The recent spread of ransomware has kickstarted many companies into reevaluating their current cybersecurity maturity. It has come to be generally accepted that appropriate investment in offline backups will render most ransomware attacks ineffective. The victim may still spend time and money investigating how the infection started, if and what data was exfiltrated, and how to prevent a future incident, but in the end, access to the data is not lost.
Criminals have realized that for their malware campaigns to remain effective in today's cyber landscape, they must constantly evolve their tactics and techniques. New techniques include a data exfiltration step as part of the ransomware infection. If the ransom is not paid, the attackers threaten to release the victim’s data onto the public internet. While variants of ransomware have made these threats in the past, a new ransomware known as Maze has become the first to actually publish data from alleged victims.
The Origins of Maze
The Fallout exploit kit first appeared for sale in September 2018, with a good deal of interest from the cybercrime community. An exploit kit is a way to automatically and silently exploit a victim's computer, and is often placed within a compromised website. When a user visits the site, the kit scans for any vulnerable browser-based applications that it can exploit. If the system is patched, it may attempt a social engineering attack on the user. Maze infected its first victim in October of 2019, having been spread by the Fallout exploit kit, hacked RDP connections, and phishing campaigns impersonating government employees.
The original Fallout Exploit Kit thread. There were over 125 replies of interested buyers.
How Maze Works
After gaining access to the machine, the attackers export any data they want and drop the ransomware portable executable on the computer. Following data exfiltration, the ransomware executable first deletes any backups that are stored on the computer and then encrypts all files with the ChaCha algorithm. Finally, it re-encrypts the ChaCha keys with RSA-2048, and appends each file with a random extension. A simple text file named “DECRYPT-FILES.txt” providing instructions for contacting the Maze organization is placed in each of the directories. This sequence of operations renders the data impossible to decrypt without paying the attacker.
Minutes after the portable executable runs, the user’s desktop background is changed with an explanation of what happened.
The ransom note that is dropped in all the user directories.
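As an added example (not code from this post or from Schneider Downs), a small Python triage script that walks a directory tree for the two artifacts described above: the DECRYPT-FILES.txt note dropped in each directory, and files whose contents are high-entropy (as ChaCha ciphertext is) and whose extension is not on an allow-list, which is how a file renamed with a random extension shows up. The allow-list, the entropy threshold and the sample tree are assumptions constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "DECRYPT-FILES.txt"  # note filename reported in the post
ENTROPY_THRESHOLD = 7.5            # bits per byte; ciphertext approaches 8.0 (assumed cutoff)
# Assumed allow-list of extensions normally seen on user documents.
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".exe", ".dll"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """Unknown extension plus high entropy in the first bytes suggests a renamed, encrypted file."""
    with open(path, "rb") as f:
        sample = f.read(sample_size)
    return path.suffix.lower() not in KNOWN_EXTENSIONS and shannon_entropy(sample) >= ENTROPY_THRESHOLD


def scan_tree(root: Path) -> dict:
    """Return paths of ransom notes and of files that look encrypted under root."""
    findings = {"ransom_notes": [], "suspect_files": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE:
                findings["ransom_notes"].append(str(p))
            elif p.is_file() and looks_encrypted(p):
                findings["suspect_files"].append(str(p))
    return findings


def build_sample_tree() -> Path:
    """Constructed sample: one clean document, one full-entropy file with a random extension, one note."""
    root = Path(tempfile.mkdtemp(prefix="maze_demo_"))
    (root / "report.docx").write_bytes(b"quarterly revenue statement " * 200)
    (root / "report.docx.a1B2c").write_bytes(bytes(range(256)) * 16)  # stands in for ciphertext
    (root / RANSOM_NOTE).write_text("constructed placeholder note\n")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"ransom notes: {len(result['ransom_notes'])}, suspect files: {len(result['suspect_files'])}")
```

Run it against a user's home directory or a file share to get a first list of affected paths before pulling full IOC-based detections.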
Each victim is given a URL with a unique path that corresponds to the victim. The website contains five different tabs.
A live chat to negotiate with the criminals.
The site allows for three image files to be decrypted.
Exchanges where the victim can purchase bitcoins.
Links to news articles about the ransomware.
Impact of Maze
Maze is unique in following through with the public announcement of companies that have not paid the ransom. As of January 27, more than twenty-five companies have been named as not paying. The operators of Maze have also listed the date the ransomware attack occurred, IPs/names of the locked computers, and several files for proof such as revenue statements, account balances, service agreements, etc. None of the ten companies have made a public statement declaring a breach.
The Maze shaming website.
Schneider Downs recommends that all organizations doing business with any of the listed companies perform a risk assessment to determine if the breach could impact their own operations.
A proof file containing a list of deposits.
Nondisclosure of a data breach involving personally identifiable information (PII) can result in lawsuits, fines, and even jail time for American companies and their Boards. For countries that fall under GDPR, fines can exceed 20 million Euros. Although paying the ransom may reduce the likelihood of Maze releasing stolen data publicly, most privacy regulations still require organizations to disclose the breach of PII by a criminal organization. There is currently no indication that Maze has stolen PII from any of its alleged victims.
Detecting Maze
The following indicators of compromise (IOCs) can be used to detect activity related to the presence of Maze malware.
The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We’re an authorized reseller of both Mimecast® and Carbon Black and offer comprehensive Digital Forensics and Incident Response services. For more information, visit www.schneiderdowns.com/cybersecurity or contact us at [email protected].