What is Maze ransomware?

Maze ransomware both encrypts and steals confidential data, putting even more pressure on its victims to pay the ransom.

Learning Objectives

After reading this article you will be able to:

  • Define how Maze ransomware works
  • Describe how Maze encrypts and exfiltrates data
  • Learn how to prevent Maze ransomware attacks


What is Maze ransomware?

Maze is a strain of ransomware* that has been impacting organizations since 2019. Although one main group created Maze, multiple attackers have used Maze for extortion purposes.

In addition to encrypting data, most operators of Maze also copy the data they encrypt and threaten to leak it unless the ransom is paid. A Maze ransomware infection combines the negative effects of ransomware (lost data, reduced productivity) with those of a data breach (data leaks, privacy violations), making it of particular concern for businesses.

*Ransomware is malware that locks up files and data by encrypting them. Victims are told they will only get their files and data back if they pay the attacker a ransom.

How does a Maze ransomware attack work?

When Maze ransomware first came into use, it was mostly distributed through malicious email attachments. More recent attacks use other methods to compromise a network before dropping the ransomware payload. For instance, many Maze ransomware attacks have used stolen or guessed Remote Desktop Protocol (RDP) credentials (username and password combinations) to infiltrate a network. Other attacks have started by compromising a vulnerable virtual private network (VPN) server.
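A defender can look for the guessed-credential entry path described above in Windows Security logs. The following is an added example, not code from the original article: it flags a source address whose RDP logon succeeds shortly after a burst of failures. The tuple layout, thresholds, and sample events are constructed assumptions; event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive) are standard Windows values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624  # Windows Security event IDs
RDP_LOGON_TYPE = 10                          # RemoteInteractive (RDP session)

# Constructed sample events (not real logs):
# (timestamp, event ID, logon type, source IP, account)
SAMPLE_EVENTS = [
    ("2024-01-15T02:00:01", 4625, 10, "203.0.113.50", "administrator"),
    ("2024-01-15T02:00:20", 4625, 10, "203.0.113.50", "admin"),
    ("2024-01-15T02:00:41", 4625, 10, "203.0.113.50", "backup"),
    ("2024-01-15T02:01:02", 4625, 10, "203.0.113.50", "svc_backup"),
    ("2024-01-15T02:01:30", 4625, 10, "203.0.113.50", "svc_backup"),
    ("2024-01-15T02:01:55", 4625, 10, "203.0.113.50", "svc_backup"),
    ("2024-01-15T02:02:10", 4624, 10, "203.0.113.50", "svc_backup"),
    ("2024-01-15T08:59:40", 4625, 10, "198.51.100.7", "jsmith"),   # one typo
    ("2024-01-15T09:00:05", 4624, 10, "198.51.100.7", "jsmith"),
    ("2024-01-15T09:30:00", 4624, 2, "10.0.0.5", "jdoe"),          # console logon
]

def find_rdp_guessing(events, min_failures=5, window=timedelta(minutes=10)):
    """Return (source IP, account, failure count, time) for each RDP logon
    that succeeds after at least min_failures failures inside the window."""
    failures = defaultdict(list)  # source IP -> times of failed RDP logons
    alerts = []
    for ts, event_id, logon_type, src, account in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue
        when = datetime.fromisoformat(ts)
        if event_id == FAILED_LOGON:
            failures[src].append(when)
        elif event_id == SUCCESSFUL_LOGON:
            recent = [t for t in failures[src] if when - t <= window]
            if len(recent) >= min_failures:
                alerts.append((src, account, len(recent), ts))
            failures[src].clear()  # start counting afresh after a success
    return alerts

if __name__ == "__main__":
    for src, account, count, ts in find_rdp_guessing(SAMPLE_EVENTS):
        print(f"{ts}: {src} logged on as {account} after {count} failed attempts")
```
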

Once Maze is inside a network, it takes the following steps:

  1. Reconnaissance: Maze investigates the vulnerabilities of the network and identifies as many connected machines as possible, helping to ensure the eventual ransomware activation has maximum impact. Among other things, Maze scans Active Directory, a Windows program that lists all authorized users and computers on a network. The reconnaissance process is usually completed several days after attackers infiltrate the targeted network.
  2. Lateral movement: Maze uses the information it gained during reconnaissance to spread itself across the network, infecting as many devices as possible.
  3. Privilege escalation: As Maze moves laterally, it steals more credentials, enabling it to spread to additional machines. In most cases it eventually acquires administrator credentials, which give it control over the entire network.
  4. Persistence: Maze uses a number of techniques to resist removal. For example, it may install backdoors (hidden ways around security measures) into the network so it can be re-installed if it is discovered and removed.
  5. Attack: Finally, Maze begins the process of encrypting and exfiltrating data. Once data has been encrypted, Maze displays or sends a ransom note telling the victim how to make payment, unlock their data, and prevent a data leak.

How does Maze exfiltrate data?

To "exfiltrate" means to move data out of a trusted area without authorization. Typically, Maze exfiltrates data by connecting with a file transfer protocol (FTP) server and copying files and data to this server in addition to encrypting them. Attackers have used the PowerShell and WinSCP utilities to perform these actions.

In some cases, exfiltrated data has been transferred to a cloud file sharing service instead of directly to an FTP server.
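Bulk uploads of this kind are visible in outbound flow records. The following is an added example, not code from the original article: it totals bytes sent from each internal host to each external destination and reports pairs that used a file transfer port and exceed a size threshold. The record layout, internal ranges, port list, threshold, and sample flows are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space; replace with the site's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# File transfer services WinSCP can speak (FTP, FTPS, SFTP/SCP).
TRANSFER_PORTS = {21: "ftp", 22: "sftp/scp", 990: "ftps"}

# Constructed sample flows (not real traffic):
# (source IP, destination IP, destination port, bytes sent outbound)
SAMPLE_FLOWS = [
    ("10.1.4.20", "203.0.113.77", 21, 4_000),              # FTP control channel
    ("10.1.4.20", "203.0.113.77", 50211, 3_200_000_000),   # passive-mode data
    ("10.1.4.20", "203.0.113.77", 50212, 2_900_000_000),   # passive-mode data
    ("10.1.9.8", "198.51.100.10", 22, 40_000_000),         # small SFTP upload
    ("10.1.9.8", "198.51.100.25", 443, 5_000_000_000),     # HTTPS, other rule
    ("10.1.4.20", "10.1.0.5", 21, 9_000_000_000),          # internal FTP
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_bulk_uploads(flows, threshold_bytes=1_000_000_000):
    """Return (src, dst, total bytes, protocols) for internal-to-external
    pairs that used a transfer port and sent at least threshold_bytes."""
    totals = defaultdict(int)     # (src, dst) -> bytes sent on any port
    protocols = defaultdict(set)  # (src, dst) -> transfer protocols seen
    for src, dst, port, sent in flows:
        if not is_internal(src) or is_internal(dst):
            continue
        # Count every port: passive FTP moves data over ephemeral ports,
        # so only the control connection shows up on port 21.
        totals[(src, dst)] += sent
        if port in TRANSFER_PORTS:
            protocols[(src, dst)].add(TRANSFER_PORTS[port])
    return sorted((src, dst, totals[(src, dst)], sorted(protos))
                  for (src, dst), protos in protocols.items()
                  if totals[(src, dst)] >= threshold_bytes)

if __name__ == "__main__":
    for src, dst, total, protos in find_bulk_uploads(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {total / 1e9:.1f} GB via {', '.join(protos)}")
```

Uploads to a cloud file sharing service travel over HTTPS and are not matched by this port-based rule; they need a separate check on destination and volume.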

What is the Maze website?

For several years, the ransomware group that created Maze operated a website on the dark web. They posted stolen data and documents on the website as proof of their past attacks and included social media links for sharing the stolen data.

In a post on their website in November 2020, the Maze group claimed they were shutting down operations. However, as is often the case with ransomware groups, they may still be active under a different name.

What was the Cognizant Maze ransomware attack?

The Cognizant Maze ransomware attack was a major incident that took place in April 2020. Cognizant is an IT services provider for companies around the world. The attack compromised Cognizant's network and may have also resulted in the theft of confidential data belonging to their clients (Cognizant did not disclose which of their clients were affected by the attack). It took several weeks for Cognizant to fully restore its services, which slowed or stopped business processes for many of its clients during that time.

Cognizant estimated losses of $50 million to $70 million due to the attack.

What were some other major Maze attacks?

  • Pensacola, Florida, US: The city of Pensacola was victimized by Maze in 2019. The attackers leaked 2 GB of Pensacola's data as proof of the attack.
  • Canon: Maze infected the imaging equipment company Canon in 2020. Attackers exfiltrated 10 TB of data. Many users of Canon's free storage service permanently lost their data as a result of the attack.
  • Xerox: Maze compromised Xerox's systems in 2020, stealing 100 GB of data.
  • LG Electronics: In 2020, Maze stole and leaked source code data from LG.

Other Maze victims include WorldNet Telecommunications, Columbus Metro Federal Credit Union, the American Osteopathic Association, and VT San Antonio Aerospace.

How to prevent Maze ransomware

These steps can make a Maze ransomware attack far less likely:

  • Avoid using default credentials: Maze attacks have used credential compromise to infiltrate a network. Default usernames and passwords are typically well-known in the criminal underground, and therefore very insecure.
  • Use two-factor authentication (2FA): 2FA means using more than just a username and password to authenticate a user before granting access to an application — for instance, requiring the use of a hardware token that attackers cannot steal or duplicate.
  • Email security: Filter out malicious email attachments and train users to ignore unexpected emails and untrusted attachments.
  • Update systems: Software updates can patch some of the vulnerabilities that Maze typically uses to compromise servers and networks.
  • Anti-malware scanning: If a Maze infection occurs, it is crucial to detect and remove it from infected devices as soon as possible. Anti-malware can detect most forms of Maze on a device. Infected devices should be isolated immediately from the rest of the network.
  • Zero Trust security: A Zero Trust security model helps prevent lateral movement within a network by regularly re-verifying both users and devices, and by immediately restricting access for devices that are infected with malware.

Cloudflare One is a Zero Trust network-as-a-service (NaaS) platform that securely connects remote users, offices, and data centers.