S0449: Maze

Maze is a Windows ransomware family associated in ATT&CK with both file encryption and pre-encryption information theft used for extortion. For leaders, the important point is not only workstation or server downtime; it is the combined business risk of operational disruption, data exposure, recovery pressure, and public disclosure risk.

Executive priority

Treat this as a resilience and incident-readiness scenario: can the organization detect suspicious execution, discovery, persistence, recovery inhibition, and encryption activity before business processes are interrupted? Executives should validate backup recoverability, data-theft response procedures, legal/compliance escalation paths, and whether SOC coverage includes the Windows behaviors ATT&CK associates with Maze. ATT&CK also links Maze usage to FIN6 and FIN7, so threat intelligence teams should use that context carefully for prioritization without assuming current targeting.

Technical view

ATT&CK provides no official detection text for Maze, so defenders should validate coverage through the related techniques. On Windows, prioritize detections for WMI and command-shell execution, scheduled tasks, registry run keys/startup folder persistence, masqueraded tasks or services, DLL injection indicators, msiexec proxy execution, process/system/network discovery, service stops, recovery inhibition, shutdown or reboot activity, web-protocol command-and-control, dynamic resolution, and high-volume file encryption behavior. Because Maze is described as stealing information before encryption, IR playbooks should include evidence preservation and data-exfiltration assessment, not only host restoration.

Likely telemetry

Windows process creation and command-line telemetry
WMI activity logs and remote/local WMI execution evidence
Scheduled task creation, modification, and execution events
Windows Registry changes for Run keys and startup locations
Service creation, stop, disable, and suspicious service naming events

Detection direction

Build behavior-based correlation rather than relying only on static malware signatures, because ATT&CK associates Maze with obfuscation and junk code insertion.
Correlate discovery followed by persistence, service manipulation, recovery inhibition, and encryption-like file activity to reduce false positives from normal administration.
Tune WMI, scheduled task, msiexec, command shell, and service-control analytics against known administrative tooling and maintenance windows.
Validate whether endpoint visibility can see activity inside or related to virtual instances, since ATT&CK associates Maze with running a virtual instance for stealth.
Monitor for recovery-inhibition behaviors as high-priority precursors to ransomware impact.

Mitigation priorities

Prioritize tested, isolated, and recoverable backups, including controls that prevent routine administrative credentials from deleting recovery options.
Harden Windows administrative pathways: restrict unnecessary WMI, command shell, scheduled task, service-control, registry autorun, and msiexec abuse where operationally feasible.
Apply least privilege and administrative separation so persistence, service stopping, recovery inhibition, and broad file encryption require elevated access that is monitored and controlled.
Maintain endpoint logging and response capability sufficient to preserve process, registry, service, module, file, and network evidence during a ransomware investigation.
Prepare an extortion-aware incident response plan covering containment, restoration, legal/compliance notification analysis, and data exposure assessment.

Analyst notes and limits

The supplied ATT&CK object identifies Maze as Windows ransomware discovered in May 2019, previously known as ChaCha, with reported encryption for impact and information stealing used for extortion. Relationship context provides the main defensive value: it maps Maze to execution, persistence, privilege-escalation, stealth, discovery, command-and-control, and impact techniques, and to use by FIN6 and FIN7.

Official ATT&CK detection guidance is not provided, and the object has no explicit tactic list. Some related technique descriptions include non-Windows platforms, but the Maze object platform supplied here is Windows. This summary does not establish current exploitation, victim exposure, or attribution in any environment; local telemetry and incident evidence are required.

Official MITRE ATT&CK definition

Maze

Maze ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, Maze operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 23 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1486	Data Encrypted for Impact	Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.[1]
Enterprise	T1027.016	Junk Code Insertion Sub-technique	Maze has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process.[2]
Enterprise	T1082	System Information Discovery	Maze has checked the language of the infected system using the "GetUSerDefaultUILanguage" function.[2]
Enterprise	T1547.001	Registry Run Keys / Startup Folder Sub-technique	Maze has created a file named "startup_vrun.bat" in the Startup folder of a virtual machine to establish persistence.[3]
Enterprise	T1036.004	Masquerade Task or Service Sub-technique	Maze operators have created scheduled tasks masquerading as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update" designed to launch the ransomware.[3]
Enterprise	T1614.001	System Language Discovery Sub-technique	Maze has checked the language of the machine with function `GetUserDefaultUILanguage` and terminated execution if the language matches with an entry in the predefined list.[2]
Enterprise	T1049	System Network Connections Discovery	Maze has used the "WNetOpenEnumW", "WNetEnumResourceW”, “WNetCloseEnum” and “WNetAddConnection2W” functions to enumerate the network resources on the infected machine.[2]
Enterprise	T1564.006	Run Virtual Instance Sub-technique	Maze operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual machine's configuration file mapped the shared network drives of the target company, presumably so Maze can encrypt files on the shared drives as well as the local machine.[3]
Enterprise	T1055.001	Dynamic-link Library Injection Sub-technique	Maze has injected the malware DLL into a target process.[2][3]
Enterprise	T1529	System Shutdown/Reboot	Maze has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM.[3]
Enterprise	T1568	Dynamic Resolution	Maze has forged POST strings with a random choice from a list of possibilities including "forum", "php", "view", etc. while making connection with the C2, hindering detection efforts.[2]
Enterprise	T1106	Native API	Maze has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others.[2]
Enterprise	T1071.001	Web Protocols Sub-technique	Maze has communicated to hard-coded IP addresses via HTTP.[2]
Enterprise	T1059.003	Windows Command Shell Sub-technique	The Maze encryption process has used batch scripts with various commands.[1][3]
Enterprise	T1053.005	Scheduled Task Sub-technique	Maze has created scheduled tasks using name variants such as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update", to launch Maze at a specific time.[3]
Enterprise	T1685	Disable or Modify Tools	Maze has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg.[2] It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services.[3]
Enterprise	T1047	Windows Management Instrumentation	Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network.[2][3]
Enterprise	T1057	Process Discovery	Maze has gathered all of the running system processes.[2]
Enterprise	T1070	Indicator Removal	Maze has used the “Wow64RevertWow64FsRedirection” function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.[2]
Enterprise	T1489	Service Stop	Maze has stopped SQL services to ensure it can encrypt any database.[3]
Enterprise	T1027	Obfuscated Files or Information	Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis.[2]
Enterprise	T1218.007	Msiexec Sub-technique	Maze has delivered components for its ransomware attacks using MSI files, some of which have been executed from the command-line using `msiexec`.[3]
Enterprise	T1490	Inhibit System Recovery	Maze has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.[2][3]

Associated objects

Groups, software, and campaigns

G0037: FIN6

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.[1][2]

G0046: FIN7

FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.2
Created: May 18, 2020, 16:17 UTC (UTC+00:00)
Modified: Apr 25, 2025, 14:44 UTC (UTC+00:00)
Raw hash: a09fb6c2b22deb20...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	1.2	Apr 25, 2025, 14:44 UTC (UTC+00:00)	Current bundle	`a09fb6c2b22d…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
FireEye Maze May 2020

Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.
Open source URL
[2]
McAfee Maze March 2020

Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
Open source URL
[3]
Sophos Maze VM September 2020

Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
Open source URL
[4]
mitre-attack S0449
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams