Maze
Maze is a ransomware family and ransomware-as-a-service operation first branded as Maze in May 2019; earlier reporting referred to it as “ChaCha ransomware” based on its use of the ChaCha stream cipher. It became one of the first prominent double-extortion ransomware operations, stealing victim data and threatening public exposure through dedicated leak/news sites in addition to encrypting files. Reported delivery and intrusion vectors include exploit kits, spam/phishing emails, malicious Microsoft Word documents with VBA macros that launch PowerShell to download the payload, Remote Desktop Protocol compromise, and other network exploitation methods. Proofpoint-linked TA2101 campaigns in October-November 2019 delivered Maze in Germany and Italy using tax-themed lures impersonating government agencies; one Italian lure used VERDI.doc, which downloaded Maze to %TEMP% and executed it after macros were enabled.
Technically, Maze is described as mostly written in C++ with heavy use of assembly and control-flow obfuscation. It resolves APIs dynamically by hashing their names and includes anti-analysis checks such as IsDebuggerPresent, the PEB BeingDebugged flag, and process-name checks for analysis tools including procmon, procexp, x32dbg, x64dbg, OllyDbg, and the IDA debugger. It has disabled Windows Defender Real-Time Monitoring and attempted to disable endpoint protection services. It checks the system language with GetUserDefaultUILanguage and terminates if the language matches a predefined exclusion list. Maze established persistence via a Windows autorun registry entry and also created scheduled tasks with names such as “Windows Update Security” to launch at a specific time. It queried installed antivirus products through the WMI root\SecurityCenter2 namespace, used WMI/WMIC to delete shadow volumes (attempting deletion both before and after encryption), and called Wow64RevertWow64FsRedirection after the shadow-copy deletion attempts to restore the filesystem redirection state. Maze also used WMI to connect a virtual machine to the victim organization’s network domain.
For command and control and exfiltration, Maze has communicated with hard-coded IP addresses via HTTP and exfiltrated host data over HTTP POST on port 80 using WS2_32.dll. FireEye reported the MAZE group using RDP over the Ngrok tunneling service as an alternative command-and-control channel. Encryption is reported to combine RSA with the ChaCha20 stream cipher. Maze skips specific directories and file types, drops the ransom note DECRYPT-FILES.txt and the wallpaper file 000.bmp, and can play a synthesized voice alert via the Microsoft Speech API. The victim portal reportedly required the DECRYPT-FILES.txt file for identification, offered a chat window for negotiation, and allowed upload of three image files as proof of free decryption.
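As a defender's detection example (added here; not code from the original page or from any vendor report), the following Python scans Sysmon-style process-creation and file-create events for the host behaviours described in the two paragraphs above: WMIC shadow-copy deletion, the “Windows Update Security” scheduled task, Run-key persistence, Defender real-time monitoring being switched off, and the DECRYPT-FILES.txt ransom note. The field names (Host, Image, CommandLine, TargetFilename) and the sample events are assumptions constructed for the example.

```python
import json
import re

# (rule name, event field, pattern); fields assume a Sysmon-like schema (Host, Image, CommandLine, TargetFilename).
RULES = [
    ("shadow_copy_deletion", "CommandLine",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("suspicious_scheduled_task", "CommandLine",  # task name reported for Maze
     re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b.*Windows Update Security", re.I)),
    ("run_key_persistence", "CommandLine",  # autorun registry entry
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run(?:Once)?\b", re.I)),
    ("defender_realtime_disabled", "CommandLine",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(?:\$true|1)\b", re.I)),
    ("ransom_note_dropped", "TargetFilename",
     re.compile(r"(?:^|\\)DECRYPT-FILES\.txt$", re.I)),
]

def match_event(event):
    """Return the names of every rule that fires for one event dict."""
    return [name for name, field, pat in RULES if pat.search(str(event.get(field) or ""))]

def scan(lines):
    """Scan newline-delimited JSON events and return (host, rule) pairs in order."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):  # skip malformed or non-object lines
            continue
        for name in match_event(event):
            findings.append((event.get("Host", "?"), name))
    return findings

# Constructed sample telemetry (not real data); a benign WMIC query and a
# malformed line are included to exercise the filter and the error path.
SAMPLE_EVENTS = [
    r'{"Host":"ws01","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic shadowcopy delete"}',
    r'{"Host":"ws01","Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks /create /tn \"Windows Update Security\" /tr C:\\Users\\Public\\upd.exe /sc once /st 13:00"}',
    r'{"Host":"ws02","Image":"C:\\Windows\\System32\\reg.exe","CommandLine":"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\Users\\Public\\upd.exe"}',
    r'{"Host":"ws02","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell Set-MpPreference -DisableRealtimeMonitoring $true"}',
    r'{"Host":"ws02","Image":"C:\\Users\\Public\\upd.exe","TargetFilename":"C:\\Users\\alice\\Documents\\DECRYPT-FILES.txt"}',
    r'{"Host":"ws03","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic shadowcopy list brief"}',
    "this line is not JSON",
]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Any one of these rules alone is noisy in an enterprise; the value is in several firing on the same host within a short window, which is the pattern the paragraphs above describe.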
Maze is associated with the Maze gang/MAZE group and is also referenced in reporting on affiliates and the broader criminal ecosystem. Multiple security companies assessed ties between former Maze affiliates and Egregor. Reporting also states that FIN7 expanded into ransomware deployment through affiliations with REvil and Maze, and CERT-FR documented Lockean using Maze among several RaaS families. DoppelPaymer has been described as sharing tactics and much code with BitPaymer and Maze. Victims named in public reporting include Allied Universal, Canon, Southwire, the City of Pensacola, LG Electronics, Xerox, and others. In the Canon incident, Maze was reported to have stolen 10 TB of data and deployed encryption on August 5, 2020. Maze shut down operations on November 1, 2020.
Vulnerabilities exploited
3 CVEs correlated with this family across public research and vendor advisories.
The Windows Background Intelligent Transfer Service (BITS) is vulnerable to a privilege elevation vulnerability... Actors exploiting this vulnerability commonly used the proof of concept code released by the security researcher... The exploit was used in Maze and Egregor ransomware campaigns.
"Since November 2019, we’ve seen the MAZE ransomware being used in attacks that combine targeted ransomware use, public exposure of victim data, and an affiliate model."
Groups observed using it
10 distinct threat actors attributed by public researchers.
In 2023, FIN7 expanded its operations to include the deployment of ransomware through affiliations with RaaS groups such as REvil and Maze, while also managing its own RaaS programs, including the now-retired Darkside and BlackMatter.
In 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families.
Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (5 techniques)
Public reporting repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution.
Citrix ADC maintains a vulnerable Perl script (newbm.pl) that, when accessed via HTTP POST request ... allows local operating system (OS) commands to execute. Attackers can use this functionality to upload/execute command and control (C2) software ... and gain unauthorized access to the OS.
Persistence (3 techniques)
Public reporting repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.
Privilege Escalation (4 techniques)
The Windows Background Intelligent Transfer Service (BITS) is vulnerable to a privilege elevation vulnerability ... An actor can exploit this vulnerability to execute arbitrary code with system-level privileges.
Stealth (3 techniques)
Public reporting repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
APT-C-36 has used a macro function to set scheduled tasks, disguised as those used by Google.
“AppleJeus delivered components using a Windows Installer package (.msi)… executed the 3CXDesktopApp.exe…”, “APT38 has used msiexec.exe to execute malicious files.”, “Rancor has used msiexec to download and execute malicious installer files over HTTP.”, “TA505 has used msiexec to download and execute malicious Windows Installer files.”
Discovery (3 techniques)
Public reporting repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Public reporting repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Examples include "Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found," "DropBook has checked for the presence of Arabic language," and "Maze has checked the language of the infected system using the GetUserDefaultUILanguage function."
Command and Control (1 technique)
Exfiltration (3 techniques)
“exfiltrating data to FTP servers using a base64-encoded PowerShell script…” and “used WinSCP to exfiltrate data to an attacker-controlled FTP server,” plus mapping “T1048: Exfiltration Over Alternative Protocol.”
Impact (4 techniques)
Attackers move directly to deploying ransomware by editing a Group Policy.
Examples include 'Avaddon uses wmic.exe to delete shadow copies,' 'BlackCat can use wmic.exe to delete shadow copies on compromised networks,' and 'WannaCry utilizes wmic to delete shadow copies.'
Other (2 techniques)
Public reporting repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.
Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.
IOCs tracked for this family
74 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering network infrastructure (IPs, domains, DNS), file hashes (MD5, SHA-1, SHA-256), and other indicator types from public reporting.
Recent activity
88 sources tracked across advisories, community write-ups, and news.
Ransomware family referenced as a group FIN7 previously collaborated with (contextual association, not necessarily tied to the specific Veeam CVEs in this article).
Ransomware family referenced in connection with a rumored 2020 breach impacting Cognizant.
Ransomware referenced in the context of tactics involving disabling services prior to encryption.
References
https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/