As the developers of the Maze ransomware announce their exit from the malware scene, clients are now thought to be turning to Egregor as a substitute.

The Maze group has been a devastating force for companies that have fallen victim to the cybercriminals over the past year. 

What has separated Maze from many other threat groups in the past is its practices following infection. Maze would attack a corporate resource, encrypt files or just focus on stealing proprietary data, and then demand payment -- often reaching six figures[1] -- in cryptocurrency.

If extortion attempts failed, the group would then create an entry on a dedicated Dark Web portal and release the data it had stolen. Canon[2], LG, and Xerox[3] are reported to be among organizations previously struck by Maze.

However, on November 1, the Maze group announced its "retirement," noting that there is no "official successor" and support for the malware would end after one month. 

Malwarebytes noted a drop-off[5] in infections since August and so says that withdrawal from the scene is "not really" an unexpected move.

However, that doesn't mean that previous customers of Maze would also quit the market, and the researchers suspect that "many of their affiliates have moved to a new family" known as Egregor, a spin-off of Ransom.Sekhmet[6].

According to an analysis conducted by Appgate[7], Egregor has been active since mid-September this year and, in this time, has been linked to alleged attacks against organizations including GEFCO and Barnes & Noble[8].

Egregor has also been associated with the Ransomware-as-a-Service (RaaS) model, in

Read more from our friends at ZDNet