Threat Actor Profile
Description
The Maze ransomware group is one of the best-known ransomware gangs; it targeted organizations worldwide across many industries. Security researchers believed that Maze operated on an affiliate network model. MAZE was one of the first groups to carry out a 'Double Extortion Attack': in an incident involving Allied Universal in November 2019, the group leaked its victim's data on the darknet. On November 1, 2020, MAZE announced in an official press release that it was closing its operation. Security researchers claim that the threat actor behind the MAZE group is 'TA2101'.
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
STIX Data
{'added_date': None,
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': 'Maze ransomware group is one of the most known ransomware '
                'gangs, they targeted organizations worldwide across many '
                'industries. Security researchers believed that Maze operates '
                'as an affiliated network model. MAZE was one of the first '
                "groups that made a 'Double Extortion Attack' involved Allied "
                "Universal, in November 2019, the group leaks their victim's "
                'data in the darknet. On November 1, 2020, MAZE announced an '
                'official press release that they are closing their operation. '
                'is malware targeting organizations worldwide across many '
                'industries. Security researchers claim that the threat actor '
                "behind the MAZE group is 'TA2101'.",
 'firstseen': '2019-10-21T00:00:00+00:00',
 'group': 'maze',
 'has_negotiations': False,
 'has_ransomnote': True,
 'lastseen': '2020-09-11T00:00:00+00:00',
 'locations': [{'available': False,
                'fqdn': 'xfr3txoorcyy7tikjgj5dk3rvo3vsrpyaxnclyohkbfp3h277ap4tiad.onion',
                'slug': 'http://xfr3txoorcyy7tikjgj5dk3rvo3vsrpyaxnclyohkbfp3h277ap4tiad.onion',
                'title': '',
                'type': 'DLS'}],
 'negotiation_count': 0,
 'ransomnotes_count': 1,
 'tiaras_metadata': {'has_negotiations': False,
                     'has_ransomnote': True,
                     'locations': [{'available': False,
                                    'fqdn': 'xfr3txoorcyy7tikjgj5dk3rvo3vsrpyaxnclyohkbfp3h277ap4tiad.onion',
                                    'slug': 'http://xfr3txoorcyy7tikjgj5dk3rvo3vsrpyaxnclyohkbfp3h277ap4tiad.onion',
                                    'title': '',
                                    'type': 'DLS'}],
                     'negotiation_count': 0,
                     'ransomnotes_count': 1,
                     'ransomware_live_group': 'maze',
                     'tools': {'CredentialTheft': ['Mimikatz', 'ProcDump'],
                               'DefenseEvasion': [],
                               'DiscoveryEnum': ['AdFind',
                                                 'Advanced IP Scanner',
                                                 'Bloodhound',
                                                 'PingCastle',
                                                 'PowerView',
                                                 'ShareFinder'],
                               'Exfiltration': ['WinSCP'],
                               'LOLBAS': ['PsExec', 'WMIC'],
                               'Networking': [],
                               'Offsec': ['Cobalt Strike',
                                          'Metasploit',
                                          'Meterpreter',
                                          'PowerSploit'],
                               'RMM-Tools': []},
                     'url': 'https://www.ransomware.live/group/maze',
                     'victims': 59,
                     'vulnerabilities': []},
 'tiaras_source': 'ransomware.live',
 'tools': {'CredentialTheft': ['Mimikatz', 'ProcDump'],
           'DefenseEvasion': [],
           'DiscoveryEnum': ['AdFind',
                             'Advanced IP Scanner',
                             'Bloodhound',
                             'PingCastle',
                             'PowerView',
                             'ShareFinder'],
           'Exfiltration': ['WinSCP'],
           'LOLBAS': ['PsExec', 'WMIC'],
           'Networking': [],
           'Offsec': ['Cobalt Strike',
                      'Metasploit',
                      'Meterpreter',
                      'PowerSploit'],
           'RMM-Tools': []},
 'ttps': [],
 'url': 'https://www.ransomware.live/group/maze',
 'victims': 59,
 'vulnerabilities': []}