Maze ransomware: How it works and how to stay protected

Maze was a sophisticated type of Windows-based ransomware that was first discovered in 2019. It targeted a wide variety of organizations and industries and became known for pioneering double extortion attacks, where attackers exfiltrate sensitive data before encrypting systems.

Although the Maze ransomware group publicly announced it was shutting down in late 2020, the tactics it helped establish continue to be used by modern ransomware operations. In this article, we’ll break down exactly what Maze was, how the ransomware worked, and what organizations and individuals can do to protect themselves against this type of attack.

What is Maze ransomware?

Maze was a type of ransomware that encrypted a victim’s files while also stealing sensitive data, an attack method known as double extortion. In other words, Maze attacks not only blocked victims’ access to their data but also threatened to expose sensitive information unless a ransom was paid. The group maintained a website where data would be publicly leaked to pressure victims into paying the ransom.

The Maze group pioneered this approach, which marked a significant shift in ransomware strategy. Many other groups have since adopted this tactic.

The Maze ransomware group was active between 2019 and 2020, targeting high-profile organizations across multiple industries, including healthcare, technology, and finance. In addition to carrying out attacks directly, Maze operated an affiliate-based ransomware model, letting third parties deploy the malware using Maze’s tools and infrastructure. This contributed to the scale and reach of Maze attacks.

How Maze ransomware attacks work

Maze ransomware attacks followed a particular pattern, based on infiltration, lateral movement, exfiltration, and encryption.

Initial access and infection vectors

Maze attackers most often gained access to victims’ networks through compromised or reused credentials, exposed Remote Desktop Protocol (RDP) services, phishing emails with malicious attachments or links, and exploitation of unpatched software or software vulnerabilities.

Once inside, they worked to maintain and expand access, using techniques like credential harvesting and other persistence and evasion methods that undermined security controls. This gave them time to locate high-value data and prepare for exfiltration and encryption.

Lateral movement and network reconnaissance

Once Maze gained access to a network, the operators began searching for other vulnerabilities on connected machines. One way they did this was by scanning the Active Directory, which is a sort of centralized database of all network resources. The Active Directory shows other linked devices, user data, and even which users can access which systems.

After the reconnaissance period, Maze operators would spread the malware across the network to as many other machines as possible. During this phase of the operation, Maze operators looked for high-value targets that contained valuable information and prepared to exfiltrate the data.

Data exfiltration and encryption process

Maze operators systematically exfiltrated sensitive data before encrypting files, often using attacker-controlled file transfer protocol (FTP) servers or cloud storage services. Once the exfiltration phase was complete, they deployed ransomware to encrypt the victim’s data, modifying file names by appending unique extensions and leaving ransom instructions.

Ransom notes and extortion tactics

Maze would leave ransom notes in prominent places on the system for victims to find, with instructions on how to contact the attackers and make payment. As part of their double extortion strategy, the group also threatened to publish sensitive stolen information if ransom demands weren’t met. The group used online portals or chat interfaces to negotiate ransom payments with victims.

Although paying the ransom may result in the delivery of a decryption key, that didn’t guarantee file recovery, and while Maze claimed to delete all stored data once the ransom was paid, there was no way to verify this.

Notable Maze ransomware attacks

Maze most often targeted large organizations to maximize the potential financial gain. Here are three of the most notable incidents.

Canon

Canon, of digital camera fame, suffered a Maze attack in 2020 that disrupted several internal systems and affected its cloud storage service. Maze claimed responsibility for the attack and alleged that it had exfiltrated more than 10TB of data, including internal files and customer information.

Canon confirmed that files accessed by the attackers contained personal information for current and former employees and their beneficiaries and dependents, including names, Social Security numbers, driver’s license or government ID numbers, direct deposit account numbers, electronic signatures, and dates of birth.

Once the incident was uncovered, the company engaged a cybersecurity firm, notified law enforcement, and took steps to restore operations and enhance network security.

Cognizant

One of the most financially damaging Maze attacks took place in April 2020. Cognizant, an IT services company, was in the middle of its shift to remote work following the start of the COVID-19 pandemic. When the Maze attack happened, employees lost access to email, some internal directories, and more.

The attack affected not only Cognizant itself but also many of the companies that relied on it. By the time the dust settled, Cognizant estimated it lost anywhere from $50 to $70 million, with more costs coming later in the efforts to restore its computer systems.

City of Pensacola

In late 2019, Pensacola, Florida, suffered a ransomware attack that led to the theft of roughly 32GB of municipal data. The attackers demanded a ransom of around $1 million and later leaked a portion of the stolen files to demonstrate that the data had been exfiltrated.

The attack is widely attributed to the Maze ransomware group based on reporting by BleepingComputer, which stated that Maze operators contacted the outlet directly and claimed responsibility for the breach. However, the City of Pensacola did not publicly confirm Maze as the attacker, and the official city statement referred to the incident as a ransomware attack without naming a specific group.

How to detect a Maze ransomware infection

Maze ransomware was often present in a system long before any files were encrypted. Detecting its presence early was difficult, and it depended on spotting signs of network reconnaissance, lateral movement, and data exfiltration.

Early warning signs and indicators

As mentioned earlier, one of the first steps in a Maze-style attack is to establish a foothold. Most of the time, this is achieved either by obtaining login credentials or through exposed remote access points. One primary indicator of an attack could be multiple failed login attempts or logins at odd hours.

Queries to the Active Directory or unauthorized network scans could also be indicators that Maze operators were mapping the network and looking for further vulnerabilities.

Confirming an active Maze infection

Once encryption begins, Maze-style infections are relatively easy to identify, because ransom notes are typically placed in prominent locations.

However, Maze operators frequently exfiltrated data before triggering encryption, meaning data theft often occurred without any obvious indicators. In these cases, confirmation required analyzing network traffic and credential use.

How to prevent Maze ransomware

Preventing a Maze-style ransomware attack requires multiple layers of security, including several best practices that reduce cybersecurity vulnerabilities.

• Strong authentication requirements: The first step to preventing a ransomware attack is ensuring that credentials can’t be easily guessed or breached. That means every single account should be secured by a strong, unique password, especially when it comes to credentials for admin tools. Beyond that, enabling phishing-resistant multi-factor authentication (MFA) adds another layer of security that can restrict access to accounts even if credentials are compromised.
• Improved email security: Maze often infiltrates systems through phishing attempts. Strong email filters and proper security protocols, including training users to be wary of suspicious attachments, can reduce the likelihood of a phishing attempt succeeding.
• Keep software up to date: Enable automatic updates for any application that supports it and manually update any software that doesn’t. Maze (and malware in general) exploits unpatched vulnerabilities in software, so prioritizing updates and patches for the most critical systems can impede its progress.
• Monitor your system: Continuous monitoring can help detect Maze-style attacks before encryption occurs. Warning signs include unusual outbound network traffic, unexpected use of admin tools, suspicious Active Directory queries, and the creation of file-staging directories used for data exfiltration. Centralized log monitoring, intrusion detection systems, and alerts for abnormal authentication behavior can provide early indicators of compromise.
• Access control: Limiting and restricting access to only what is strictly necessary for a user to fulfill their role impacts Maze-style ransomware’s ability to move laterally. Admin privileges and network permissions should only be granted to accounts for which they’re absolutely necessary.

Network hardening and segmentation

Network segmentation divides a large network into smaller, more isolated subnetworks (or subnets). Each subnet can have different access control levels; if Maze-style activity is detected, these subnets can be sealed off to prevent its spread. The purpose of this is to ensure that, even if one machine is infected, the ransomware can be stopped from spreading to others.

Backups and disaster recovery planning

Maze-style ransomware is known for attempting to delete backups, so it’s vital to have other options in place. Experts recommend the 3-2-1 rule; in other words, you should have at least three copies of your data, on two different forms of media, with at least one backup stored offsite. This practice extends beyond ransomware defense; it can help recover data in the event of natural disasters, too.

Of course, it’s also important to ensure that backup systems can only be accessed from specific accounts. Standard user accounts and automated processes should never have access to your backup servers.

Cybersecurity awareness and employee training

One of the foremost tools in preventing ransomware attacks and improving cybersecurity is employee training. By ensuring employees know how to spot suspicious emails and identify malicious activity, you greatly reduce the risk of someone opening an infected attachment. Best practices include checking email senders, looking for letter and character swaps, and verifying all attachments with the sender via another channel before opening them.

What to do after a Maze ransomware attack

Despite strong security practices, ransomware attacks still happen. If Maze-style ransomware infects your network, the key to minimizing damage is to take quick, focused action.

Immediate containment steps

The greatest danger of Maze-style ransomware lies in its ability to spread from machine to machine. As soon as an infection is detected, treat it like a real-world virus outbreak. Isolate infected machines and disconnect them from the network, including unplugging Ethernet cables and shutting off Wi-Fi. It’s also a good idea to block file-sharing protocols across the entire network until the full extent of the infection can be identified.

However, don’t power off machines immediately if forensic investigation is needed. Some information is stored in temporary memory, and that can be lost if the system is shut down.

Incident response and forensic investigation

The next step is to try to identify the initial access point and determine the cause. This can be done by examining access logs, email gateways, and firewall records; however, a clear determination can be difficult to achieve, especially if the attackers used multiple vectors. From that point, try to create a timeline of the attack: how long has it been going on, how far has it moved, and what data, if any, has been compromised?

In addition, contact your company’s legal department. If any personal information was leaked, the company might be legally obligated to alert those affected. Any ransomware attack should be reported to law enforcement organizations, such as the FBI’s Internet Crime Complaint Center (IC3).

Legal and regulatory considerations

If a breach occurs, your company might be subject to specific regulatory procedures depending on the industry. For example, any U.S. organization involved in healthcare has to meet specific reporting requirements under the Health Insurance and Accountability Act (HIPAA), which generally require notification of affected individuals and regulators without unreasonable delay and no later than 60 days after discovery.

For companies handling the data of EU residents, the General Data Protection Regulation (GDPR) applies. This means that certain breaches must be reported to the relevant authorities within 72 hours where feasible, and affected parties must be promptly informed of any data breach involving sensitive personal information.

System recovery and data restoration

After the breach has been identified and stopped, recovery can begin. All recovery attempts should be conducted only after the network has been completely purged of ransomware and any other malware that might be present.

The best option is to restore systems and data from secure, offline backups. Where possible, this should be performed in a clean or isolated environment before reconnecting systems to the production network.

If viable backups aren’t available, recovery options are limited. Specialized ransomware decryptor tools may exist for certain variants, but they’re often ineffective against modern ransomware families like Maze.

The recovery phase also provides an opportunity to review system logs, identify how the intrusion occurred, and address gaps in patching, access controls, and monitoring to reduce the risk of a future compromise.

Is Maze ransomware still active?

Maze announced that it was disbanding in late 2020, with the group ceasing operations and directing all victims to a support chat to supposedly have their data removed. There has been no independent verification that the data was ever actually deleted.

While Maze no longer operates as an active ransomware group, many of the techniques and operational patterns associated with Maze have resurfaced in subsequent ransomware families, including Egregor and Sekhmet, which appeared shortly after Maze’s shutdown.

More broadly, Maze pioneered the modern double-extortion ransomware model, which is now widely used by active groups. While the malware code and group names have changed, the underlying strategy remains a persistent and evolving threat.