Maze
Maze ransomware group is one of the most known ransomware gangs, they targeted organizations worldwide across many industries. Security researchers believed that Maze operates as an affiliated network model. MAZE was one of the first groups that made a 'Double Extortion Attack' involved Allied Universal, in November 2019, the group leaks their victim's data in the darknet. On November 1, 2020, MAZE announced an official press release that they are closing their operation. is malware targeting organizations worldwide across many industries. Security researchers claim that the threat actor behind the MAZE group is 'TA2101'.
Victims
59
First Discovered
2019-10-21
victim
Last Discovered
2020-09-11
victim
Inactive Since
5yrs
more than
Avg Delay
N/A
attack→claim
Infostealer
100.0%
victims with domain
Countries
12
hit
Known Locations (1)
| Favicon | Title | Type | Available | Last Visit | Server Info | FQDN | |
|---|---|---|---|---|---|---|---|
|
No | 2026-04-28T07:24:57 |
xfr3txoorcyy7tikjgj5dk3rvo3vsrpyaxnclyohkbfp3h277ap4tiad.onion
|
Target
Top 5 Activity Sectors
- Manufacturing 14
- Technology 9
- Financial Services 7
- Healthcare 5
- Business Services 4
Top 5 Countries
-
United States
39
-
Australia
2
-
Thailand
2
-
United Arab Emirates
2
-
United Kingdom
2
Heatmap
Ransom Notes (1)
Tools Used
| Discovery | RMM Tools | Defense Evasion | Credential Theft | OffSec | Networking | LOLBAS | Exfiltration |
|---|---|---|---|---|---|---|---|
|
AdFind
Advanced IP Scanner
Bloodhound
PingCastle
PowerView
ShareFinder
|
|
|
Mimikatz
ProcDump
|
Cobalt Strike
Metasploit
Meterpreter
PowerSploit
|
|
PsExec
WMIC
|
WinSCP
|
TTPs Matrix (9)
| Initial Access | Execution | Defense Evasion | Credential Access | Discovery | Lateral Movement | Exfiltration | Command and Control | Impact |
|---|---|---|---|---|---|---|---|---|
| Drive-by Compromise | Command and Scripting Interpreter: PowerShell | Signed Binary Proxy Execution: Rundll32 | OS Credential Dumping: LSASS Memory | Remote System Discovery | Remote Services: Remote Desktop Protocol | Exfiltration Over Web Service | Application Layer Protocol: Web Protocols | Data Encrypted for Impact |
| Exploit Public-Facing Application | Exploitation for Client Execution | Disable or Modify Tools | Network Service Discovery | Remote Services: SMB/Windows Admin Shares | Inhibit System Recovery | |||
| Phishing: Spearphishing Attachment |
YARA Rules (1)
Victims (59)
