Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
71
Global rank
119 infographic chevron month
Month rank
118 infographic chevron week
Week rank
0
IOCs

Maze is ransomware — a malware type that encrypts the victim’s files and restores the data in exchange for a ransom payment. One of the most distinguishable features of Maze is that it is one of the first malware of the kind to publicly release stolen data.

Ransomware
Type
Unknown
Origin
29 May, 2019
First seen
7 October, 2025
Last seen
Also known as
ChaCha

How to analyze Maze with ANY.RUN

Type
Unknown
Origin
29 May, 2019
First seen
7 October, 2025
Last seen

IOCs

IP addresses
194.156.98.89
80.92.205.135
124.156.138.199
92.38.178.246
194.85.1.47
45.144.31.55
45.140.147.172
195.123.247.73
45.153.231.67
45.153.231.103
104.168.201.35
192.99.172.143
192.119.106.235
80.249.146.61
91.208.184.174
54.39.233.188
104.168.201.47
149.56.245.196
37.1.210.52
94.232.40.167
Hashes
f9dfdce85f83d7a416ecc162a9f68643357b1fd10ea29e6b2cd934b967192a74
c32c9f254ca09bea50b5ccb840f15a7b79ecae580625b6070d4283483a7da987
c7fb04d2fc49fdb1215a256757b27d06d71c4797e28ad5c4de6456271f61616e
5603a16cbf81d183d3ff4ffea5477af1a4be01321865f0978c0e128051ec0a82
f03172bd32ed16df6dda8e8146d24b073b864da59d669218fcc5e97835a5e956
ebbb5ac2be538edff5560ef74b996a3fbc3589b3063074c5037da05acd6374d2
7c03b49d24c948f838b737fb476d57849a1fd6b205f94214bf2a5a3b7a36f17a
c040defb9c90074b489857f328d3e0040ac0ddab26cde132f17cccae7f1309cc
ec672b8395b72dfc14c11a5fecd1dd85356a72a106656a1d67fdd8f8162f6efe
877c735650488f81807239a0ca564c8faa660a8c9141a9aba2049b9fe1d5b2fb
806fc33650b7ec35dd01a06be3037674ae3cc0db6ba1e3f690ee9ba9403c0627
02d881e51d79ace66f90eaf66628ed94617d25d18e301470995102a299ee2a03
58fe9776f33628fd965d1bcc442ec8dc5bfae0c648dcaec400f6090633484806
7656d6519e0305bd95d4228387ffcd7b419ed7ede733b077755d1773f24302b1
9ce40c2bc1fee220bd750cbae491e70b21dc361c961020f7b35b7a360861f89f
2400a3e1e3b4092824d483f5fcff25a22d357fce246031befa7e2e402c110a73
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e
11f033cabac0cc005a78a61c9d4fa05041102b4ad3aa775121c5fc583a533b41
3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363
Domains
mazedecrypt.top
mazenews.online
officecloud.top
xfr3txoorcyy7tikjgj5dk3rvo3vsrpyaxnclyohkbfp3h277ap4tiad.onion
aoacugmutagkwctu.onion
globalsign.icu
ocspverisign.pw
mazenews.top
newsmaze.top
jardinaix.fr
tosayoj.com
letwiki.com
work.time12.cf
ns1.sunnykkf.xyz
extrsports.ru
cloud20.tk
corpsolution.net
sicurezza.me
aloha-edc.net
bezahlen-1und1.icu
URLs
http://92.63.37.100/tracker/payout/utfwepaoto.action
http://92.63.8.47/yenlqrhxdr.cgi
http://91.218.114.4/sxugdkuelw.php
http://91.218.114.4/webauth/pv.php
http://92.63.8.47/post/mfriu.action
http://92.63.8.47/login/webauth/sbj.php
http://92.63.194.20/ticket/gdkl.html
http://92.63.37.100/check/hvijbdlfw.aspx
http://92.63.32.2/create/task/q.jsp
http://92.63.8.47/hjemb.shtml
http://92.63.37.100/view/spgal.asp
http://92.63.8.47/post/signout/kqyiarwtf.aspx
http://91.218.114.4/burkuw.asp
http://91.218.114.4/analytics/webaccess/cilrlfue.cgi
http://91.218.114.4/n.jsp
http://91.218.114.4/news/post/punqxrc.asp
http://92.63.8.47/content/ygqcmqsxc.action
http://92.63.8.47/task/view/rrahjydic.html
http://92.63.8.47/payout/webauth/qmeklhwix.jsp
http://92.63.8.47/vhwrkeolmn.action
Last Seen at

Recent blog posts

post image
How to Grow SOC Team Expertise for Ultimate T...
watchers 143
comments 0
post image
Phishing, Cloud Abuse, and Evasion: Advanced...
watchers 497
comments 0
post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 3572
comments 0

What is Maze malware?

Maze, also called ChaCha, is ransomware — a malicious program that encrypts files of the victim and demands a ransom in exchange for a decryption key that restores information. A defining feature of Maze is that it publically releases sensitive files to the public unless the ransom is paid.

Maze ransomware has been operating actively since 2019 and, unfortunately, the attack volume from this malware has been on a steady rise since that time.

General description of Maze ransomware

It’s not a new strategy among ransomware operators to issue threats about making sensitive data public unless the victim gives in to the demands of the criminals. However, before the occurrence of Maze, most of these threats remained largely idle. They served as a psychological weapon, helping threat actors to strongarm victims into paying.

However, the situation changed drastically with Maze.

In November 2019, the group behind Maze managed to infiltrate Allied Universal: one of the leading private security companies in the US. The cyber gang claimed that they have gained complete control of the Allied network and threatened to make the data public unless the company paid up.

Allied Universal decided to ignore the demands. In reply, hackers behind the virus first contacted a well-known computer help site, asking them to publish a story about the attack to serve as a public warning. When the website declined, the Maze gang uploaded 700MB worth of sensitive information on an underground forum. The data included lists of active users, email certificates, encryption keys, and more.

In another Maze ransomware attack, 2GB of files belonging to the City of Pensacola were made public. The attack severely damaged the computer network of Pensacola, forcing it to temporarily shut down the network. As per the data breach, the virus's actors declared that the information was leaked as evidence, showing how deeply they managed to infiltrate the network.

This is a very important point about Maze. Researchers should note that largely after Maze’s occurrence ransomware attacks can be considered data breaches, as more and more ransomware strains gain the ability to infiltrate networks and perform data-stealing activities before encrypting the files.

Furthermore, with the case of Maze, even backups are not safe. Actually, sometimes they become a week point. Maze creators revealed that after infecting the initial endpoint, their ransomware targets cloud backups by laterally spreading through the network and stealing needed credentials. This is useful for threat actors not only because it allows deleting the backup before encryption, but also because that backup most likely contains the most valuable data.

Unfortunately, this tactic has proved effective as at least one company fell victim to it and lost its backups. Of course, an incident like this can only happen if backup credentials are stored in the compromised network, thus correct backup configuration is incredibly important.

It should also be noted that the virus uses several advanced code obfuscation techniques that make static analysis very complicated. Threat actors behind the virus evidently stay on top of the progress done by security researchers on their malware. They contact cybersecurity media and like to tease industry professionals and play cat and mouse.

Maze malware analysis

In this video recorded in the ANY.RUN interactive malware hunting service we can view how the Maze execution unfolds.

maze_ransomware_process_graph

Figure 1: Shows the graph of processes created by the ANY.RUN interactive malware analysis service

maze_ransomware_note

Figure 2: Wallpapers with ransom message set by Maze

Maze execution process

The execution process of Maze is kind of typical for this type of malware, for example Phobos or Sodinokibi. After the executable file makes its way into an infected system and runs, the main malicious activity begins. After the start of execution, the ransomware deletes shadow copies. After it encrypts all targeted files, Maze drops a ransom note on the desktop. It also often changes the wallpaper to its own with a ransom text.

Notably, just like Sodinokibi aka REvil ransomware, this family has a similar infrastructure — websites with "tech support", information about cryptocurrency and ways to buy it, trial decryption, and chat. Crooks behind the Maze ransomware are also kind of cocky and post links to the information about their successful attacks on their website.

Maze ransomware distribution

Maze is distributed using several different ways. It has utilized the Spelevo and Fallout exploit kits and one of the vulnerabilities that Maze is targeting is the CVE-2018-15982 vulnerability in Flash Player. It is also worth noting that in the case of the Fallout kit, the users were redirected to the exploit from a fake cryptocurrency trading platform.

Another observed attack vector is via email spam campaigns containing a Microsoft Office document with a malicious macro.

How to detect Maze malware?

Maze ransomware can be detected by many different activities — sometimes it creates certain files or it can be detected by Suricata network threats. The most common is the Maze ransom note — not only does it have similarities with notes from other tasks, but it also contains self-defining strings: maze ransomware, mazedecrypt, and maze key.

Analysts can take a look at these notes by using ANY.RUN Static Discovering. Click on the "Files modification" tab, then find the file with the name such as " DECRYPT-FILES.txt". To take a look inside this file just click on it.

If you find word combinations such as "maze ransomware", "mazedecrypt" and "maze key", then be sure this sample is Maze ransomware.

how_to_detect_maze_ransomware

Figure 3: How to detect Maze ransomware by its ransom note?

Conclusion

Maze is a significant threat to organizations and private users. This virus not only encrypts information but also strong-arms the victims into paying the ransom, threatening to release sensitive information. Unfortunately, Maze launched a little bit of a trend among threat actors and more and more ransomware in the wild is starting to exhibit similar behavior.

The situation is further complicated by advanced code obfuscation techniques that the Maze features, making the static analysis process quite difficult. Thankfully, interactive malware analysis services like ANY.RUN allows to carry out dynamic analysis almost as quickly and easily as static, giving researchers a chance to collect invaluable information about this ransomware.

P.S.

maze team press release screenshot Figure 4: Screenshot of the Maze team press release

On the 1st November 2020, the "team" behind the Maze ransomware published their pretentious press release about the end of the "project" and it has shut down its operations. Unlike some other groups behind ransomware, they haven't published the encryption keys.

HAVE A LOOK AT

Fog Ransomware screenshot
Fog is a ransomware strain that locks and steals sensitive information both on Windows and Linux endpoints. The medial ransom demand is $220,000. The medial payment is $100,000. First spotted in the spring of 2024, it was used to attack educational organizations in the USA, later expanding on other sectors and countries. Main distribution method — compromised VPN credentials.
Read More
Cobalt Strike screenshot
Cobalt Strike
cobaltstrike
Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.
Read More
DarkTortilla screenshot
DarkTortilla
darktortilla
DarkTortilla is a crypter used by attackers to spread harmful software. It can modify system files to stay hidden and active. DarkTortilla is a multi-stage crypter that relies on several components to operate. It is often distributed through phishing sites that look like real services.
Read More
Remote Access Trojan screenshot
Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More