Maze ransomware gang prepares for shut down

Cybercriminals behind the Maze ransomware operation are closing down their service. In September 2020, the group, one of the most prominent players in the ransomware field, stopped attacking new targets, and it is now deleting victims from its leak site, Bleeping Computer reports.

The Maze ransomware gang, which has been active since May 2019, became the first group to use the so-called double-extortion tactic, which involves stealing the victim’s data before encrypting the files and releasing the data if the ransom is not paid. The group’s track record includes highly recognized names such as Southwire, City of Pensacola, Canon, LG Electronics, Xerox, and others.

The double-extortion technique has quickly spread to other ransomware operations, including REvil, Clop, and DoppelPaymer, to name a few, which established their own leak sites.

Last month, rumors appeared that the Maze ransomware gang was shutting down its operations. This was later confirmed to Bleeping Computer by a threat actor involved in the Barnes & Noble cyber-attack, which occurred in mid-October. According to the source, the Maze group had stopped encrypting new victims in September 2020 and is now trying to get the last payments from its victims.

When asked for confirmation, the Maze ransomware gang said “You should wait for the press release.”

Maze has already started to remove victims that it had listed on its data leak site. At present, there are two victims on the leak site, along with those who previously had all of their data released.

However, the demise of Maze does not necessarily mean that cybercriminals involved in the ransomware operation will cease their activity. In fact, many Maze affiliates have switched over to a newer ransomware operation dubbed Egregor, which appeared in mid-September and quickly became very active.
