Maze and Egregor Ransomware Operators Earned Over $75 Million in Bitcoin
Cybersecurity researchers from Analyst1 have calculated that the hackers behind the Maze and Egregor ransomware have already received over $75,000,000 in ransom payments from their victims. The company’s findings are based on transactions that researchers were able to trace on public blockchains.
Interestingly, the experts’ conclusions fully align with a similar report from Chainalysis, whose analysts believe that Maze is the third most profitable ransomware after Ryuk and DoppelPaymer.
Background on Maze and Egregor
The Maze hacker group first made its presence known in May 2019, offering its malware to other criminals under the RaaS (Ransomware-as-a-Service) model. While many other extortion groups operated in a similar way at the time, Maze made a name for itself by being the first to create a “leak site,” where hackers listed infected companies and published stolen data. This tactic has been used by extortionists as leverage against their victims and continues to be a common strategy.
For unknown reasons, the group stopped operating the Maze ransomware in the fall of 2020, and it was replaced by Egregor, which continued to use the same RaaS model. Soon after, many researchers began referring to the group behind Maze and Egregor as Twisted Spider.
Current Status and Law Enforcement Actions
Currently, Maze and Egregor rank second and third in terms of RaaS activity, meaning that over the past year they were responsible for attacking a quarter of all victims listed on “leak sites.”
At present, the criminals are inactive: the group ceased operations after French and Ukrainian authorities arrested three of its members in mid-February. According to The Record, citing a high-ranking French police official, one of those arrested was a key member of the group.