On November 1, the cybercriminals behind Maze ransomware announced their retirement. Is this a reason to go all out and celebrate? We’re afraid not.

The threat actors behind Maze ransomware have announced their retirement. On November 1, they posted the retirement announcement on the website where they would normally name and shame victims who were unwilling to pay the ransom.

Image courtesy of Graham Cluley

“The Project is closed.

Maze Team Project is announcing it is officially closed.

All the links to out project, using of our brand, our work methods should be considered to be a scam.

We never had partners or official successors. Our specialists do not works with any other software. Nobody and never will be able to host new partners at our news website. The Maze cartel was never exists and is not existing now. It can be found only inside the heads of the journalists who wrote about it. Attention to everyone who wants for its private information to be deleted from our news website. You can contact to Maze support chat. Support will be continued for a month after the press release.”

The Maze gang was known for introducing an extra way to create leverage against victims. Not only did the attackers lock organizations’ data up, they also stole the data and threatened to publish it if the ransom was not paid, giving victims another compelling reason to pay up, especially if the data was of a sensitive nature.

So it’s ironic that in the rest of the spelling error-ridden statement, the cybercriminals assume the posture of a group of people out to improve the world rather than line their own pockets, as if raising awareness of security flaws and the danger of Bitcoin was the attackers’ real goal. If they set out to ease their conscience, we would have preferred them to publish their master decryption keys.

Did the Maze gang retire unexpectedly?

Not really. At Malwarebytes we saw detections drop over the last month after a steep peak in August.

Number of Maze detections since June 2019

We suspect this is a result of the fact that many of their affiliates have moved to a new family, Egregor aka Ransom.Sekhmet. A week earlier, BleepingComputer reported that the Maze gang had stopped seeking out and encrypting new victims some time in September. The gang also cleaned up its data leak site and seemed to be busy extorting its final victims.

Will the Maze ransomware gang truly retire?

We will have to wait and see—history has shown us that when a crime group decides to close its doors, it’s rarely because the criminals have seen the error of their ways. It’s more often due to a new, more powerful threat that the threat actors would prefer to use.

So, with businesses now being targeted with the next ransomware and no sign of hope for victims of the past, we see no reason to be particularly happy about this. We do, however, see plenty of reasons for businesses to look at their protection against brute force and other attacks on their RDP ports.

We will keep you posted on any new developments, as always.

Stay safe, everyone!