Navigating MAZE: Ransomware Trends

Since November 2019, Mandiant experts have seen MAZE ransomware being used in attacks combining targeted ransomware use, public exposure of victim data, and an affiliate model. Malicious actors have actively deployed MAZE ransomware since at least May 2019. The ransomware was initially distributed via spam emails and exploit kits before later shifting to being deployed post-compromise.


Multiple actors are involved in MAZE ransomware operations according to our observations of alleged users in underground forums and distinct tactics, techniques, and procedures (TTPs) across Mandiant incident response engagements. Actors behind MAZE also maintain a public-facing website where they post data stolen from victims who refuse to pay an extortion fee.


Because MAZE combines two damaging intrusion outcomes—dumping sensitive data and disrupting enterprise networks—with a criminal service, it is a notable threat to many organizations. This article is based on information derived from numerous Mandiant incident response engagements and our own research into the MAZE ecosystem and operations.

Mandiant Threat Intelligence experts presented this idea and answered questions during the May 21 webinar.


Since November 2019, Mandiant analysts have become aware of more than 100 alleged MAZE victims reported by various media outlets and the MAZE website. Targeted organizations have been primarily based in North America, but spanned nearly every geographical region. Almost every industry sector—including manufacturing, legal, financial services, construction, healthcare, technology, retail, and government—has been impacted, demonstrating the indiscriminate nature of these operations (Fig. 1).

Figure 1: Countries impacted by MAZE ransomware

Pie chart

Figure 2: Industries impacted by MAZE ransomware

Industries impacted

Multiple MAZE Ransomware Actors Identified

Mandiant identified multiple Russian-speaking actors who claimed to use MAZE ransomware and were seeking partners to fulfill different functional roles within their teams. A panel used to manage targeted victims includes a section for affiliate transactions. This is consistent with Mandiant’s assessment that MAZE operates under an affiliate model and is not distributed by a single group. Under this business model, ransomware developers will partner with other actors (affiliates) who are responsible for distributing the malware.

MAZE Initially Distributed via Exploit Kits and Spam

MAZE ransomware was initially distributed directly via exploit kits and spam campaigns through late 2019. For example, in November 2019, Mandiant observed multiple email campaigns delivering Maze ransomware primarily to individuals at organizations in Germany and the United States, although a significant number of emails were also delivered to entities in Canada, Italy, and South Korea. These emails used tax, invoice, and package delivery themes with document attachments or inline links to documents that download and execute MAZE ransomware.

Shift to Post-Compromise Distribution Maximizes Impact

Actors using MAZE have increasingly shifted to deploying the ransomware post-compromise. This methodology provides an opportunity to infect more hosts within a victim’s environment and exfiltrate data that is used to apply additional pressure on organizations to pay extortion fees. In some cases, the actors behind these operations charge a fee for the non-release of stolen data, in addition to the fee for decryption key.


Based on our belief that the MAZE ransomware is distributed by multiple actors, we anticipate that the TTPs used in incidents associated with this ransomware will continue to vary, particularly in terms of the initial intrusion vector.

For effective countermeasures, read our Ransomware Protection and Containment Strategies blog post and the linked white paper.