Maze

Last Updated Apr 28, 2026

Also known as: ChaCha, Maze

Maze is a ransomware operation known for being the first to implement double extortion tactics.

🌍 Country Unknown

📅 Activity 2019 — 2020

📝 Last Updated Apr 28, 2026

⚡ Risk Level High

Healthcare Legal Technology

2019

2020

Introduction

Maze is a ransomware operation known for being the first to implement double extortion tactics.

Activities and Tactics

Targeted Sectors: Healthcare, Legal, Technology

Country of Origin: 🏳️ Unknown

Risk Level: High

First Seen: 2019

Last Activity: 2020

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

Ransomware Tool Matrix observations

Category	Observed tools
Credential Theft	Mimikatz, ProcDump
Discovery	AdFind, Advanced IP Scanner, Bloodhound, PingCastle, PowerView, ShareFinder
Exfiltration	WinSCP
LOLBAS	PsExec, WMIC
OffSec	Cobalt Strike, Metasploit, Meterpreter, PowerSploit

Attribution and Evidence

Country of Origin: Unknown Additional attribution information pending cataloguing.

References

References pending cataloguing.

Source Attribution

Structured source: MISP Galaxy

Manually curated from open source intelligence

Additional source provenance

misp galaxy Dataset
BushidoUK Ransomware Tool Matrix Tool observations were reviewed from the BushidoUK Ransomware Tool Matrix (https://github.com/BushidoUK/Ransomware-Tool-Matrix). The matrix is used here as a secondary ransomware tradecraft reference, not as sole attribution evidence. Repository Dataset

Source and license policy

🔍 Quick Filters

Top Countries

Risk Distribution

High

161

Critical

Low

Medium