Maze/Egregor ransomware cartel estimated to have made $75 million | The Record by Recorded Future
Maze/Egregor ransomware cartel estimated to have made $75 million
By Catalin Cimpanu
. April 9, 2021
The group behind the Maze and Egregor ransomware operations are believed to have earned at least $75 million worth of Bitcoin from ransom payments following intrusions at companies all over the world.
“We believe this figure to be much more significant, but we can only assess the publicly acknowledged ransom payments. Many victims never publicly report when they pay a ransom,” security firm Analyst1 said in a 58-page report [PDF] published this week.
Analyst1’s findings are in line with a similar report from blockchain analysis firm Chainalysis, which listed the Maze gang as the third most profitable ransomware operation —behind Ryuk and Doppelpaymer.
A previous report estimated Ryuk’s earnings at around $150 million. Doppelpaymer figures are not available.
Maze – a pioneering ransomware threat actor
But these high earnings are not an accident. The Maze gang is an infamous name in cybersecurity circles. The group began operating in May 2019, when the first samples of the Maze ransomware were seen in the wild.
The group managed a so-called RaaS (Ransomware-as-a-Service), allowing other cybercrime actors to rent access to their ransomware strain. These customers, also called affiliates, would breach companies and deploy the Maze gang’s ransomware as a way to encrypt files and extort payments.
But while there were plenty of ransomware gangs operating on similar RaaS schemes, the Maze group made a name for itself by creating a “leak site” where they’d often list companies they infected, which was a novelty at the time, in December 2019.
The idea was to put pressure on victims to pay their ransom demands and have their names removed from the site. If victims refused, Maze operators would start leaking samples of data they stole from victim networks before they encrypted their data. Victims who restored from backups and refused to pay often had tens of GB of internal files leaked online.
Maze-leak-site
However, for reasons still unknown today, the group switched its backend operations in the fall of 2020, when it rolled out a new RaaS for the Egregor ransomware strain while shutting down the Maze RaaS in November 2020.
But as several security firms had eventually discovered in late 2020, the Egregor ransomware contained code similar to the older Maze variant, and the group continued with the same extortion tactics, allowing investigators to formally link the two operations.
egregor-ransomware-leak-site
It’s also due to this overlap between the two services that security researchers began calling the Maze+Egregor group under the name of Twisted Spider.
One of the most active threats last year
But this branding change did not affect the gang’s success.
In fact, both Maze and Egregor ranked as the second and third most active RaaS services on the market, accounting for nearly a quarter of all victims listed on leak sites last year.
According to Analyst1’s report published this week, this heightened period of activity also translated into monetary profits, based on transactions the company was able to track on public blockchains.
However, this success also drew attention from law enforcement, which began investing heavy resources into investigating and tracking down the group.
Currently, the Maze/Egregor group is on a hiatus, having ceased operations after French and Ukrainian officials arrested three of their members in mid-February, including a member of its core team, a high-ranking French police official told The Record last month.
Besides a deep dive into Twisted Spider operations, the Analyst1 report also looks at other ransomware gangs, which the security firm claims are operating on a cartel model, where they interact and help each other for the sole purpose of boosting their profits by any means.
By Catalin Cimpanu
. April 9, 2021
The group behind the Maze and Egregor ransomware operations are believed to have earned at least $75 million worth of Bitcoin from ransom payments following intrusions at companies all over the world.
“We believe this figure to be much more significant, but we can only assess the publicly acknowledged ransom payments. Many victims never publicly report when they pay a ransom,” security firm Analyst1 said in a 58-page report [PDF] published this week.
Analyst1’s findings are in line with a similar report from blockchain analysis firm Chainalysis, which listed the Maze gang as the third most profitable ransomware operation —behind Ryuk and Doppelpaymer.
A previous report estimated Ryuk’s earnings at around $150 million. Doppelpaymer figures are not available.
Maze – a pioneering ransomware threat actor
But these high earnings are not an accident. The Maze gang is an infamous name in cybersecurity circles. The group began operating in May 2019, when the first samples of the Maze ransomware were seen in the wild.
The group managed a so-called RaaS (Ransomware-as-a-Service), allowing other cybercrime actors to rent access to their ransomware strain. These customers, also called affiliates, would breach companies and deploy the Maze gang’s ransomware as a way to encrypt files and extort payments.
But while there were plenty of ransomware gangs operating on similar RaaS schemes, the Maze group made a name for itself by creating a “leak site” where they’d often list companies they infected, which was a novelty at the time, in December 2019.
The idea was to put pressure on victims to pay their ransom demands and have their names removed from the site. If victims refused, Maze operators would start leaking samples of data they stole from victim networks before they encrypted their data. Victims who restored from backups and refused to pay often had tens of GB of internal files leaked online.
Maze-leak-site
However, for reasons still unknown today, the group switched its backend operations in the fall of 2020, when it rolled out a new RaaS for the Egregor ransomware strain while shutting down the Maze RaaS in November 2020.
But as several security firms had eventually discovered in late 2020, the Egregor ransomware contained code similar to the older Maze variant, and the group continued with the same extortion tactics, allowing investigators to formally link the two operations.
egregor-ransomware-leak-site
It’s also due to this overlap between the two services that security researchers began calling the Maze+Egregor group under the name of Twisted Spider.
One of the most active threats last year
But this branding change did not affect the gang’s success.
In fact, both Maze and Egregor ranked as the second and third most active RaaS services on the market, accounting for nearly a quarter of all victims listed on leak sites last year.
According to Analyst1’s report published this week, this heightened period of activity also translated into monetary profits, based on transactions the company was able to track on public blockchains.
However, this success also drew attention from law enforcement, which began investing heavy resources into investigating and tracking down the group.
Currently, the Maze/Egregor group is on a hiatus, having ceased operations after French and Ukrainian officials arrested three of their members in mid-February, including a member of its core team, a high-ranking French police official told The Record last month.
Besides a deep dive into Twisted Spider operations, the Analyst1 report also looks at other ransomware gangs, which the security firm claims are operating on a cartel model, where they interact and help each other for the sole purpose of boosting their profits by any means.