The Maze Ransomware Group announced on 1. On 11 November 2020, the company published a press release announcing its official closure. The Labyrinth was one of the pioneers of the double blackmail – stealing data before encrypting the victim’s files. The ransom can be used for both the decryption key and for retrieving or deleting stolen data.
The announcement was made on the 2nd. November released on MalwareHunterTeam-Twitter. The maze group probably discusses four points.
First, he denies that there has ever been a labyrinthine cartel. The existence of the cartel was discussed in various media in the summer of 2020. This seems to be related to the fact that data from rival ransom groups were found on the side of Maze’s shameful victims; but now Maze says there never was a cartel. The labyrinth cartel never existed and still does not exist. It can only be found in the heads of the journalists who wrote it. Anything that now alleges to be related to the maze should be considered fraud, the group said, adding that support for victims, already included on their website, will continue for another month.
The denial of the cartel can be somewhat simplified. Jeremy Kennelly, head of analysis at Mandiant Threat Intelligence, told SecurityWeek that Mandiant had gathered important evidence that MAZE was being exploited through a profit-sharing scheme where several individual criminal groups worked together to commit their crimes – one group managed MAZE’s core infrastructure, and several other individuals and teams worked together to access victim networks and use MAZE software to obtain ransom. In addition, he added that the Mandiant has also seen clear cases where the aforementioned threat actors, such as FIN6, cooperated with MAZE to monetize the robberies by distributing ransoms.
Secondly, the Labyrinthine Group tries to justify its actions. It wasn’t about money – of course not – but about highlighting poor safety practices so that companies can improve. In response to this vision of a group of highly successful blackmailers who have made millions from their attacks, Jamie Hart, cyber threat analyst for Digital Shadows, says his vision of these crimes is somewhat helpful. The group referred to her victims as customers, she said, as if they believed that the victim organizations employed the group indirectly as a security specialist.
Maze further warns that weak security threatens the national infrastructure and that although the Maze does not attack the infrastructure, it is not a Maze, but some radical psychopaths who not only aim to expose security weaknesses, but also cause serious damage.
Thirdly, in the section Why? the group seems to suggest that part of its purpose is to warn that society is betraying its humanity to machines. It’s not a unique point of view. This can almost be regarded as a modern version from the Luddite point of view.
The labyrinthine attitude focuses on the growth of digital currencies. As their value increases, Maze thinks they will be concentrated in the hands of different people. It’s no different from current claims that only a few super-rich families already control the global economy – but Maze believes that these people would then be able to bring down the exchange rate based economy and manage everything online.
At this point, the labyrinth assumes that everything is lost. You won’t even notice when you’re chipped, or your DNA will be the only one with access to the new digital world. Since this will be the only place where you can be paid and consumed. It’s a normal, dark view of the future.
Finally, Maze says he’s coming back. We’ll come back when the world has changed. We’ll be back to show you again and get you out of the maze.
In general, the display is quite normal. Criminals deny that they were motivated by money, but are more concerned with demonstrating the insecurity of their victims – in other words, they were at the service of the public. Looking to the Future is also a science fiction classic – from Orwell 1984 to Wahov Matrix.
Although this may be the end of the Maze brand, the security industry does not believe that the maze operators will tacitly withdraw. Such a service may be interrupted for various reasons, such as conflicts between operators or the consequences of roadside fraud, or it may occur as a result of a check by law enforcement authorities – active or suspected. These services may also be outdated, allowing their operators to find a parallel operation with other malware or another profit-sharing or exploitation model.
The labyrinth threat is probably not over yet, Hart told SecurityWeek. Although the official reason for this announcement is not known, it is possible that the saturation of the takeover market has prompted the group to discontinue its activities. It could also be an exit strategy similar to the one we saw at GhentCrab in 2019. Another option could follow the Maze; some operators would have switched to the Egregor buy-out option. Finally, they can get out of the maze to improve their operational safety and reduce their chances of getting caught.
We have decided with great confidence that many individuals and groups who have worked together to support MAZE’s buy-back services are likely to continue to participate in similar transactions – either to support existing buy-back services or to support new transactions in the future.
That’s what it looks like: Double blackmail: Ransom is a combination of encryption and data theft.
That’s what it looks like: Ransom software operators publish victims’ data online
That’s what it looks like: Maze Ransomware caused a malfunction in the Cognizant.
That’s what it looks like: The kidnappers claim to have hacked the seal of a giant photocopier.
Kevin Townsend is a prominent member of SecurityWeek. He wrote about high-tech problems even before Microsoft was born. Over the past 15 years, he has specialized in information security and has published several thousand articles in dozens of different magazines, from The Times and Financial Times to modern and old computer magazines.
Kevin Townsend’s previous columns: