29 October 2020

Maze ransomware gang prepares for shut down



Cybercriminals behind the Maze ransomware operation are closing down their service. One of the most prominent players in the ransomware field stopped attacking new targets in September 2020 and is now deleting victims from its leak site, Bleeping Computer reports.

The Maze ransomware gang, which has been active since May 2019, was the first group to use the so-called double-extortion tactic, which involves stealing the victim’s data before encrypting the files and releasing the data if the ransom is not paid. The group’s track record includes well-known names such as Southwire, City of Pensacola, Canon, LG Electronics, Xerox, and others.

The double-extortion technique quickly spread to other ransomware operations, including REvil, Clop, and DoppelPaymer, to name a few, which established their own leak sites.

Last month, rumors appeared that the Maze ransomware gang was shutting down its operations. This was later confirmed to Bleeping Computer by a threat actor involved in the Barnes & Noble cyber-attack, which occurred in mid-October. According to the source, the Maze group stopped encrypting new victims in September 2020 and is now trying to get the last payments from its victims.

When asked for confirmation, the Maze ransomware gang said “You should wait for the press release.”

Maze has already started to remove victims that it had listed on its data leak site. At present, the leak site lists two victims and those who previously had all of their data released.

However, the demise of Maze does not necessarily mean that cybercriminals involved in the ransomware operation will cease their activity. In fact, many Maze affiliates have switched over to a newer ransomware operation dubbed Egregor, which appeared in mid-September and quickly became very active.
