In late 2019 and early 2020, Maze Ransomware started its surge in attacks, but what is Maze ransomware, and how exactly do its operators attack?
Maze Ransomware is a fairly recent development: it is an evolution of the “ChaCha” ransomware, but it also exfiltrates the data as well as encrypting it. By exfiltrating the data, the Maze Ransomware operators mount a two-pronged attack, pressuring the victim to pay: otherwise their data will not only be inaccessible to them, but will also be made public.
Data being made public can be a company's worst nightmare. It can be just as damaging as having the data encrypted, and it helps persuade the ransomware victim to pay the Maze ransomware group rather than face the dire consequences.
So how does this all happen?
Maze is sticking to the tried and tested methods of distributing ransomware, with the majority of attacks being traced back to file attachments (Word/Excel) in email spam.
According to Securelist.com, the ransomware was initially distributed using the Fallout EK and Spelevo EK exploit kits to infect victims. These malvertising exploit kits targeted vulnerabilities in Internet Explorer and Flash to deploy the ransomware onto users' devices.
Once on your device, Maze encrypts all folders with the exception of some system-critical folders such as:
• Program Files
It then leaves a file called ‘DECRYPT-FILES.txt’ in each folder, detailing how to decrypt the folder and which website to visit.
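A triage sweep for the behaviour just described, added here as an example and not part of the original post: it walks a directory tree, records every folder where the DECRYPT-FILES.txt note was dropped, and flags the sibling files whose leading bytes have ciphertext-like entropy, giving a defender a quick map of the blast radius. The entropy threshold, the sample size and the constructed sample tree are assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

NOTE_NAME = "DECRYPT-FILES.txt"   # ransom-note filename described in the post
ENTROPY_THRESHOLD = 7.5           # assumed cut-off: ciphertext approaches 8 bits/byte
SAMPLE_BYTES = 64 * 1024          # only the head of each file is read

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_tree(root) -> dict:
    """Map each folder (relative to root) holding a ransom note to its encrypted-looking files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAME not in files:
            continue  # no note here: the folder was not touched by the encryptor
        flagged = []
        for name in files:
            if name == NOTE_NAME:
                continue
            try:
                with open(Path(dirpath) / name, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if shannon_entropy(head) > ENTROPY_THRESHOLD:
                flagged.append(name)
        hits[os.path.relpath(dirpath, root)] = sorted(flagged)
    return hits

def demo() -> dict:
    """Constructed sample tree: one folder with a note and a ciphertext-like file, one untouched."""
    with tempfile.TemporaryDirectory() as base:
        hit, clean = Path(base) / "Documents", Path(base) / "Program Files"
        hit.mkdir()
        clean.mkdir()
        (hit / NOTE_NAME).write_text("constructed stand-in for the ransom note\n")
        (hit / "report.docx.locked").write_bytes(os.urandom(4096))  # mimics ciphertext
        (hit / "readme.txt").write_text("plain text is left alone\n" * 40)
        (clean / "app.dll").write_bytes(b"MZ" + b"\x00" * 2048)  # excluded folder, no note
        return triage_tree(base)
```

Calling `demo()` returns `{"Documents": ["report.docx.locked"]}`: only the folder containing the note is reported, and only its high-entropy file is flagged; point `triage_tree` at a real share to run the same sweep.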
What is probably surprising to many people is that the Maze Ransomware operators are actually very sophisticated, and their website proves this. On the website, users are given a timer, a countdown until the price to decrypt their files doubles, and there is also a chat window where users can converse with the operators.
The website lets users decrypt 3 test files to prove that it can be done, and has detailed guides on the ways victims can buy bitcoin in order to pay the ransom; there is also a section of the website which blogs about victims who refused to pay the ransom, along with partial releases of the information the operators collected.
This was a new method at the time: Maze started using this material to blackmail and force victims to pay, essentially making their ruthless business model more lucrative.
SHA 256 hashes for Maze Ransomware: