Maze/Egregor ransomware cartel estimated to have made $75 million

The group behind the Maze and Egregor ransomware operations are believed to have earned at least $75 million worth of Bitcoin from ransom payments following intrusions at companies all over the world.

"We believe this figure to be much more significant, but we can only assess the publicly acknowledged ransom payments. Many victims never publicly report when they pay a ransom," security firm Analyst1 said in a 58-page report [PDF] published this week.

Analyst1's findings are in line with a similar report from blockchain analysis firm Chainalysis, which listed the Maze gang as the third most profitable ransomware operation —behind Ryuk and Doppelpaymer.

A previous report estimated Ryuk's earnings at around $150 million. Doppelpaymer figures are not available.

Maze - a pioneering ransomware threat actor

But these high earnings are not an accident. The Maze gang is an infamous name in cybersecurity circles. The group began operating in May 2019, when the first samples of the Maze ransomware were seen in the wild.

The group managed a so-called RaaS (Ransomware-as-a-Service), allowing other cybercrime actors to rent access to their ransomware strain. These customers, also called affiliates, would breach companies and deploy the Maze gang's ransomware as a way to encrypt files and extort payments.

But while there were plenty of ransomware gangs operating on similar RaaS schemes, the Maze group made a name for itself by creating a "leak site" where they'd often list companies they infected, which was a novelty at the time, in December 2019.

The idea was to put pressure on victims to pay their ransom demands and have their names removed from the site. If victims refused, Maze operators would start leaking samples of data they stole from victim networks before they encrypted their data. Victims who restored from backups and refused to pay often had tens of GB of internal files leaked online.


However, for reasons still unknown today, the group switched its backend operations in the fall of 2020, when it rolled out a new RaaS for the Egregor ransomware strain while shutting down the Maze RaaS in November 2020.

But as several security firms had eventually discovered in late 2020, the Egregor ransomware contained code similar to the older Maze variant, and the group continued with the same extortion tactics, allowing investigators to formally link the two operations.


It's also due to this overlap between the two services that security researchers began calling the Maze+Egregor group under the name of Twisted Spider.

One of the most active threats last year

But this branding change did not affect the gang's success.

In fact, both Maze and Egregor ranked as the second and third most active RaaS services on the market, accounting for nearly a quarter of all victims listed on leak sites last year.

According to Analyst1's report published this week, this heightened period of activity also translated into monetary profits, based on transactions the company was able to track on public blockchains.

However, this success also drew attention from law enforcement, which began investing heavy resources into investigating and tracking down the group.

Currently, the Maze/Egregor group is on a hiatus, having ceased operations after French and Ukrainian officials arrested three of their members in mid-February, including a member of its core team, a high-ranking French police official told The Record last month.

Besides a deep dive into Twisted Spider operations, the Analyst1 report also looks at other ransomware gangs, which the security firm claims are operating on a cartel model, where they interact and help each other for the sole purpose of boosting their profits by any means.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.