What is Maze Ransomware?
This Windows ransomware has targeted many organizations worldwide
The Maze ransomware has targeted organizations globally and across many industries. Jerome Segura, a malware intelligence analyst at Malwarebytes, discovered the ransomware, previously known as ChaCha, in May 2019.
It was originally disseminated directly via exploit kits and spam campaigns through the later part of 2019. Maze was distributed to users in Italy on October 29, 2019 through emails impersonating the Italian Revenue Agency, according to a Proofpoint report.
It is a 32-bit binary, usually appearing as a .exe or .dll file. It is quite sophisticated and uses many obfuscation techniques to evade security tooling and hinder anti-malware researchers.
As with almost all ransomware, Maze’s goal is to encrypt files on a victim’s system and then demand a ransom to recover that data. However, an interesting feature of Maze is that the cyber criminals behind the ransomware threaten to expose the victim’s data online if they do not pay up.
Other ransomware families, such as Sodinokibi, Nemty, Clop, and more, have since copied this approach. While having backups protects your organization from grinding to a halt, it does not mitigate the risk of criminals holding a copy of your data.
It also creates backdoors to enable hackers behind the ransomware to have ongoing access to the system.
Sometimes the Maze infection is preceded by the installation of tools such as Cobalt Strike, delivered as an encoded payload. This acts as a beacon for carrying out post-exploitation actions.
How does the Maze ransomware spread?
Maze ransomware enters a victim’s machine via a phishing email, typically a spear-phishing email. This email comes with a malicious attachment, such as a macro-enabled Microsoft Word document or password-protected zip file.
The emails sent to victims used subject lines such as “Missed package delivery” and “Your AT&T wireless bill is ready to view.” The attached document carries an innocent title like “Quarterly Report” or “Confidential Data Set.” The documents’ malicious macros download exploit kits, such as Fallout and Spelevo.
Once the victim has opened the phishing email, the malware begins propagating on the victim’s system. At the same time, it spreads laterally throughout the network, attempting to gain higher privileges in order to infect more systems. It looks for vulnerabilities in the network and across Active Directory sites. The tools used in these stages include mimikatz, procdump, Cobalt Strike, Advanced IP Scanner, Bloodhound, PowerSploit, and others. It also carries out an internal survey to find more susceptible or misconfigured systems, such as those running RDP or file-sharing services.
It is at these stages that hackers attempt to find and extract valuable data stored on the servers and workstations in the compromised network. They use these extracted files as leverage when negotiating ransom payments.
While this is happening, the ransomware begins encrypting files on the local machine and cloud storage. The data is encrypted using ChaCha20 and RSA algorithms.
When running, Maze tries to figure out what kind of device it has infected, such as a backup server, domain controller, standalone server, and so on. It uses this information in its ransom note to panic victims into thinking the hackers know everything about their network.
It is at this point that Maze makes itself known by posting a ransom demand on infected machines. The note also spells out the hackers’ demands and methods of payment, which are usually in some form of cryptocurrency.
How does the Maze ransomware evade detection and analysis?
Maze ransomware has some features that prevent reverse engineering and static analysis. There are also features to help it evade common security techniques.
It uses dynamic API function imports, control flow obfuscation using conditional jumps, replacing RET with JMP dword ptr [esp-4], replacing CALL with PUSH + JMP, and several other techniques to hinder static analysis.
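As an added illustration (not code from the article or from any published Maze analysis), the Python below shows why the two substitutions named above preserve the original behaviour and how an analyst can flag and normalize them in a raw x86 code section. The text quotes only the indirect jump, so the `add esp, 4` that must precede it for the sequence to behave like RET is an assumption here, as is the constructed sample bytes.

```python
# Added example: static scanner for the RET and CALL substitutions described above.
# Opcode encodings are standard x86; the exact instruction mix in Maze is assumed.
import re
from typing import List, Tuple

# RET means "eip = [esp]; esp += 4". An indirect jump can only stand in for it if
# esp is adjusted first, so the sequence looked for is:
#   83 C4 04        add esp, 4
#   FF 64 24 FC     jmp dword ptr [esp-4]
FAKE_RET = bytes.fromhex("83c404ff6424fc")

# CALL rel32 means "push <address of next instruction>; jmp target". The
# substitute spells that out with a hand-written return address:
#   68 xx xx xx xx  push imm32
#   E9 xx xx xx xx  jmp rel32
FAKE_CALL = re.compile(rb"\x68(.{4})\xe9(.{4})", re.DOTALL)

def find_fake_rets(code: bytes) -> List[int]:
    """Offsets of every add esp,4 / jmp [esp-4] pair (each replaces one RET)."""
    return [m.start() for m in re.finditer(re.escape(FAKE_RET), code)]

def find_fake_calls(code: bytes, base: int = 0) -> List[Tuple[int, int, int]]:
    """(offset, pushed return address, jump target) for each push imm32 / jmp rel32 pair."""
    hits = []
    for m in FAKE_CALL.finditer(code):
        ret_addr = int.from_bytes(m.group(1), "little")
        rel = int.from_bytes(m.group(2), "little", signed=True)
        target = base + m.end() + rel  # rel32 is relative to the end of the jmp
        hits.append((m.start(), ret_addr, target))
    return hits

def normalize(code: bytes) -> bytes:
    """Rewrite the 7-byte RET substitute as C3 (ret) plus six NOPs so a
    disassembler recognizes function ends again; length is kept so offsets stay put."""
    return code.replace(FAKE_RET, b"\xc3" + b"\x90" * 6)

# Constructed sample (assumption): xor eax,eax ; obfuscated ret ; obfuscated call.
SAMPLE = bytes.fromhex(
    "31c0"             # xor eax, eax
    "83c404ff6424fc"   # add esp,4 ; jmp dword ptr [esp-4]   (== ret)
    "6800104000"       # push 0x401000                        (return address)
    "e900010000"       # jmp +0x100                           (== call)
)

if __name__ == "__main__":
    print("fake RETs at offsets:", find_fake_rets(SAMPLE))
    print("fake CALLs:", [(hex(o), hex(r), hex(t)) for o, r, t in find_fake_calls(SAMPLE, 0x401000)])
    print("normalized:", normalize(SAMPLE).hex())
```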
To thwart dynamic analysis, this Trojan will also terminate processes researchers normally use, such as procmon, procexp, ida, x32dbg, and others.
In September 2020, Maze adopted Ragnar Locker’s virtual machine technique to get around endpoint protection, according to Sophos. The ransomware payload was hidden inside an Oracle VirtualBox virtual machine to prevent detection.
Who has been hit by the Maze Ransomware?
Maze ransomware has hit hundreds of victims. These organizations have been primarily based in North America, although victims have been found in almost every part of the world.
The hackers behind Maze claimed responsibility for encrypting data from Pensacola, Florida and demanded a $1 million ransom for a decryptor, according to Forbes.
The gang posted other victims’ data on the internet and, at the time, threatened to dump all the data it had stolen from victims who did not pay the ransom.
In May 2021, a report by ThreatLabZ, Zscaler’s research team, found that Maze ransomware accounted for 273 attacks in 2020. It outpaced the Conti ransomware, which took second place with 190 attacks.
How is the Maze ransomware group structured?
The Maze ransomware gang operated both directly (infecting organizations and sending ransom demands itself) and through an affiliate arrangement that allowed independent hackers to use the ransomware for a share of the profits.
In June 2020, Maze partnered with LockBit and RagnarLocker to form a ransomware cartel. These groups publish data stolen in attacks on a blog operated by the Maze gang. Later, Conti and SunCrypt also joined the cartel.
According to Analyst1, the gangs making up the cartel originate from eastern Europe and primarily speak Russian, based on posts made to underground criminal forums. There are checks in the software to ensure that the payload does not execute on Russian victims.
Has the Maze ransomware shut down?
In November 2020, the Maze ransomware group made a rather blabbering statement replete with spelling errors that it was “officially closed.”
“We never had partners or official successors. Our specialists do not works with any other software. Nobody and never will be able to host new partners at our news website. The Maze cartel was never exists and is not existing now. It can be found only inside the heads of the journalists who wrote about it [sic],” a press statement read.
But as Maze closes, others take its place. According to a Sophos report in December 2020, Egregor emerged as Maze shut down. It also uses data stolen from victims to extort money, and it uses the same ChaCha and RSA encryption algorithms to encrypt victims’ files. Egregor’s code derives from a ransomware family known as Sekhmet, which some believe to be virtually the same code as Maze.
According to Bleeping Computer, many Maze affiliates have now switched over to distributing Egregor.
What precautions can you take to prevent a ransomware attack?
One of the best ways to protect individual and organizational data from ransomware attacks such as Maze is to avoid falling for phishing attacks. This means not clicking on links in emails from unknown senders and not opening their attachments.
Such emails should be reported to the organization’s IT team or to law enforcement. Users should also not enter sensitive information into pop-ups or non-organizational websites.
Organizations should keep operating systems and applications patched and up to date, disable macros in Office applications, and train all employees on cyber security best practices.