Maze Ransomware

In late 2019 and early 2020 Maze ransomware surged in activity. But what is Maze, and how exactly do its operators attack?

Maze is a fairly recent development: it is an evolution of the “ChaCha” ransomware, but in addition to encrypting a victim's data it exfiltrates that data first. This gives the Maze operators a two-pronged attack, now commonly called double extortion: a victim who refuses to pay not only loses access to their data, but also sees it made public.

Having data made public can be a company's worst nightmare. It can be just as damaging as having the data encrypted, and it helps persuade the victim to pay the Maze group rather than face the consequences.

So how does this all happen?

Maze sticks to tried-and-tested distribution methods: the majority of attacks trace back to Word or Excel attachments delivered by spam email.

According to Securelist.com, the ransomware was initially distributed through the Fallout and Spelevo exploit kits. These malvertising-delivered exploit kits targeted vulnerabilities in Internet Explorer and Flash Player to drop the ransomware onto users' devices.

Once on a device, Maze encrypts all folders except for some system-critical ones, such as:

• %windir%
• %programdata%
• Program Files
• %appdata%\local

It then drops a ransom note named ‘DECRYPT-FILES.txt’ in each folder, telling the victim how to recover the files and which website to visit.

What probably surprises people is how sophisticated the Maze operators are, and their website proves it. On the site, victims are shown a timer counting down until the price to decrypt their files doubles, and there is a chat window where they can talk to the operators directly.

The site lets victims decrypt three test files to prove that recovery is possible, and it has detailed guides on how to buy bitcoin in order to pay the ransom. There is also a blog section that names victims who refused to pay, along with partial releases of the data stolen from them.

Using stolen data to blackmail victims in this way was a new tactic when Maze adopted it, and it has made their ruthless business model more lucrative.

SHA-256 hashes for Maze ransomware samples:

19aaa6c900a5642941d4ebc309433e783befa4cccd1a5af8c86f6e257bf0a72e

6878f7bd90434ac5a76ac2208a5198ce1a60ae20e8505fc110bd8e42b3657d13

9ad15385f04a6d8dd58b4390e32d876070e339eee6b8da586852d7467514d1b1

b950db9229db2f37a7eb5368308de3aafcea0fd217c614daedb7f334292d801e
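The two indicators this post gives, the dropped ‘DECRYPT-FILES.txt’ note and the sample hashes above, are what an incident responder would actually hunt for on a suspect host. The script below is an added example written for this post, not code from the original article or from any Maze analysis: it walks a directory tree, flags every directory containing the ransom note, streams each regular file through SHA-256 and compares the digest against the hash list. The demo tree it builds under a temporary directory is constructed sample data; the "maze_sample.exe" in it is a placeholder whose hash is added to the IOC set only so the demo has something to match, and is not a real Maze binary.

```python
"""Triage helper for a suspected Maze infection (added example, not the post's code).

Walks a tree and reports (1) directories holding the Maze ransom note and
(2) files whose SHA-256 matches a known Maze sample hash.
"""
import hashlib
import os
import tempfile

# SHA-256 hashes listed in the post.
MAZE_SHA256 = {
    "19aaa6c900a5642941d4ebc309433e783befa4cccd1a5af8c86f6e257bf0a72e",
    "6878f7bd90434ac5a76ac2208a5198ce1a60ae20e8505fc110bd8e42b3657d13",
    "9ad15385f04a6d8dd58b4390e32d876070e339eee6b8da586852d7467514d1b1",
    "b950db9229db2f37a7eb5368308de3aafcea0fd217c614daedb7f334292d801e",
}
# Ransom note file name described in the post.
RANSOM_NOTE = "DECRYPT-FILES.txt"


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, ioc_hashes=MAZE_SHA256, note_name=RANSOM_NOTE):
    """Return {'ransom_notes': [dir, ...], 'ioc_hits': [(path, sha256), ...]}.

    Lists are sorted so the output is deterministic between runs.
    """
    notes, hits = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        if note_name in filenames:
            notes.append(dirpath)
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Only hash regular files; symlinks and devices are not dropped samples.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            try:
                digest = sha256_of(full)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if digest in ioc_hashes:
                hits.append((full, digest))
    return {"ransom_notes": sorted(notes), "ioc_hits": sorted(hits)}


def build_demo_tree():
    """Create a constructed sample tree; return (root, hash of the placeholder sample)."""
    root = tempfile.mkdtemp(prefix="maze-demo-")
    hit_dir = os.path.join(root, "Users", "alice", "Documents")
    clean_dir = os.path.join(root, "Windows", "System32")
    sample_dir = os.path.join(root, "Users", "alice", "AppData", "Roaming")
    for d in (hit_dir, clean_dir, sample_dir):
        os.makedirs(d)
    with open(os.path.join(hit_dir, "report.docx"), "wb") as f:
        f.write(b"encrypted placeholder")                # constructed content
    with open(os.path.join(hit_dir, RANSOM_NOTE), "w") as f:
        f.write("Your files are encrypted...\n")         # constructed note text
    with open(os.path.join(clean_dir, "kernel32.dll"), "wb") as f:
        f.write(b"untouched system file")                # constructed content
    sample = os.path.join(sample_dir, "maze_sample.exe")
    with open(sample, "wb") as f:
        f.write(b"placeholder, not a real Maze sample")  # constructed content
    return root, sha256_of(sample)


def demo():
    """Build the demo tree and scan it with the post's IOCs plus the placeholder hash."""
    root, sample_hash = build_demo_tree()
    return scan_tree(root, MAZE_SHA256 | {sample_hash})


if __name__ == "__main__":
    result = demo()
    for d in result["ransom_notes"]:
        print("ransom note in:", d)
    for path, digest in result["ioc_hits"]:
        print("IOC hit:", path, digest)
```

On a real host, point scan_tree at the volume root and pass only MAZE_SHA256; the ransom-note hits tell you which folders were encrypted, and the hash hits tell you where the dropper landed. Hash matching is exact, so a repacked sample will not match; the note name is the more reliable of the two indicators.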

References:

https://blog.malwarebytes.com/threat-analysis/2019/01/improved-fallout-ek-comes-back-after-short-hiatus/
https://blog.malwarebytes.com/threat-analysis/2019/12/spelevo-exploit-kit-debuts-new-social-engineering-trick/
https://securelist.com/maze-ransomware/99137/
https://blog.malwarebytes.com/threat-spotlight/2020/05/maze-the-ransomware-that-introduced-an-extra-twist/
