Maze is a file-encrypting virus and also a successor to ChaCha.


It uses a sophisticated combination of RSA and ChaCha20 ciphers to lock up data and appends a string of 4-7 random characters at the end of each file. It also uses a marker within its structure: 0x66116166.



Maze is known to be distributed with the help of a fake Abra site that hosts the Mobile Bitcoin Wallet app under the same name. Visitors who try to download the application end up being redirected to the Fallout exploit kit, which, under certain conditions, implants the malware's payload without any user interaction.


After encrypting files, the Maze virus drops a ransom note, DECRYPT-FILES.html, which asks victims to pay a ransom in BTC and contact the bad actors via email. Additionally, the malware alters the desktop background, displaying another message from the hackers. The latest variant of Maze shows a different wallpaper based on computer type (for example, home computer, backup server, server in corporate network, primary domain controller, etc.), which essentially changes the decryptor price.

While Maze was spotted being distributed with the help of the Fallout exploit kit, that does not mean that hackers do not employ other tactics, such as:

  • Spam emails;
  • Unprotected RDP;
  • Fake updates;
  • Pirated software and its cracks;
  • Torrent sites;
  • Web injects, etc.

Once the payload of Maze is populated, it will contact 2 domains and 15 hosts, alter the Windows registry, delete Shadow Volume snapshots to complicate the recovery process, and perform other malicious tasks required for its operation.

After establishing itself and locking the files, Maze will display the following note: 

Attention! Your documents, photos, databases, and other important files have been encrypted!

The only way to decrypt your files, is to buy the private key from us.
You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.
In order to receive the private key contact us via email:
Remember to hurry up, as your email address may not be avaliable for very long.
Buying the key immediatly will guarantee that 100% of your files will be restored.
Below you will see a big base64 blob, you will need to email us and copy this blob to us.
you can click on it, and it will be copied into the clipboard.
If you have troubles copying it, just send us the file you are currently reading, as an attachment.

At the bottom of the note, victims can locate a Base64 string that includes information such as the user's login name, Windows version, other technical data, and a private key. All this information is allegedly required by the cybercriminals in order to decrypt files locked by Maze ransomware.
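The file-level traits described above (the DECRYPT-FILES.html note, the 0x66116166 marker and the random 4-7 character string) can be checked on a copy of an affected disk. The following triage script is an added example, not code from the original page. It assumes that the marker is written into encrypted files near their end in either byte order and that the random string is an extra file-name extension; the sample files in `demo()` are constructed.

```python
import os
import re
import tempfile

MARKER = 0x66116166               # marker value quoted on the page
NOTE_NAME = "DECRYPT-FILES.html"  # ransom note name quoted on the page
# Assumptions (not on the page): byte order unknown, marker within the last
# 4 KiB, and the random 4-7 characters form an extra file-name extension.
MARKER_BYTES = (MARKER.to_bytes(4, "little"), MARKER.to_bytes(4, "big"))
SUFFIX_RE = re.compile(r".+\.[^.]+\.[A-Za-z0-9]{4,7}$")

def has_marker(path, tail=4096):
    """True if the marker occurs in the last `tail` bytes of the file."""
    with open(path, "rb") as fh:
        fh.seek(max(0, os.path.getsize(path) - tail))
        data = fh.read()
    return any(m in data for m in MARKER_BYTES)

def triage(root):
    """Return (ransom_notes, [(marked_file, suffix_matches), ...]) under root."""
    notes, marked = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                if name.lower() == NOTE_NAME.lower():
                    notes.append(rel)
                elif has_marker(path):
                    marked.append((rel, bool(SUFFIX_RE.match(name))))
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
    return notes, marked

def demo():
    """Run triage over constructed sample files (no real malware data)."""
    samples = {
        "report.docx.a1B2c": b"\x00" * 64 + MARKER_BYTES[0] + b"\x01" * 8,
        "notes.txt": b"plain text, no marker",
        NOTE_NAME: b"<html>constructed placeholder</html>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

Run `triage()` against a read-only mount or forensic copy rather than the live system, and treat a marker hit without a matching suffix as a lead to verify, not a confirmed encrypted file.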
