S0449: Maze
Analyst context for executives and security teams
Maze is a Windows ransomware family associated in ATT&CK with both file encryption and pre-encryption information theft used for extortion. For leaders, the important point is not only workstation or server downtime; it is the combined business risk of operational disruption, data exposure, recovery pressure, and public disclosure risk.
Executive priority
Treat this as a resilience and incident-readiness scenario: can the organization detect suspicious execution, discovery, persistence, recovery inhibition, and encryption activity before business processes are interrupted? Executives should validate backup recoverability, data-theft response procedures, legal/compliance escalation paths, and whether SOC coverage includes the Windows behaviors ATT&CK associates with Maze. ATT&CK also links Maze usage to FIN6 and FIN7, so threat intelligence teams should use that context carefully for prioritization without assuming current targeting.
Technical view
ATT&CK provides no official detection text for Maze, so defenders should validate coverage through the related techniques. On Windows, prioritize detections for WMI and command-shell execution, scheduled tasks, registry run keys/startup folder persistence, masqueraded tasks or services, DLL injection indicators, msiexec proxy execution, process/system/network discovery, service stops, recovery inhibition, shutdown or reboot activity, web-protocol command-and-control, dynamic resolution, and high-volume file encryption behavior. Because Maze is described as stealing information before encryption, IR playbooks should include evidence preservation and data-exfiltration assessment, not only host restoration.
Likely telemetry
- Windows process creation and command-line telemetry
- WMI activity logs and remote/local WMI execution evidence
- Scheduled task creation, modification, and execution events
- Windows Registry changes for Run keys and startup locations
- Service creation, stop, disable, and suspicious service naming events
Detection direction
- Build behavior-based correlation rather than relying only on static malware signatures, because ATT&CK associates Maze with obfuscation and junk code insertion.
- Correlate discovery followed by persistence, service manipulation, recovery inhibition, and encryption-like file activity to reduce false positives from normal administration.
- Tune WMI, scheduled task, msiexec, command shell, and service-control analytics against known administrative tooling and maintenance windows.
- Validate whether endpoint visibility can see activity inside or related to virtual instances, since ATT&CK associates Maze with running a virtual instance for stealth.
- Monitor for recovery-inhibition behaviors as high-priority precursors to ransomware impact.
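As an added example (not part of the mirrored ATT&CK object or Glexia's analysis), the following Python sketch shows the correlation idea above over constructed Windows process-creation events: a single command that looks like administration is tolerated, but several Maze-associated stages on one host inside a time window raise an alert. The event layout, stage names and matching heuristics are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Stage matchers taken from the Maze procedure text on this page: masqueraded task names
# (the "Patches" variant contains the first), startup_vrun.bat, WMI shadow-volume deletion,
# SQL service stops and the reboot that hands off to the VM. Constructed heuristics:
# (stage, allowed image basenames or None, all-required lowercase command-line tokens).
STAGES = [
    ("persistence:masqueraded_task", {"schtasks.exe"}, ["/create", "windows update security"]),
    ("persistence:masqueraded_task", {"schtasks.exe"}, ["/create", "google chrome security update"]),
    ("persistence:startup_folder", None, ["startup_vrun.bat"]),
    ("recovery_inhibition:shadow_delete", {"wmic.exe"}, ["shadowcopy", "delete"]),
    ("service_stop:sql", {"net.exe", "sc.exe"}, ["stop", "sql"]),
    ("impact_precursor:reboot", {"shutdown.exe"}, ["/r"]),
]

def stage_of(image, cmdline):
    """Return the Maze-like stage one process-creation event matches, or None."""
    base, cmd = image.lower().rsplit("\\", 1)[-1], cmdline.lower()
    for stage, images, tokens in STAGES:
        if (images is None or base in images) and all(t in cmd for t in tokens):
            return stage
    return None
def correlate(events, window=timedelta(minutes=60), min_stages=3):
    """events are (host, iso_ts, image, cmdline); alert when one host shows >= min_stages
    distinct stages inside a sliding window. Returns {host: sorted stage list}."""
    per_host = defaultdict(list)
    for host, ts, image, cmdline in events:
        stage = stage_of(image, cmdline)
        if stage:
            per_host[host].append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()  # chronological
        for i, (t0, _) in enumerate(hits):
            seen = {s for t, s in hits[i:] if t - t0 <= window}
            if len(seen) >= min_stages:
                alerts[host] = sorted(seen)
                break
    return alerts
# Constructed sample telemetry (not real logs): WS01 shows the chain; ADMIN01 shows a
# routine SQL service stop that shares one command with it but never correlates.
SYS = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    ("WS01", "2020-05-01T02:00:00", SYS + "schtasks.exe",
     'schtasks /create /tn "Windows Update Security" /tr C:\\Temp\\run.bat /sc onstart'),
    ("WS01", "2020-05-01T02:05:00", SYS + "wbem\\wmic.exe", "wmic shadowcopy delete"),
    ("WS01", "2020-05-01T02:07:00", SYS + "net.exe", "net stop MSSQLSERVER /y"),
    ("WS01", "2020-05-01T02:09:00", SYS + "shutdown.exe", "shutdown /r /t 0"),
    ("ADMIN01", "2020-05-01T09:00:00", SYS + "net.exe", "net stop MSSQLSERVER"),
]
```

Tune `window` and `min_stages` against the maintenance windows and administrative tooling noted above; the point is that the alert fires on the combination, not on any one command.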
Mitigation priorities
- Prioritize tested, isolated, and recoverable backups, including controls that prevent routine administrative credentials from deleting recovery options.
- Harden Windows administrative pathways: restrict unnecessary WMI, command shell, scheduled task, service-control, registry autorun, and msiexec abuse where operationally feasible.
- Apply least privilege and administrative separation so persistence, service stopping, recovery inhibition, and broad file encryption require elevated access that is monitored and controlled.
- Maintain endpoint logging and response capability sufficient to preserve process, registry, service, module, file, and network evidence during a ransomware investigation.
- Prepare an extortion-aware incident response plan covering containment, restoration, legal/compliance notification analysis, and data exposure assessment.
Analyst notes and limits
The supplied ATT&CK object identifies Maze as Windows ransomware discovered in May 2019, previously known as ChaCha, with reported encryption for impact and information stealing used for extortion. Relationship context provides the main defensive value: it maps Maze to execution, persistence, privilege-escalation, stealth, discovery, command-and-control, and impact techniques, and to use by FIN6 and FIN7.
Official ATT&CK detection guidance is not provided, and the object has no explicit tactic list. Some related technique descriptions include non-Windows platforms, but the Maze object platform supplied here is Windows. This summary does not establish current exploitation, victim exposure, or attribution in any environment; local telemetry and incident evidence are required.
Maze
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact | |
| Enterprise | T1027.016 | Junk Code Insertion Sub-technique | Maze has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process. [2] |
| Enterprise | T1082 | System Information Discovery | Maze has checked the language of the infected system using the "GetUserDefaultUILanguage" function. [2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Maze has created a file named "startup_vrun.bat" in the Startup folder of a virtual machine to establish persistence. [3] |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Maze operators have created scheduled tasks masquerading as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update" designed to launch the ransomware. [3] |
| Enterprise | T1614.001 | System Language Discovery Sub-technique | Maze has checked the language of the machine with function |
| Enterprise | T1049 | System Network Connections Discovery | Maze has used the "WNetOpenEnumW", "WNetEnumResourceW", "WNetCloseEnum" and "WNetAddConnection2W" functions to enumerate the network resources on the infected machine. [2] |
| Enterprise | T1564.006 | Run Virtual Instance Sub-technique | Maze operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual machine's configuration file mapped the shared network drives of the target company, presumably so Maze can encrypt files on the shared drives as well as the local machine. [3] |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | Maze has injected the malware DLL into a target process. [2][3] |
| Enterprise | T1529 | System Shutdown/Reboot | Maze has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM. [3] |
| Enterprise | T1568 | Dynamic Resolution | Maze has forged POST strings with a random choice from a list of possibilities including "forum", "php", "view", etc. while making connection with the C2, hindering detection efforts. [2] |
| Enterprise | T1106 | Native API | Maze has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others. [2] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Maze has communicated to hard-coded IP addresses via HTTP. [2] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | The Maze encryption process has used batch scripts with various commands. [1][3] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | |
| Enterprise | T1685 | Disable or Modify Tools | Maze has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg. [2] It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services. [3] |
| Enterprise | T1047 | Windows Management Instrumentation | Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network. [2][3] |
| Enterprise | T1057 | Process Discovery | Maze has gathered all of the running system processes. [2] |
| Enterprise | T1070 | Indicator Removal | Maze has used the "Wow64RevertWow64FsRedirection" function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection. [2] |
| Enterprise | T1489 | Service Stop | Maze has stopped SQL services to ensure it can encrypt any database. [3] |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1218.007 | Msiexec Sub-technique | Maze has delivered components for its ransomware attacks using MSI files, some of which have been executed from the command-line using |
| Enterprise | T1490 | Inhibit System Recovery | Maze has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process. [2][3] |
Groups, software, and campaigns
G0037: FIN6
G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | a09fb6c2b22d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye Maze May 2020: Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.
[2] McAfee Maze March 2020: Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
[3] Sophos Maze VM September 2020: Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
[4] mitre-attack S0449
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.