Maze Ransomware

Maze ransomware has been making the news non-stop since May 2019. Ransomware attacks on individuals, government departments, and large enterprises have become increasingly worrisome.

Once a Managed Service Provider or MSP is compromised, all client servers go down with it. This even includes business partners and investors. It can lead to an endless channel of destruction.

Although Maze ransomware was shut down in November 2020, Maze ransomware variants are still causing a lot of damage. They are ransomware threats that can not be ignored.

So, what exactly is Maze ransomware, and what makes it different from other ransomware variants? Let’s find out below!

What Is Maze Ransomware?

Maze ransomware is a malicious code with a 32-bit binary file. This could be disguised as a .dll or .exe file. Once Maze gains entry through an endpoint and affects an end user’s operating system, it starts working based on the following pattern:

  • Targets user files and encrypts them using an encryption key. The data is held hostage, and a ransom demand is made to release a decryption key.
  • Maze ransomware copies all user data so it can be sold illegally on platforms like the Dark Web. This is known as a data breach.
  • A Maze ransomware attack also creates backdoors so malicious actors/hackers can continually access the operating system. This access is used to launch Maze throughout a network, other networks, and all systems.

The sophisticated Maze code uses obfuscation tactics to evade security protocols and IT/security teams. A few organizations believed to have been attacked by Maze ransomware include Canon, Cognizant (Tech and consulting), and Conduent (Payment and HR infrastructure). This also includes the Mitre att ck.

Conduent provided services to 500 governments and Fortune 100 companies, so the damage was immense. The FBI had to release a warning.

5 Famous Maze Ransomware Attacks

Let us look at the top 5 ransomware threats that wreaked havoc:

Hammersmith Medicines Research

The IT department of the Hammersmith Medicines Research faced an attack on the 14th of March 2020.

This company was on standby as it was carrying trials for the Covid-19 vaccine. This same research center had also previously carried out tests to help develop vaccines and drugs for Alzheimer’s and Ebola.

The company refused to pay the ransom; in return, the hackers made the personal details of previous patients public. This was the opposite of what the company had promised days before the coronavirus pandemic hit.


The Maze ransomware group claimed they had stolen 100GB of data from Xerox in July 2021. Since Xerox is a printing company, many financial documents and databases were compromised with important user information.

Allied Universal

The Maze ransomware group attacked Allied Universal in November 2019. Around 700 MB of stolen data kept private by this security staffing company was made public as the company had surpassed the ransom deadline. The Maze group also claimed that what they had made public was only about 10% of the data they had stolen.


A Fortune 500 company, Cognizant, a global IT services provider, was attacked by Maze in April 2020.

The Cognizant Maze ransomware attack caused communication problems and destroyed internal directories. The sales department could not contact clients and vice versa. Financial losses of $50 to $70 million were estimated.

LG Electronics

LG Electronics’ sensitive data was taken away by Maze. The Maze group posted 3 screenshots to confirm the data breach.

Maze did not use LG’s network to execute an attack. They only leaked more data later on. Nearly 50.2 GB was stolen and published online on the Maze website.

How Does A Maze Ransomware Attack Work?

Let us now look at the steps of a Maze ransomware attack in detail below:

Initial Deployment Of Maze Ransomware

Often, Maze is deployed into a target operating system using spear phishing emails. These emails contain malicious links or attachments like a password-protected zip file or macro-enabled Microsoft Word document.

Attacks have shown that these documents are often named something that tempts users into clicking them, like Confidential Data Set or Quarterly Report, etc.

Once the malware is downloaded onto a system, the ransomware propagates. Maze also spreads laterally within networks to find higher access privileges. This leads to more damage.

The ransomware also starts encrypting files as soon as it lands on them, whether stored on the system hard drive or cloud storage.

Once encryption and data theft are complete, a ransom demand pops up on the screen. This message shows the attacker’s conditions and mode of payment. This is usually cryptocurrency.

Evasion Strategies

Maze ransomware evades security by starting with an encrypted zip attachment. This file has a password and a document with a macro. Email security solutions are unable to detect this ransomware threat:

  • The file cannot automatically be opened as it is password protected.
  • Zip files are not usually scanned.
  • Scanning macros is challenging.

Vulnerability Scanning

Malware launched into any system always scans a network for weaknesses. Network configuration vulnerabilities and any weakness in Active Directory attributes are used to aid further spreading.

Doing so also helps the ransomware get network insights and understand network intelligence. This way, spreading to other networks, devices, and systems is made easier.

Lateral Distribution 

Lateral movement is started as soon as Maze ransomware gets into a network. The malicious code first inspects the target system to find clues that can help it spread to other systems or networks.

It also scans for unprotected passwords. However, if these attempts fail, the ransomware uses brute force for unauthorized access to new user accounts.

Accessing Elevated Privileges

Lateral movement is not sufficient for cybercriminals; they keep looking to attain further access privileges and information to gain master control of the target system.

Once elevated privileges are acquired, the malware spreads faster and more easily.

How To Prevent Maze Ransomware Attacks?

Four main ways are used to protect systems/networks from Maze ransomware attacks:

Detecting Maze Before An Attack

Since most Maze attacks start with a spear phishing email, the best strategy is to use cloud email protection software. This way, the malware can be stopped long before it launches an attack and helps ward off damage.

Endpoint Protection 

Keeping endpoints secure from ransomware infections is another method to prevent attacks due to remote desktop protocol or remote system discovery. An RMM (Remote Monitoring and Management) tool is used to check if any system has already been compromised. This way, infected systems can be immediately isolated to prevent the spread of malware.

If any endpoint is compromised, make sure to assume any of the others can also be affected. Ensure to identify login credentials and check Windows Event Log to see who tried to gain access before an attack.

Hindering Lateral Movement

Since it is common for Maze to move laterally, an RMM tool is your best bet at protecting an entire corporate network. Machine isolation prevents spreading and eliminates the need to shut down and reconfigure entire networks.

Data Backups

Proper data backups are key to data recovery and ensuring a business can get back on track after an attack. This is also very important for MSPs as they have a lot of clients they are answerable to. Plus, losing client data will surely not end up well.

You can make use of several data backup solutions:

  • BCDR (Business Continuity and Disaster Recovery) looks after all business disaster, continuity, and recovery needs like file, server, PC, and SaaS app protection.
  • SaaS Protection that aids cloud-to-cloud backup for Google Workspace/Microsoft 365. This way, you can protect sensitive data, and it is always safe in cloud storage.

System And Software Patching

An operating system and security software like antivirus software, firewall, and anti-malware software must be kept updated at all times. Staying up to date eliminates the chance for Maze ransomware operators to use patches as a vulnerability to gain access.

Make sure also to always monitor unusual behavior or suspicious activity so that you can prevent a full-fledged attack.

Manage Account Privileges 

Good account management can minimize the chances of ransomware attacks. This method works on the zero trust model and least privileges.

Only system admins are allowed full access, whereas regular users are granted or denied access when an admin approves/disapproves it.

Dashboards help administrators to see all logged activity to identify any threats and security issues.

Enabling multi-factor authentication and proper password management with strong strength is also necessary. Encouraging web browser security and avoiding the download of documents as an administrator will ensure maximum security.

Disable Microsoft Office Macros

Macros are small programs that perform specific tasks. These often start up when an Excel or Word document is opened.

Editing mode and macros should not be allowed to execute automatically. The modus operandi of the Maze ransomware groups relies greatly on email compromise. Therefore, it is necessary to be extra vigilant.

Update Antivirus Software 

Cybersecurity is not sufficient without antivirus software. However, it is crucial to ensure it is updated and can ward off the latest ransomware variants.

Good software can detect, hunt, prevent and intervene in attacks. Most also offer endpoint protection.

A strong firewall to scan incoming traffic can pair up wonderfully with antivirus software to stop malicious encryption attempts.

Practice Safe Web Surfing

If you do not wish to become a victim of a Maze ransomware attack, then browser security is super important.

Keep your browser updated, never download extensions and block all pop-ups. Also, verify that the sites you visit are legit by glancing at the address bar. HTTPS is far more secure than HTTP.

If your employees use web apps, ensure you are aware of cybersecurity issues in external remote services and are ready to deal with them.

Email Security Solutions

Maze ransomware was initially distributed through spam emails. Therefore, being careful about opening the emails you receive is the utmost priority.

Always enable multi-factor authentication with strong passwords. Keep passwords with expiration dates to ensure all logins are legitimate.

Never open access links from unauthorized sources and download any suspicious attachments. You can also invest in an email security solution for extra protection.

Employee Training

Training your employees and ensuring they are aware of cybersecurity protocols will minimize the chances of an attack. They should be provided training on what is safe and what is not.

User awareness also helps a security team handle matters more easily. Any attempt will be communicated without delay since employees know what damage ransomware threats can cause.

Set up a communication channel through which they can do this to aid eradication.

Report To Law Enforcement Agencies

Getting your security teams and IT professionals on board is a good idea. However, opt for the alternative if you have faced a full-fledged attack and cannot find a solution other than paying the ransom.

The alternative is contacting law enforcement to help you out. In most regions, you can even get penalties for paying the ransom. Contacting law enforcement can also help you recover stolen data, as they often have proper programs and teams well-versed in ransomware attacks.


Maze malware and its variants can cause a lot of damage. Not only do these deploy file encryption to demand ransom, but they can also perform data theft to publish/sell data online. Therefore, strict security measures are crucial to keeping your company safe.

Derik Belair

As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.
SUBSCRIBE for more resources
Related Content

Agent-based SaaS Discovery

    When it comes to Augmentt Discover, we believe in flexibility and power. Augmentt Discover can collect SaaS usage data using both an Agent and Agentless model. Here is a quick [...]

    Product Evaluation Guide

      Thank you for starting your Augmentt Product Evaluation and Trial   Here are a few resources that will help you through this technical process. Support Technical Support is available to [...]
      Augmentt is a centralized SaaS security platform built for MSPs to deliver scalable managed security services for Microsoft and cloud apps. Our multi-tenant platform gives you visibility across all your end-users to easily audit, protect and detect security threats for a holistic approach to cyber security.