March 26, 2024
Maze, a high-profile ransomware gang in the cybercriminal world, now claims they’ve ceased to exist. The hacker group, famed for their double extortion of Allied Universal (requested ransom of 2.3 million USD) and disruption operations for American tax advisory BST & Co, posted a press release on their website on Nov 1st, 2020 announcing an end to operations.
The group made headlines with over 70 incidents since the start of 2020, and in Q2 led our profile of high-threat hacker groups: Maze, DoppelPaymer, and Sodinokibi made up 80% of our alerts related to ransomware dump sites. As they occupied so many of our thoughts, we offer some words of remembrance:
The Maze ransomware group was first identified in May 2019 as a highly active team of operators in North America and Europe. They were indiscriminate in their choice of victims and targeted a wide range of sectors across both regions, from the US’s largest cable and wire manufacturer (Southwire) to a Parisian hotel catering to Eiffel Tower visitors (Auteuil Tour Eiffel).
Maze created a unique double extortion model where they would capture a target’s sensitive data using exploit kits, often in the form of spear-phishing emails to company employees. They were notable for their successful impersonation of government agencies such as the “Italian Revenue Agency” and other false American and German authorities. After extracting data, they would encrypt it and request a large sum of money in exchange for not publicly posting it on their website “Maze News”.
The encryption aspect of this is not too special; virtually all ransomware groups encrypt the files they steal and request a ransom for companies to recover those files. Maze was initially called “Chacha” within the security community as they used the popular ChaCha cipher to encrypt the files and data that they stole.
The “Maze News” site, or the “name and shame” game they created, was unique. Their website boasted on its posting board:
“Represented here companies do not wish to cooperate with us and trying to hide our successful attack on their resources. Wait for their databases and private papers here. Follow the news!”
Maze would coerce companies to pay millions in bitcoin to avoid exposure on the dark web, and this tactic has since been copied by other hacker/ransomware groups such as Sodinokibi, DoppelPaymer, and Nemty.
Maze will not only be remembered for their creativity, but also for their willingness to lend a helping hand to other cybercriminals. They were known collaborators with the operators of both “LockBit” ransomware and “Ragnar Locker” ransomware. Digital Shadows (now ReliaQuest) researchers found Ragnar Locker data leaks being hosted on the Maze News website in June 2020 in addition to Maze’s own stolen content.
In addition to being a platform for other ransomware groups, Maze was known to be a mentor within the cybercriminal community, sharing their tactics, techniques, and procedures with other hacker groups since they began operations in May 2019.
Maze lived by the mission that they existed to show the world the weaknesses of digital security and to warn individuals, companies, and countries that cybercriminals could cause significant damage without correction.
In their press release, Maze referred to their victim companies as their “clients”. Their “client fees” for exploiting the company’s cybersecurity weaknesses, however, amounted to millions of dollars in bitcoin and much financial gain for the ransomware group.
Aside from the Maze News board, where companies’ data was released to the public, Maze kindly offered the Maze Support page, where “clients” could pay their “client fees” or chat to a member of the Maze team.
In the case of non-paying companies, Maze didn’t always dump their data online. In sparing the City of Pensacola, Florida, a Maze representative wrote:
“We are going to make a gift to City of Pensacola: we will not publish leaked private data, but we publish the list of leak data and hosts to proof, that we did it, we really hacked City of Pensacola.”
Another display of their claimed benevolence came in mid-March 2020, when Maze operators stated they would halt activity against all medical organizations until the end of the COVID-19 pandemic. They did, however, publish data stolen from the drug testing firm Hammersmith Medicines Research Ltd (HMR) in April. This was somewhat in keeping with their word, as the HMR data was stolen and encrypted prior to that announcement.
While we don’t know why Maze officially ceased operations, we do know the threat from ransomware still exists. An excerpt from their official press release says:
“If you are taking the responsibility for other people’s money and personal data, then try to keep it secure. Until you do that there will be more projects like Maze to remind you about secure data storage.”
It’s possible the oversaturation of the ransomware market motivated their exit, similar to GandCrab’s exit in 2019. And it’s still very likely another variant group will emerge to take Maze’s place; some operators have reportedly moved to the Egregor ransomware variant.
Finally, Maze could potentially rise from the grave; the press release contained the closing comment:
“We will be back to you when the world will be transformed. We will return to show you again the errors and mistakes and to get you out of the Maze.”
NEXT STEPS WITH Digital Shadows (now ReliaQuest)…
Tracking ransomware groups, tactics, and trends can be daunting, and it’s easy to get buried in all the information out there. Look here to read our research on ransomware.
Looking to keep updated on threat actor activity as well as gain actionable insights from ransomware trends? SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) presents threat intelligence and assesses the risk certain actors pose to your industry, company, and assets. Look here for a trial of our product SearchLight.
If you’re a Digital Shadows (now ReliaQuest) client, you’ll be able to use this search term to set up alerts on new instances of data dumps on ransomware sites: ransomware dumps.