Life of Maze ransomware | Securelist


Over the past year, Maze ransomware has become one of the most notorious malware families threatening businesses and large organizations. Dozens of organizations have fallen victim to this vile malware, including LG, Southwire, and the City of Pensacola.

The history of this ransomware began in the first half of 2019, and back then it didn't have any distinct branding – the ransom note included the title "0010 System Failure 0010", and it was referenced by researchers simply as 'ChaCha ransomware'.

Ransom note of an early version of Maze/ChaCha ransomware

Shortly afterwards, new versions of this Trojan started calling themselves Maze and using a relevantly named website for the victims instead of the generic email address shown in the screenshot above.

Website used by a recent version of Maze ransomware

Infection scenarios

Mass campaigns

The distribution tactic of the Maze ransomware initially involved infections via exploit kits (specifically, Fallout EK and Spelevo EK), as well as via spam with malicious attachments. Below is an example of one of these malicious spam messages containing an MS Word document with a macro that is intended to download the Maze ransomware payload.

If the recipient opens the attached document, they will be prompted to enable editing mode and then enable the content. If they fall for it, the malicious macro contained inside the document will execute, which in turn will result in the victim's PC being infected with Maze ransomware.

Tailored approach

In addition to these typical infection vectors, the threat actors behind Maze ransomware started targeting corporations and municipal organizations in order to maximize the amount of money extorted.

The initial compromise mechanism and subsequent tactics vary. Some incidents involved spear-phishing campaigns that installed Cobalt Strike RAT, while in other cases the network breach was the result of exploiting a vulnerable internet-facing service (e.g. Citrix ADC/Netscaler or Pulse Secure VPN). Weak RDP credentials on machines accessible from the internet also pose a threat, as the operators of Maze may use this flaw as well.

Privilege escalation, reconnaissance and lateral movement tactics also tend to vary from case to case. During these stages, the use of the following tools has been observed: mimikatz, procdump, Cobalt Strike, Advanced IP Scanner, Bloodhound, PowerSploit, and others.

During these intermediate stages, the threat actors attempt to identify valuable data stored on the servers and workstations within the compromised network. They will then exfiltrate the victim's confidential files in order to leverage them when negotiating the size of the ransom.

At the final stage of the intrusion, the malicious operators will install the Maze ransomware executable onto all the machines they can access. This results in the encryption of the victim's valuable data and finalizes the attack.

Data leaks/doxing

Maze ransomware was one of the first ransomware families that threatened to leak the victims' confidential data if they refused to cooperate.

In fact, this made Maze something of a trendsetter, because this approach turned out to be so lucrative for the criminals that it has now become standard for several notorious ransomware gangs, including REvil/Sodinokibi, DoppelPaymer, JSWorm/Nemty/Nefilim, RagnarLocker, and Snatch.

The authors of the Maze ransomware maintain a website where they list their recent victims and publish a partial or full dump of the documents they have managed to exfiltrate following a network compromise.

Website with leaked data published by Maze operators

Ransomware cartel

In June 2020, the criminals behind Maze teamed up with two other threat actor groups, LockBit and RagnarLocker, essentially forming a 'ransomware cartel'. The data stolen by these groups now gets published on the blog maintained by the Maze operators.

It wasn't just the hosting of exfiltrated documents where the criminals pooled their efforts – apparently they are also sharing their expertise. Maze now uses execution techniques that were previously only used by RagnarLocker.

Brief technical overview

The Maze ransomware is typically distributed as a PE binary (EXE or DLL depending on the specific scenario) which is developed in C/C++ and obfuscated by a custom protector. It employs various tricks to hinder static analysis, including dynamic API function imports, control flow obfuscation using conditional jumps, replacing RET with JMP dword ptr [esp-4], replacing CALL with PUSH + JMP, and several other techniques.

To counter dynamic analysis, this Trojan will also terminate processes typically used by researchers, e.g. procmon, procexp, ida, x32dbg, etc.
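Two of the behaviours described above are good triage signals on endpoint telemetry: the hands-on-keyboard tooling seen before the ransomware is deployed (mimikatz, procdump, Advanced IP Scanner, Bloodhound, PowerSploit) and the Trojan killing analysis tools (procmon, procexp, ida, x32dbg). The following is an added example, not code from the article or from Kaspersky; the Sysmon-style process-creation lines, the host names and the log format are constructed for the example, and SharpHound (Bloodhound's collector) is added to the tool list as an assumption.

```python
"""Triage filter over constructed process-creation log lines (added example)."""
import re
from collections import defaultdict

# Tool names from the article, matched case-insensitively against image name
# and command line. "sharphound" is an assumption (Bloodhound's collector binary).
RECON_TOOLS = ("mimikatz", "procdump", "advanced_ip_scanner", "bloodhound",
               "sharphound", "powersploit")
# Analysis tools the Trojan terminates; matched as a prefix of the process name.
ANALYSIS_TOOLS = ("procmon", "procexp", "ida", "x32dbg", "x64dbg")

# Constructed log format: host=<name> image=<path> cmd="<command line>"
LINE_RE = re.compile(r'host=(?P<host>\S+) image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"')


def classify(line: str):
    """Return (host, tag) for a suspicious line, or None if nothing matched."""
    m = LINE_RE.search(line)
    if not m:
        return None
    host = m.group("host")
    image, cmd = m.group("image").lower(), m.group("cmd").lower()
    exe = image.rsplit("\\", 1)[-1]
    # (1) offensive tooling executing anywhere in the estate
    if any(t in exe or t in cmd for t in RECON_TOOLS):
        return host, "recon_tool:" + exe
    # (2) taskkill aimed at analysis tools: the anti-analysis step described above
    if exe == "taskkill.exe":
        targets = re.findall(r"/im\s+(\S+)", cmd)
        hit = [t for t in targets
               if any(t.split(".")[0].startswith(a) for a in ANALYSIS_TOOLS)]
        if hit:
            return host, "kills_analysis_tools:" + ",".join(hit)
    return None


def triage(lines):
    """Group hits per host so an analyst sees the sequence on one machine."""
    hits = defaultdict(list)
    for line in lines:
        result = classify(line)
        if result:
            hits[result[0]].append(result[1])
    return dict(hits)


SAMPLE = [  # constructed sample telemetry, not real IoCs
    r'host=WS-017 image=C:\Windows\System32\notepad.exe cmd="notepad.exe report.txt"',
    r'host=WS-017 image=C:\Temp\procdump64.exe cmd="procdump64.exe -ma 1234 c:\temp\p.dmp"',
    r'host=WS-017 image=C:\Temp\adv\advanced_ip_scanner.exe cmd="advanced_ip_scanner.exe /portable"',
    r'host=SRV-DC1 image=C:\Windows\System32\taskkill.exe cmd="taskkill.exe /F /IM procmon.exe /IM x32dbg.exe"',
    r'host=SRV-DC1 image=C:\Windows\System32\taskkill.exe cmd="taskkill.exe /F /IM chrome.exe"',
]

if __name__ == "__main__":
    for host, tags in triage(SAMPLE).items():
        print(host, tags)
```

Running it on the sample lines yields two recon-tool hits on WS-017 and one analysis-tool kill on SRV-DC1, while the benign notepad and chrome lines are ignored.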

The cryptographic scheme used by Maze consists of several levels:

  • To encrypt the content of the victim's files, the Trojan securely generates unique keys and nonce values to use with the ChaCha stream cipher;
  • The ChaCha keys and nonce values are encrypted by a session public RSA-2048 key which is generated when the malware is launched;
  • The session private RSA-2048 key is encrypted by the master public RSA-2048 key hardcoded in the Trojan's body.

This scheme is a variation of a more or less typical approach used by developers of modern ransomware. It allows the operators to keep their master private RSA key secret when selling decryptors for each individual victim, and it also ensures that a decryptor purchased by one victim won't help others.

When executing on a machine, Maze ransomware will also attempt to determine what kind of PC it has infected. It tries to distinguish between different types of system ('backup server', 'domain controller', 'standalone server', etc.). Using this information in the ransom note, the Trojan aims to further scare the victims into thinking that the criminals know everything about the affected network.

Strings that Maze uses to generate the ransom note

Fragment of the procedure that generates the ransom note

How to avoid and prevent

Ransomware is evolving day by day, meaning a reactive approach to avoiding and preventing infection is not worthwhile. The best defense against ransomware is proactive prevention, because it is often too late to recover data once it has been encrypted.

There are a number of recommendations that may help prevent attacks like these:

  1. Keep your OS and applications patched and up to date.
  2. Train all employees on cybersecurity best practices.
  3. Only use secure technology for remote connection to a company's local network.
  4. Use endpoint protection with behavior detection and automatic file rollback, such as Kaspersky Endpoint Security for Business.
  5. Use the latest threat intelligence information to detect an attack quickly, understand what countermeasures are useful, and prevent it from spreading.


Kaspersky products protect against this ransomware, detecting it as Trojan-Ransom.Win32.Maze; it is blocked by Behavior-based Protection as PDM:Trojan.Win32.Generic.

We safeguard our customers with the best Ransomware Protection technologies.

TIP Cloud Sandbox report summary and execution map with mapping on the MITRE ATT&CK Framework
