Cyber Threat Actor: Maze Ransomware operators
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
United States of America
|
2 incidents |
|---|
Profile
The threat actor known as Maze Ransomware operators, also tracked as TA2101, is a cybercriminal group that has been identified as operating from the United States of America. The group uses the alias Maze to refer to its ransomware operations and the associated leak‑site infrastructure that it maintains for extortion purposes. Publicly reported activity shows that the actors have targeted organizations in the manufacturing and healthcare sectors, with victims located in Vietnam and the United States. Their primary objective appears to be financial gain through the deployment of ransomware coupled with threats to release stolen data, a model commonly described as double extortion.
Observed tactics include the use of the Maze ransomware malware family to encrypt files after first exfiltrating sensitive data from the victim network. The actors consistently employ a double‑extortion model, uploading samples of the stolen information to a public leak site and threatening to publish the remainder unless a ransom is paid. In the healthcare incident, filenames were structured to reveal protected health information without opening the files, increasing the pressure on the victim. While specific initial‑access vectors are not detailed in the available reports, the pattern of data theft prior to encryption indicates that the actors gained sufficient network presence to harvest credentials or exploit vulnerabilities before deploying the ransomware. Their tooling style is characterized by the creation of dedicated leak sites where they host and distribute exfiltrated files, a practice that distinguishes them from ransomware groups that rely solely on encryption.
Two representative incidents illustrate the group’s methodology: in August 2020 they compromised a Vietnamese steel manufacturer, exfiltrating a 1.64 GB archive containing employee offer letters, photographs, resumes, academic records and identity cards, of which they leaked approximately 5 % while threatening further disclosure of the remaining data. In the same month they attacked a U.S. healthcare provider, posting a sample of patient records that included names, dates of birth, medications and diagnostic results on their leak site before a second ransomware group later posted additional files, highlighting the potential for overlapping extortion efforts. Although the healthcare victim maintained operational backups and no ransom payment was confirmed, the steel manufacturer faced public disclosure of personal information. To date, no public attribution links Maze to a state sponsor or a larger criminal consortium, and the group’s activities are described solely as financially motivated cybercrime.
