Maze
Maze is a ransomware family and ransomware-as-a-service (RaaS) operation widely recognized for helping establish the double-extortion model, in which operators steal data from victim networks and threaten to leak it in addition to encrypting systems. The content describes Maze as one of the first prominent double-extortion ransomware groups and notes that it was active from approximately May 2019 until shutting down operations on November 1, 2020.
Observed behavior includes disabling dynamic-analysis and security tools such as the IDA debugger, x32dbg, and OllyDbg; disabling Windows Defender Real-Time Monitoring; and attempting to disable endpoint protection services. Maze checks the system UI language with GetUserDefaultUILanguage and terminates if the returned language matches a predefined exclusion list. It attempts to delete volume shadow copies on infected machines both before and after encryption, including via WMI, and calls Wow64RevertWow64FsRedirection after the shadow-copy deletion attempts to restore the WOW64 filesystem redirection it had disabled (that API only matters for a 32-bit process on 64-bit Windows, where redirection would otherwise send its System32 paths to SysWOW64). The malware has also used WMI to connect a virtual machine to the victim organization's network domain. For execution or persistence, Maze has created scheduled tasks with names such as "Windows Update Security" to launch at a specified time.
The content also links Maze to exploitation activity: Maze and Egregor campaigns used CVE-2020-0787, and Maze was identified among ransomware families seen in broader hands-on intrusions following mass-malware footholds. Microsoft reporting cited ELBRUS/FIN7 as transitioning from point-of-sale malware to ransomware and deploying Maze and REvil as part of financially motivated extortion activity.
Victimology in the provided content includes healthcare organizations during the COVID-19 period and multiple named victims such as Canon, Allied Universal, Southwire, the City of Pensacola, LG Electronics, and Xerox. In the Canon incident, reporting attributed the August 2020 outage to Maze; the group allegedly stole 10 TB of data and private databases, and Canon later confirmed attackers stole employee-related data from servers. The content also notes Maze’s role as a reference point for later extortion actors and tactics, including comparisons with DoppelPaymer, LockBit, Babuk, and REvil.
High-confidence indicators and artifacts directly mentioned in the content include use of GetUserDefaultUILanguage, Wow64RevertWow64FsRedirection, WMI-based shadow copy deletion, and scheduled task names including variants such as "Windows Update Security."
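The behaviors listed above (shadow-copy deletion via vssadmin or WMI, Defender real-time monitoring switched off, and a scheduled task created under the "Windows Update Security" name) all surface in process-creation telemetry, so they can be hunted together. The script below is an added example written for this page; it is not code from Mallory, from the cited reports, or from the Maze operators. It assumes Sysmon Event ID 1 style records with Computer, RecordId and CommandLine fields, and the rule names and sample records are constructed for the example. It also covers the WMI shadow-copy deletion and scheduled-task entries in the Impact, Execution and Persistence sections further down.

```python
"""Hunt for Maze-style pre-encryption behaviour in process-creation telemetry.

Added example, not code from the Mallory page or from Maze itself. Assumes
Sysmon Event ID 1 style records (Computer, RecordId, CommandLine); the rule
names and the sample records are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    record_id: int
    rule: str
    command_line: str


# Each pattern is matched case-insensitively against the whole command line.
# They are deliberately narrow: `vssadmin list shadows`, `schtasks /query`
# and `Get-MpPreference` are routine admin activity and must not fire.
RULES = {
    # Shadow copy deletion with the native tool
    "shadow_copy_delete_vssadmin": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    # Shadow copy deletion via WMI (wmic.exe shadowcopy delete)
    "shadow_copy_delete_wmi": re.compile(
        r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    # Shadow copy deletion via WMI from PowerShell (Win32_ShadowCopy class)
    "shadow_copy_delete_wmi_ps": re.compile(
        r"Win32_ShadowCopy\b.*\b(Delete|Remove-WmiObject|Remove-CimInstance)\b", re.I),
    # Defender real-time monitoring switched off
    "defender_realtime_disabled": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I),
    # Scheduled task created under the name reported for Maze
    "schtask_windows_update_security": re.compile(
        r'\bschtasks(\.exe)?\b.*/create\b.*/tn\s+"?Windows Update Security', re.I),
}


def match_record(record):
    """Return the names of every rule whose pattern matches this record.

    Only process-creation events (Sysmon EventID 1) carry a command line we
    trust here; other event types are ignored rather than matched.
    """
    if record.get("EventID") != 1:
        return []
    cmd = record.get("CommandLine", "")
    return [name for name, pattern in RULES.items() if pattern.search(cmd)]


def hunt(records):
    """Run every rule over every record and return the Findings in input order."""
    findings = []
    for rec in records:
        for rule in match_record(rec):
            findings.append(Finding(rec["Computer"], rec["RecordId"], rule, rec["CommandLine"]))
    return findings


def score_hosts(findings):
    """Rate each host by how many distinct behaviours it showed.

    A lone shadow-copy deletion may be a backup product or an admin; deletion
    combined with Defender tampering or the named task is the pre-encryption
    pattern worth paging on, so two or more distinct rules rate "high".
    """
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.rule)
    return {host: ("high" if len(rules) >= 2 else "medium")
            for host, rules in per_host.items()}


# Constructed sample telemetry (not real logs). WS-FIN-07 shows the full
# pre-encryption sequence, WS-HR-12 a single WMI deletion from PowerShell,
# SRV-BACKUP-01 benign look-alike admin commands that must not match.
SAMPLE_RECORDS = [
    {"EventID": 1, "RecordId": 101, "Computer": "WS-FIN-07",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "RecordId": 102, "Computer": "WS-FIN-07",
     "CommandLine": "wmic.exe shadowcopy delete"},
    {"EventID": 1, "RecordId": 103, "Computer": "WS-FIN-07",
     "CommandLine": "powershell.exe -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 1, "RecordId": 104, "Computer": "WS-FIN-07",
     "CommandLine": 'schtasks.exe /create /tn "Windows Update Security" '
                    r'/tr C:\Users\Public\svc.exe /sc once /st 03:00'},
    {"EventID": 1, "RecordId": 105, "Computer": "WS-HR-12",
     "CommandLine": "powershell.exe Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
    {"EventID": 1, "RecordId": 201, "Computer": "SRV-BACKUP-01",
     "CommandLine": "vssadmin.exe list shadows"},
    {"EventID": 1, "RecordId": 202, "Computer": "SRV-BACKUP-01",
     "CommandLine": 'schtasks.exe /query /tn "Windows Update Security"'},
    {"EventID": 1, "RecordId": 203, "Computer": "SRV-BACKUP-01",
     "CommandLine": "powershell.exe Get-MpPreference | Select-Object DisableRealtimeMonitoring"},
]


if __name__ == "__main__":
    found = hunt(SAMPLE_RECORDS)
    for f in found:
        print(f"{f.host:14} {f.record_id}  {f.rule:34} {f.command_line}")
    print(score_hosts(found))
```

Running it lists the five matching records and rates WS-FIN-07 "high" and WS-HR-12 "medium", while none of the SRV-BACKUP-01 commands match. Because Maze deletes shadow copies both before and after encryption, the same host will often produce the vssadmin or wmic rule twice; the per-host scoring counts distinct behaviours rather than raw hits, so the second deletion does not inflate the rating on its own.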
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The exploit was used in Maze and Egregor ransomware campaigns. | The Windows Background Intelligent Transfer Service (BITS) is vulnerable to a privilege elevation vulnerability... Actors exploiting this vulnerability commonly used the proof of concept code released by the security researcher...
"Since November 2019, we’ve seen the MAZE ransomware being used in attacks that combine targeted ransomware use, public exposure of victim data, and an affiliate model."
Groups observed using it
10 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
In 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families.
Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.
"Since November 2019, we’ve seen the MAZE ransomware being used in attacks that combine targeted ransomware use, public exposure of victim data, and an affiliate model."
"...TA551 IcedID implants were associated with Maze and Egregor ransomware events in 2020."
In July 2020, Mandiant observed UNC2198 leverage network access provided by an ICEDID infection to encrypt an environment with MAZE ransomware.
Maze ransomware operators have updated their list of victims adding Xerox Corporation to the roster... Maze's leak site showed Xerox among the victims of this ransomware group.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
5 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution.
Citrix ADC maintains a vulnerable Perl script (newbm.pl) that, when accessed via HTTP POST request ... allows local operating system (OS) commands to execute. Attackers can use this functionality to upload/execute command and control (C2) software ... and gain unauthorized access to the OS.
Persistence
3 techniques
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.
Privilege Escalation
4 techniques
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The Windows Background Intelligent Transfer Service (BITS) is vulnerable to a privilege elevation vulnerability ... An actor can exploit this vulnerability to execute arbitrary code with system-level privileges.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.
Stealth
4 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
APT-C-36 has used a macro function to set scheduled tasks, disguised as those used by Google.
MAZE Group 2 mapping includes “T1140: Deobfuscate/Decode Files or Information.”
“AppleJeus delivered components using a Windows Installer package (.msi)… executed the 3CXDesktopApp.exe…”, “APT38 has used msiexec.exe to execute malicious files.”, “Rancor has used msiexec to download and execute malicious installer files over HTTP.”, “TA505 has used msiexec to download and execute malicious Windows Installer files.”
Discovery
3 techniques
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Examples include "Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found," "DropBook has checked for the presence of Arabic language," and "Maze has checked the language of the infected system using the GetUserDefaultUILanguage function."
Command and Control
1 technique
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Exfiltration
3 techniques
“exfiltrating data to FTP servers using a base64-encoded PowerShell script…” and “used WinSCP to exfiltrate data to an attacker-controlled FTP server,” plus mapping “T1048: Exfiltration Over Alternative Protocol.”
Increasingly, attackers also steal sensitive data before deploying the actual ransomware in what is known as a double extortion ransomware attack.
The Maze RaaS group presented one of the first examples of double extortion ransomware. Attackers encrypted and exfiltrated sensitive data
Impact
4 techniques
Attackers move directly to deploying ransomware by editing a Group Policy.
Examples include 'Avaddon uses wmic.exe to delete shadow copies,' 'BlackCat can use wmic.exe to delete shadow copies on compromised networks,' and 'WannaCry utilizes wmic to delete shadow copies.'
The process kill lists were designed to amplify the effects of known ransomware strains.
DoppelPaymer has only started publishing data in the last few days... the group claims to have sold data stolen in previous incidents on the dark web.
Other
2 techniques
The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.
Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.
IOCs tracked for this family
74 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
81 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware family referenced as a group FIN7 previously collaborated with (contextual association, not necessarily tied to the specific Veeam CVEs in this article).
Ransomware family referenced in connection with a rumored 2020 breach impacting Cognizant.
Ransomware referenced in the context of tactics involving disabling services prior to encryption.
References
https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/