Menu
Browse

Cyber Threat Actor: Maze Team

Aliases: 8 aliases
Actor Type Location Known Incidents
 Icon
Criminal
Russia
50 incidents
Profile

The Maze ransomware group, also known as Maze Team, Maze Cartel, Maze Crew, or Maze Ransomware Cartel, operated as a financially motivated cybercriminal entity with activities publicly documented in 2020. This threat actor primarily targeted healthcare providers, educational institutions, and technology organizations across multiple regions, including the United States, Australia, and South Korea. Their operations consistently employed double-extortion tactics, combining data encryption with threats to publicly leak stolen sensitive information unless ransom demands were met. Maze maintained dedicated leak sites to publish exfiltrated data as leverage, often releasing partial datasets to substantiate compromise claims. The group demonstrated a pattern of attacking entities handling sensitive personal or proprietary data, including patient medical records, student information, and corporate intellectual property.

Notable incidents attributed to Maze include attacks against healthcare providers such as Ventura Orthopedics and Australian aged care operators, where stolen patient records containing identifiers and medical details were leaked. The group simultaneously listed victims like Fairfax County Public Schools and Toledo Public Schools, compromising personally identifiable information of students and staff while disrupting educational operations. Maze’s compromise of semiconductor manufacturer SK hynix exemplified supply chain targeting, with leaked documents revealing confidential agreements with technology firms. Canon’s ransomware incident highlighted Maze’s capacity to disrupt critical business services, including cloud platforms causing permanent data loss. While the group’s Russian location was identified, no explicit state affiliation or criminal consortium ties were publicly confirmed. Maze frequently collaborated opportunistically with other ransomware operators, as evidenced by Conti-Ryuk’s parallel data leaks from shared healthcare victims, though the nature of these relationships remained unclear. Their operations relied on established ransomware tradecraft centered on data exfiltration and psychological pressure through public shaming of victims.

Incidents
Attributed incidents available to members
50 incidents
Sources
Sources available to members
0 sources