage to increase the likelihood of ransom payments. Maze infections were delivered through multiple channels, including spam campaigns impersonating government tax agencies and later more targeted compromises through **Remote Desktop Protocol (RDP)** access and network exploitation. Sophos reported that the malware used heavy obfuscation, anti-analysis checks, persistence mechanisms, system and network reconnaissance, **HTTP POST** data exfiltration, and file encryption based on **RSA** and **ChaCha20**, while also showing selective behavior such as adjusting demands for home versus corporate systems and easing pressure in some medical-sector cases during COVID-19.
Jan 1, 2026
RansomHouse Ransomware Upgrades with Double Extortion and Advanced Encryption
RansomHouse, operated by the group known as Jolly Scorpius, has significantly evolved its ransomware-as-a-service (RaaS) platform by integrating a double extortion strategy that combines data theft with encryption. This approach increases pressure on victims by threatening both operational disruption and public data leaks. Since December 2021, RansomHouse has targeted at least 123 organizations across critical sectors such as healthcare, finance, transportation, and government, resulting in substantial financial losses and severe data breaches. The group employs a sophisticated attack chain, with roles divided among operators, attackers, and infrastructure providers, and often gains initial access through spear-phishing or exploiting vulnerable systems. Once inside, attackers use specialized tools to maximize impact, particularly targeting VMware ESXi hypervisors to encrypt large numbers of virtual machines simultaneously, amplifying operational disruption. Recent technical analysis reveals that RansomHouse has upgraded its encryption methods from a simple, linear approach to a more complex, multi-layered technique, making detection and recovery more challenging for defenders. The toolkit includes the 'MrAgent' management and deployment tool, which automates ransomware deployment and maintains persistent connections to command-and-control servers, and the 'Mario' encryptor, which represents the latest advancement in their arsenal. These upgrades, combined with the double extortion model, have made RansomHouse a formidable threat, prompting security vendors to enhance their protective measures and urging organizations to remain vigilant against this evolving ransomware operation.
Mar 21, 2026
Ransomware and Data-Extortion Groups Expand Pressure Tactics as Some Mass-Theft Campaigns Lose Leverage
Ransomware operations are increasingly **industrialized**, shifting from simple file encryption to multi-stage extortion that combines **encryption**, **data theft/leak threats**, **DDoS**, and in some cases direct pressure on third parties such as customers, partners, or regulators. This “quadruple extortion” model has been associated with major groups including **ALPHV/BlackCat**, **CL0P**, and **LockBit**, reflecting a broader trend toward scalable, high-tempo campaigns designed to maximize coercion and revenue. At the same time, incident-response reporting indicates some **zero-day-driven, downstream mass data-theft extortion** campaigns—popularized by **CL0P** against widely used file-transfer platforms—are becoming less effective at driving payments, as organizations better understand that paying for “data suppression” does not remove notification obligations or meaningfully reduce litigation and re-extortion risk. Separately, GuidePoint assessed with high confidence that the new “**0APT**” leak site’s claimed victim list is largely **fabricated** (or recycled from other groups) and likely intended to enable opportunistic extortion, re-extortion, or affiliate fraud; organizations named by 0APT were advised to validate impact via concrete indicators (e.g., ransom note, encryption, direct communication) before treating the posting as evidence of compromise.
Mar 21, 2026