[BreachExchange] Maze/Egregor ransomware cartel estimated to have made $75 million

Destry Winant destry at riskbasedsecurity.com
Tue Apr 13 10:21:42 EDT 2021


https://therecord.media/maze-egregor-ransomware-cartel-estimated-to-have-made-75-million/

The group behind the Maze and Egregor ransomware operations is
believed to have earned at least $75 million worth of Bitcoin from
ransom payments following intrusions at companies all over the world.

“We believe this figure to be much more significant, but we can only
assess the publicly acknowledged ransom payments. Many victims never
publicly report when they pay a ransom,” security firm Analyst1 said
in a 58-page report [PDF] published this week.

Analyst1’s findings are in line with a similar report from blockchain
analysis firm Chainalysis, which listed the Maze gang as the third
most profitable ransomware operation, behind Ryuk and Doppelpaymer.

A previous report estimated Ryuk’s earnings at around $150 million.
Doppelpaymer figures are not available.

Maze – a pioneering ransomware threat actor

But these high earnings are not an accident. The Maze gang is an
infamous name in cybersecurity circles. The group began operating in
May 2019, when the first samples of the Maze ransomware were seen in
the wild.

The group managed a so-called RaaS (Ransomware-as-a-Service), allowing
other cybercrime actors to rent access to their ransomware strain.
These customers, also called affiliates, would breach companies and
deploy the Maze gang’s ransomware as a way to encrypt files and extort
payments.

But while there were plenty of ransomware gangs operating on similar
RaaS schemes, the Maze group made a name for itself in December 2019
by creating a “leak site” where it listed companies it had infected,
which was a novelty at the time.

The idea was to put pressure on victims to pay their ransom demands
and have their names removed from the site. If victims refused, Maze
operators would start leaking samples of data they stole from victim
networks before they encrypted their data. Victims who restored from
backups and refused to pay often had tens of GB of internal files
leaked online.

However, for reasons still unknown today, the group switched its
backend operations in the fall of 2020, when it rolled out a new RaaS
for the Egregor ransomware strain while shutting down the Maze RaaS in
November 2020.

But as several security firms eventually discovered in late 2020,
the Egregor ransomware contained code similar to the older Maze
variant, and the group continued with the same extortion tactics,
allowing investigators to formally link the two operations.

It’s also because of this overlap between the two services that security
researchers began referring to the combined Maze/Egregor group as
Twisted Spider.

One of the most active threats last year

But this branding change did not affect the gang’s success.

In fact, Maze and Egregor ranked as the second and third most
active RaaS services on the market, together accounting for nearly a
quarter of all victims listed on leak sites last year.

According to Analyst1’s report published this week, this heightened
period of activity also translated into monetary profits, based on
transactions the company was able to track on public blockchains.

However, this success also drew attention from law enforcement, which
began investing heavy resources into investigating and tracking down
the group.

Currently, the Maze/Egregor group is on a hiatus, having ceased
operations after French and Ukrainian officials arrested three of
their members in mid-February, including a member of its core team, a
high-ranking French police official told The Record last month.

Besides a deep dive into Twisted Spider operations, the Analyst1
report also looks at other ransomware gangs, which the security firm
claims are operating on a cartel model, where they interact and help
each other for the sole purpose of boosting their profits by any
means.
