What is Maze ransomware?
This Windows ransomware has targeted many organisations worldwide
Maze ransomware is a file-encrypting malware that has targeted a number of organisations across industries on a global scale, after first being discovered in May 2019 by a malware intelligence analyst at Malwarebytes.
In the majority of cases, the malware gained access to the organisation’s sensitive information through phishing emails carrying a zipped attachment, usually resembling an .exe file or similar, and given a name that sounds important and seemingly innocent, such as ‘Quarterly Report’.
Security systems often found it difficult to detect the malware delivered this way, either because they did not have the password needed to open the file or because zipped files aren’t usually scanned.
Once inside, the Maze ransomware scans for ways to access additional drives to achieve its goal: to steal data, encrypt files across the network, and then demand a ransom to release them again.
Unlike other ransomware variants, Maze is depicted as particularly dangerous because its creators then threaten to release the stolen data on their own website if the ransom isn’t paid, listing their victims as “clients” in an act of mockery.
Maze has also been known to team up with other malicious groups, and it has been noted that their method of publishing stolen information - where ransoms haven’t been met - has been copied by others.
On top of this, once the victim’s system has been accessed, the Maze operators have maintained that access, enabling repeated exploitation as and when they see the need.
How does Maze ransomware spread?
Maze ransomware enters the victim’s machine with a spear-phishing email containing a malicious macro-enabled Microsoft Word document or password-protected zip file.
The emails sent to victims had “Missed package delivery” and “Your AT&T wireless bill is ready to view” in the subject line. The document carries an innocent title like “Confidential Data Set.” The documents’ malicious macros download exploit kits, such as Fallout and Spelevo.
Once the victim has opened the phishing email, the ransomware begins propagating in the victim’s system. At the same time, it spreads laterally throughout the network, attempting to gain higher privileges to infect more systems. It looks for vulnerabilities in the network and across Active Directory sites. The tools used in these stages include mimikatz, procdump, Cobalt Strike, Advanced IP Scanner, Bloodhound, PowerSploit, and others. It also carries out an internal survey to find more susceptible or misconfigured systems that run either RDP or file-sharing services.
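A mail gateway cannot open a password-protected zip, but it can still read the archive's metadata. The following is an added example, not taken from the article: it flags entries marked as encrypted and entries with executable or macro-enabled extensions. The function names and the extension list are assumptions, and the sample archives are constructed in memory.

```python
import io
import posixpath
import zipfile

# Extensions treated as executable or macro-capable (assumed, tune per site).
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm"}


def triage_zip(data: bytes) -> dict:
    """Inspect zip metadata only; no password or extraction is needed."""
    findings = {"encrypted": [], "risky_names": [], "verdict": "allow"}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["verdict"] = "quarantine"  # unparseable archive: fail closed
        return findings
    with archive:
        for info in archive.infolist():
            # Bit 0 of the general purpose flag marks an encrypted entry.
            # With ordinary zip encryption the entry names remain readable.
            if info.flag_bits & 0x1:
                findings["encrypted"].append(info.filename)
            ext = posixpath.splitext(info.filename)[1].lower()
            if ext in RISKY_EXT:
                findings["risky_names"].append(info.filename)
    if findings["encrypted"] or findings["risky_names"]:
        findings["verdict"] = "quarantine"
    return findings


def build_sample(name: str, encrypted: bool) -> bytes:
    """Constructed sample: a one-entry zip, optionally marked as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"constructed placeholder content")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Set flag bit 0 in the local header (offset 6) and the central
        # directory header (offset 8) to mimic a password-protected entry.
        raw[raw.find(b"PK\x03\x04") + 6] |= 0x01
        raw[raw.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)
```

Quarantining on the encrypted flag alone routes the message to manual review instead of delivering content the scanner could not inspect.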
It is at these stages that hackers attempt to find and extract valuable data stored on the servers and workstations in the compromised network. They use these extracted files as leverage when negotiating ransom payments.
While this is happening, the ransomware begins encrypting files on the local machine and cloud storage. The data is encrypted using ChaCha20 and RSA algorithms.
When running, Maze tries to figure out what kind of device it has infected, such as a backup server, domain controller, standalone server, and so on. It uses this information in its ransom note to panic victims into thinking the hackers know everything about their network.
It is at this point that Maze makes itself known by posting a ransom demand on infected machines. This also spells out the hackers' demands and methods of payment, which are usually in some form of cryptocurrency.
How does Maze ransomware evade detection and analysis?
Maze ransomware has some features that prevent reverse engineering and static analysis. There are also features to help it evade common security techniques.
It uses dynamic API function imports, control flow obfuscation using conditional jumps, replacing RET with JMP dword ptr [esp-4], replacing CALL with PUSH + JMP, and several other techniques to hinder static analysis.
To thwart dynamic analysis, this Trojan will also terminate processes researchers normally use, such as procmon, procexp, ida, x32dbg, and others.
In September 2020, Maze adopted Ragnar Locker's virtual machine technique to get around endpoint protection, according to Sophos. The ransomware payload was hidden inside an Oracle VirtualBox virtual machine to prevent detection.
Who has been hit by Maze Ransomware?
Maze ransomware has hit hundreds of victims. These organisations have been primarily based in North America, although victims covered almost every part of the world.
The hackers behind Maze claimed responsibility for encrypting data from Pensacola, Florida and demanded a $1 million ransom for a decryptor, according to Forbes.
Other victims have had their data posted on the internet by the gang, which at the time threatened to dump all the data it had stolen from victims who did not pay the ransom.
In May 2021, a report by ThreatLabZ, ZScaler's research team, found that Maze ransomware accounted for 273 attacks in 2020. It outpaced the Conti ransomware, which took second place with 190 attacks.
How is the Maze ransomware group structured?
The Maze ransomware gang operated both directly (it infected organisations and sent ransom demands) and through an affiliate arrangement that allowed independent hackers to use the ransomware for a share of the profits.
In June 2020, Maze partnered with LockBit and RagnarLocker to form a ransomware cartel. These groups publish data stolen in attacks on a blog operated by the Maze gang. Later, Conti and SunCrypt also joined the cartel.
According to Analyst1, the gangs making up the cartel originate from eastern Europe and primarily speak Russian, based on posts made to underground criminal forums. There are checks in the software to ensure that the payload does not execute on Russian victims.
Has Maze ransomware shut down?
In November 2020, the Maze ransomware group issued a rambling statement, replete with spelling errors, saying that it was “officially closed.”
“We never had partners or official successors. Our specialists do not works with any other software. Nobody and never will be able to host new partners at our news website. The Maze cartel was never exists and is not existing now. It can be found only inside the heads of the journalists who wrote about it [sic],” a press statement read.
But as Maze closes, others take its place. According to a Sophos report in December 2020, Egregor emerged as Maze shut down. It also uses data stolen from victims to extort money, and it uses the same ChaCha and RSA encryption algorithms to encrypt victims’ files. However, Egregor’s code derives from a ransomware family known as Sekhmet, which some believe to be virtually the same code as Maze.
According to Bleeping Computer, many Maze affiliates have now switched over to distributing Egregor.
What precautions can you take to prevent a ransomware attack?
One of the best ways to protect individual and organisation data from ransomware attacks such as Maze is to avoid phishing attacks. This means not clicking on links or opening attachments in emails from unknown senders.
These emails should then be reported to IT teams within an organisation or to law enforcement. Users should also not enter sensitive information in pop-ups or on non-organisational websites.
Organisations should also keep OS and applications patched and up to date. Macros in Office applications should also be disabled. Organisations should also train all employees on cyber security best practices.