I. Targeted Industries
- General Businesses
- Government Agencies
- Higher Education
Maze Ransomware, also known as ChaCha Ransomware, was discovered on May 29, 2019, and has since caused serious damage to businesses. Maze belongs to a newer class of ransomware that steals data before encrypting it and then demands a ransom, threatening to publish the stolen data on the internet if the victim does not pay. Backups therefore do not remove the risk: an organization that restores its data from backup still faces the possibility of a public leak. The operators run a website that names uncooperative victims and publishes samples of their stolen data.
III. Background Information
The Maze group initially gained access to victims using exploit kits such as Fallout and Spelevo. The group also uses phishing emails that impersonate government agencies, and takes advantage of weak remote desktop credentials. Once inside, the attackers move laterally through the network, relying on obfuscation techniques built into their tooling to avoid detection while they steal further credentials and files and work toward administrative control. Data is exfiltrated to the attackers' servers and held for ransom before encryption begins, so victims that do not cooperate also face a data breach. This distinguishes Maze from simpler ransomware: the victim risks both losing important data and having that data sold on the dark web.
Maze is also the work of skilled developers. According to McAfee, the code is built to resist reverse engineering, which makes static analysis by security researchers more difficult. Rather than storing process names in clear text, the malware carries a hashed list of the names of processes it will terminate. The list covers behavioral-analysis tools, and it also includes processes that would otherwise block encryption, which are killed so that encryption succeeds.
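The hashed kill list described above is a common trick for keeping tool names out of the strings of a binary. The following added example (written for this page, not code from Maze or from McAfee) shows how an analyst recovers such a list once the hash routine has been identified: hash a wordlist of candidate process names with the same routine and match the results against the extracted values. CRC32 of the lower-cased name is an assumed routine for the demonstration, and the kill-list values are constructed; the real sample's routine and hashes must come from disassembly.

```python
"""Recovering a hashed process kill list (added example; not Maze's own code).

Maze keeps the names of the processes it terminates as hashes, so the
strings never appear in the binary.  Once the hash routine has been located
in the disassembly, an analyst rebuilds the list by hashing candidate names
and matching.  CRC32 of the lower-cased name is an assumed routine here;
the real sample's routine and hash values must come from the binary.
"""
import zlib


def name_hash(name: str) -> int:
    # Assumed routine: CRC32 over the lower-cased UTF-8 process name.
    return zlib.crc32(name.lower().encode("utf-8"))


# Candidate names an analyst would try: analysis tools, plus services that
# hold files open and would block encryption if left running.
CANDIDATES = [
    "procmon.exe", "procexp.exe", "x64dbg.exe", "ollydbg.exe", "ida64.exe",
    "wireshark.exe", "fiddler.exe", "sqlservr.exe", "outlook.exe",
    "winword.exe", "excel.exe", "vssvc.exe",
]

# Constructed kill list standing in for values extracted from a sample.
# Three entries are derived from CANDIDATES so the example resolves offline;
# the last is an arbitrary value that no candidate explains.
KILL_LIST = [name_hash(n) for n in ("procmon.exe", "x64dbg.exe", "sqlservr.exe")] + [0xDEADBEEF]


def resolve(kill_list, candidates):
    """Map each hash in kill_list to the candidate name producing it, or None."""
    table = {}
    for n in candidates:
        h = name_hash(n)
        if h in table and table[h] != n:
            # Two candidates hashing alike would make the result ambiguous.
            raise ValueError(f"hash collision between {table[h]} and {n}")
        table[h] = n
    return {h: table.get(h) for h in kill_list}


def unresolved(kill_list, candidates):
    """Hashes no candidate explains; these need a larger wordlist."""
    return [h for h, n in resolve(kill_list, candidates).items() if n is None]


if __name__ == "__main__":
    for h, n in resolve(KILL_LIST, CANDIDATES).items():
        print(f"{h:08x} -> {n or '?'}")
```

Any hash left unresolved after a broad wordlist (process names from clean Windows installs, EDR and backup products, database servers) is worth reporting as-is in the analysis, since it may name a tool the operators specifically target.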
Once running, Maze writes a ransom note to a root folder on the infected machine to tell the user that the ransomware has been installed, and then enumerates folders and files to encrypt. The note directs the victim to a website that states the ransom amount and how to pay it. The amount depends on the number and type of systems encrypted, and the operators state that they gather enough information to determine the role of each infected system.
For an in-depth analysis of the Maze malware, see recommended article: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/#_ftnref2
IV. Protection against Ransomware
- Closely Monitor Remote Access Infrastructure
Investigate unusual activity in event logs immediately, in particular failed and unexpected remote logons. If compromise is suspected, reset the passwords of all accounts that could have been exposed.
- Turn on Attack Surface Reduction Rules
Enable the rules that block credential theft from the local security authority subsystem (LSASS) and the rules that target ransomware behavior.
- Turn off RDP
Disable RDP on systems that do not need it, and do not expose it directly to the internet where it is needed.
- Patch Regularly
Apply updates consistently and patch known vulnerabilities; the exploit kits used for initial access depend on unpatched software.
- Scheduled Backups
Back up data regularly and keep a copy offline or otherwise out of reach of the production network. Backups protect against loss of data, not against its publication.
- Password Management
Implement password management processes, including strong, unique passwords for remote access accounts.
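The first recommendation above, monitoring remote access infrastructure, is the one most directly tied to the weak-RDP-credential access path described in the background section. The following added example (written for this page, not from the advisory or any vendor product) runs a simple detection over Windows Security log events: it flags bursts of failed logons against one account from one source, a successful RDP logon that follows such a burst, and a successful RDP logon from an address outside the organization's ranges. The event field names, thresholds and internal address ranges are assumptions, and the sample events are constructed.

```python
"""RDP logon monitoring (added example; not from the advisory or a vendor tool).

Flags password guessing against RDP (bursts of failed logons) and successful
RDP logons that follow such a burst or come from an external address.  Field
names, thresholds and INTERNAL_NETS are assumptions for the demonstration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # failures per (source, account) inside WINDOW
WINDOW = timedelta(minutes=10)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]   # assumed corporate ranges

# Constructed sample events.  EventID 4625 = failed logon, 4624 = successful
# logon; LogonType 10 = RemoteInteractive (RDP).  With Network Level
# Authentication enabled, a failed RDP attempt is usually recorded as
# LogonType 3, so failures of type 3 are counted as well.
SAMPLE_EVENTS = [
    {"time": "2020-04-17T02:14:01", "id": 4625, "type": 3, "user": "svc_backup", "src": "203.0.113.45"},
    {"time": "2020-04-17T02:14:09", "id": 4625, "type": 3, "user": "svc_backup", "src": "203.0.113.45"},
    {"time": "2020-04-17T02:14:18", "id": 4625, "type": 3, "user": "svc_backup", "src": "203.0.113.45"},
    {"time": "2020-04-17T02:14:27", "id": 4625, "type": 3, "user": "svc_backup", "src": "203.0.113.45"},
    {"time": "2020-04-17T02:14:40", "id": 4625, "type": 3, "user": "svc_backup", "src": "203.0.113.45"},
    {"time": "2020-04-17T02:15:10", "id": 4624, "type": 10, "user": "svc_backup", "src": "203.0.113.45"},
    {"time": "2020-04-17T08:30:00", "id": 4624, "type": 10, "user": "jdoe", "src": "10.20.30.40"},
    {"time": "2020-04-17T23:05:00", "id": 4624, "type": 10, "user": "administrator", "src": "198.51.100.7"},
]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_rdp_alerts(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (alert_type, src, user, time) tuples in time order."""
    alerts = []
    failures = defaultdict(list)   # (src, user) -> timestamps of recent failures
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        key = (e["src"], e["user"])
        if e["id"] == 4625 and e["type"] in (3, 10):
            recent = [x for x in failures[key] if t - x <= window] + [t]
            failures[key] = recent
            if len(recent) == threshold:       # fire once per burst
                alerts.append(("rdp_password_guessing", e["src"], e["user"], e["time"]))
        elif e["id"] == 4624 and e["type"] == 10:
            recent = [x for x in failures[key] if t - x <= window]
            if len(recent) >= threshold:
                alerts.append(("rdp_logon_after_guessing", e["src"], e["user"], e["time"]))
            elif not is_internal(e["src"]):
                alerts.append(("rdp_logon_from_external", e["src"], e["user"], e["time"]))
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_alerts(SAMPLE_EVENTS):
        print(*alert)
```

The "logon after guessing" case is the one to act on first: it is the point at which a weak credential has been confirmed and a password reset for that account, and a review of what the session did, are due. The external-logon rule assumes RDP is reachable only from known ranges; if a VPN terminates outside those ranges, add its address pool to INTERNAL_NETS or the rule will produce constant noise.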
Further information on dealing with ransomware can be found at: https://www.us-cert.gov/Ransomware
V. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory Report. Watch for these IOCs, as well as anything similar to them.
Ahaskar, Abhijit. "Why Organisations Should Be Wary of Maze Ransomware?" Livemint, April 20, 2020. https://www.livemint.com/news/india/why-organisations-should-be-wary-maze-ransomware-11587373713276.html
BluVector. "Maze Ransomware Ups the Stakes in Data Exfiltration Release." BluVector, April 21, 2020. https://www.bluvector.io/threat-report-maze-ransomware/
Nichols, Shaun. "Bad News: Cognizant Hit by Ransomware Gang. Worse: It's Maze, Which Leaks Victims' Data Online after Non-Payment." The Register, April 21, 2020. https://www.theregister.co.uk/2020/04/21/cognizant_maze_malware/
Novinson, Michael. "Cognizant Breach: 10 Things To Know About Maze Ransomware Attacks." CRN, April 20, 2020. https://www.crn.com/slide-shows/security/cognizant-breach-10-things-to-know-about-maze-ransomware-attacks
O'Donnell, Lindsey. "Maze Ransomware Attack Hits Cognizant." Threatpost, April 20, 2020. https://threatpost.com/maze-ransomware-cognizant/154957/
"Ransomware Maze." McAfee Blogs, March 26, 2020. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/