
What is Maze Ransomware?


What is Maze Ransomware?

Maze is reported to have operated as an affiliate scheme: the developers share their earnings with several groups that deploy the ransomware across different victims' networks. A major concern with Maze is that its operators use the assets of one compromised organization to move laterally into other organizations' networks.

If the affected organization is an IT services provider, that single compromise can seed further attacks on the hundreds of customers that rely on those services.

Maze Ransomware is a strain of Windows ransomware that demands payment in cryptocurrency in exchange for the recovery of encrypted data. If a victim refuses to pay, the criminals publish the confidential data they exfiltrated before encrypting it. This "double extortion" model, which Maze helped popularize, is increasingly seen in newer ransomware families.

How does Maze Ransomware work?

Maze is typically distributed through spam emails carrying malicious links or attachments, brute-force attacks against internet-facing Remote Desktop Protocol (RDP) services, or exploit kits. In some cases the attack arrives through an organization's partners or clients who have themselves already been compromised.

Once the operators have access to a network, their next objective is to obtain elevated privileges so that encryption can be deployed across all drives. Because the operators also exfiltrate data to servers they control before encrypting, victims can be threatened with publication as well as with data loss.

Although data can be restored from a secure backup, provided the backup itself was not compromised, the attackers still hold a copy of that data. Maze is therefore best treated as a data breach combined with a ransomware attack.

Let’s review the techniques used by Maze Ransomware:

Initial Access

In most cases, Maze operators log in with valid credentials through internet-facing services, either RDP or a Citrix/VPN gateway. How the initial credentials were compromised is usually not known; the common routes are guessing weak passwords and spear-phishing with emails that carry malicious macros.

Reconnaissance

Once a machine in the network is compromised, the operators enumerate the environment: network configuration, open SMB shares, accounts, domain trusts, permissions, and other Active Directory attributes. The enumeration is often done with popular open-source tools such as BloodHound, AdFind, smbtools.exe, and PingCastle, as well as built-in Windows commands.

Lateral Movement/Credential Access

The operators may spend a few days gathering intelligence on the network before they start moving laterally. The easiest targets are credentials already present on the compromised machine.

They also search for files containing plaintext passwords. If none are found, they fall back to LLMNR/NBT-NS poisoning: by answering broadcast name lookups for hosts that do not exist, they get victims to authenticate to a machine they control, which yields NTLMv2 challenge-responses for offline cracking and/or NTLM relay attacks.

If none of these techniques work, the operators brute-force user and service accounts to find weak passwords. Once a credential is found to be valid, Windows management interfaces such as WinRM, SMB, and RDP are used to move laterally and execute code on remote machines.
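The LLMNR fallback above works because the protocol has no way for a requester to tell a legitimate answer from a spoofed one. The following is an added example, not code from the original post, that builds both sides of the exchange offline in the RFC 4795 wire format: the query a Windows host multicasts when DNS has no record, and the answer any machine on the same segment can send back. The hostname, transaction ID and addresses are made up, and no packets are sent.

```python
"""LLMNR query and spoofed answer, built and parsed in memory (RFC 4795 format)."""
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # multicast group/port Windows queries
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR = 0x8000                                  # flags bit 15: 0 = query, 1 = response


def _encode_name(name: str) -> bytes:
    """DNS-style labels: <len><label>...<len><label><0>."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("!B", len(lab)) + lab.encode("ascii") for lab in labels) + b"\x00"


def _decode_name(buf: bytes, off: int):
    """Decode labels at `off`; follows DNS compression pointers (0xC0xx) if present.
    Returns (name, offset just past the name in the original stream)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            end = off + 2 if end is None else end
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def build_query(txid: int, name: str) -> bytes:
    """Victim side: after DNS fails for `name`, Windows multicasts this to LLMNR_GROUP."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)       # query, QDCOUNT=1
    return header + _encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_spoofed_answer(query: bytes, answer_ip: str, ttl: int = 30) -> bytes:
    """Poisoner side: any host on the segment can echo the ID and name and claim
    the address. LLMNR carries no proof that the responder owns the name."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, off = _decode_name(query, 12)
    question = query[12:off + 4]                                # QNAME + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, FLAG_QR, 1, 1, 0, 0)  # response, 1 question, 1 answer
    rr = _encode_name(qname) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + rr


def parse_message(msg: bytes) -> dict:
    """Parse a query or response: header, question name and any A records."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = _decode_name(msg, 12)
    off += 4                                                    # skip QTYPE/QCLASS
    records = []
    for _ in range(an):
        name, off = _decode_name(msg, off)
        rtype, _rclass, rttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            records.append((name, socket.inet_ntoa(rdata), rttl))
    return {"txid": txid, "is_response": bool(flags & FLAG_QR), "question": qname, "records": records}


def requester_accepts(query: bytes, resp: bytes) -> bool:
    """All a requester can verify: QR set, matching transaction ID, matching name.
    The first responder that satisfies this wins, which is the whole weakness."""
    q, r = parse_message(query), parse_message(resp)
    return r["is_response"] and q["txid"] == r["txid"] and q["question"].lower() == r["question"].lower()


if __name__ == "__main__":
    # Constructed scenario: a user mistypes the file server name, DNS has no record,
    # the host falls back to LLMNR, and a box on the same VLAN answers first.
    query = build_query(0x1234, "fileserv01")            # real host is "fileserver01"
    spoofed = build_spoofed_answer(query, "10.10.5.99")  # attacker's address, made up
    print(parse_message(spoofed), requester_accepts(query, spoofed))
```

Having accepted the answer, Windows connects to the attacker's address and, for an SMB share, authenticates with NTLM, handing over the challenge-response the text mentions. The fix is not a smarter parser but switching the feature off: the Group Policy setting Computer Configuration > Administrative Templates > Network > DNS Client > "Turn off multicast name resolution" (registry value EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient) disables LLMNR, and NetBIOS over TCP/IP can be disabled per network adapter.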

Privilege Escalation

Privilege escalation proceeds by repetition: the attacker moves laterally to new machines, applies the same techniques there, harvests new credentials, and moves on again. The cycle ends once domain administrator credentials are obtained; at that point any machine in the domain can be compromised.

Persistence

The operators try to maintain a presence in the network for as long as possible by planting backdoors and alternative access paths, so that control can be regained if the intrusion is detected and cleaned up. Maze operators mainly harvest as many user credentials as possible and create new privileged accounts in the domain.
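Each phase above leaves a footprint in the Windows Security log, and the sequence is more telling than any single event. The following is an added example, not code from the original post or from any Maze analysis, that correlates constructed log events into the four phases: a brute-forced RDP logon from the internet (initial access), the enumeration tools named under Reconnaissance, one account logging on to many hosts over SMB/WinRM (lateral movement), and a newly created account dropped into Administrators (persistence). The events, hostnames, users and addresses are all made up, and the thresholds are assumptions to tune for a real environment.

```python
"""Correlate Windows Security events into Maze-style intrusion phases."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample telemetry: (timestamp, host, Security EventID, parsed fields).
# 4625 = failed logon, 4624 = successful logon (logon_type 10 = RDP, 3 = network/SMB/WinRM),
# 4688 = process creation, 4720 = user account created, 4732 = member added to local group.
EVENTS = [
    # Six failed RDP logons from one internet address, then a success: brute-forced credential.
    *[(f"2020-03-02T01:0{i}:00", "rdp-gw01", 4625, {"user": "jsmith", "src_ip": "203.0.113.77"}) for i in range(6)],
    ("2020-03-02T01:07:00", "rdp-gw01", 4624, {"user": "jsmith", "src_ip": "203.0.113.77", "logon_type": 10}),
    # Reconnaissance tooling run from the foothold.
    ("2020-03-02T02:15:00", "rdp-gw01", 4688, {"user": "jsmith", "cmdline": r"C:\Users\jsmith\AdFind.exe -f objectcategory=computer"}),
    ("2020-03-03T09:30:00", "rdp-gw01", 4688, {"user": "jsmith", "cmdline": "SharpHound.exe -c All"}),
    # One service account authenticating to many hosts over SMB/WinRM within minutes.
    ("2020-03-04T22:01:00", "fs01", 4624, {"user": "svc_backup", "src_ip": "10.10.5.21", "logon_type": 3}),
    ("2020-03-04T22:01:30", "hr-app02", 4624, {"user": "svc_backup", "src_ip": "10.10.5.21", "logon_type": 3}),
    ("2020-03-04T22:02:10", "dc01", 4624, {"user": "svc_backup", "src_ip": "10.10.5.21", "logon_type": 3}),
    ("2020-03-04T22:02:45", "sql01", 4624, {"user": "svc_backup", "src_ip": "10.10.5.21", "logon_type": 3}),
    # A new account is created and immediately added to Administrators.
    ("2020-03-05T03:10:00", "dc01", 4720, {"user": "svc_backup", "target_user": "sysadm2"}),
    ("2020-03-05T03:10:20", "dc01", 4732, {"user": "svc_backup", "target_user": "sysadm2", "group": "Administrators"}),
    # Benign noise: an internal help-desk RDP session.
    ("2020-03-05T08:00:00", "fs01", 4624, {"user": "helpdesk1", "src_ip": "10.10.1.5", "logon_type": 10}),
]

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RECON_TOOLS = ("adfind.exe", "sharphound", "bloodhound", "pingcastle", "smbtools.exe")
PRIV_GROUPS = {"administrators", "domain admins", "enterprise admins"}


def is_internal(ip: str) -> bool:
    """RFC 1918 check; anything else is treated as an internet source."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def detect_initial_access(events, min_failures=5):
    """RDP (type 10) logon that follows a burst of 4625 failures from the same source,
    or that comes from a non-RFC1918 address at all."""
    failures, findings = defaultdict(int), []
    for _ts, host, eid, f in events:
        src = f.get("src_ip")
        if eid == 4625 and src:
            failures[src] += 1
        elif eid == 4624 and f.get("logon_type") == 10 and src:
            external = not is_internal(src)
            if failures[src] >= min_failures or external:
                findings.append({"phase": "initial_access", "host": host, "user": f["user"],
                                 "src_ip": src, "failures_before": failures[src], "external": external})
    return findings


def detect_recon(events):
    """Process creation whose command line names one of the enumeration tools."""
    return [{"phase": "reconnaissance", "host": h, "user": f["user"], "cmdline": f["cmdline"]}
            for _ts, h, eid, f in events
            if eid == 4688 and any(t in f.get("cmdline", "").lower() for t in RECON_TOOLS)]


def detect_lateral_movement(events, min_hosts=3):
    """One account producing network (3) or RDP (10) logons on many distinct hosts.
    A production rule would also bound this by a time window."""
    hosts = defaultdict(set)
    for _ts, h, eid, f in events:
        if eid == 4624 and f.get("logon_type") in (3, 10):
            hosts[f["user"]].add(h)
    return [{"phase": "lateral_movement", "user": u, "hosts": sorted(hs)}
            for u, hs in hosts.items() if len(hs) >= min_hosts]


def detect_persistence(events):
    """Account created (4720) and later added to a privileged group (4732 local / 4728 global)."""
    created, findings = {}, []
    for _ts, h, eid, f in events:
        if eid == 4720:
            created[f["target_user"]] = f["user"]
        elif eid in (4732, 4728) and f.get("target_user") in created and f.get("group", "").lower() in PRIV_GROUPS:
            findings.append({"phase": "persistence", "host": h, "created_by": created[f["target_user"]],
                             "new_admin": f["target_user"], "group": f["group"]})
    return findings


def triage(events):
    """Run all four detections over a time-ordered event list."""
    return (detect_initial_access(events) + detect_recon(events)
            + detect_lateral_movement(events) + detect_persistence(events))


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The point of running the four rules together is the timeline they produce: a credential guessed on 2 March, enumeration within hours, spread to four hosts on 4 March, and a new administrator on the domain controller on 5 March. Any one of these alone is noise in a large estate; the chain, attributed to the same foothold and the same harvested account, is the window the text describes between initial access and encryption.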


Maze Ransomware Website

The Maze operators host a website where they list their victims (or "clients"). The site frequently publishes samples of stolen data, including the date a victim was hit and links to stolen documents that can be downloaded as a "trophy".

Ironically, the website carries the slogan "Keeping the world safe" and, more provocatively, includes social media sharing buttons for the details of each breach. If the ransom is not paid, the Maze website warns victims that they will:

The Root Cause

Most of the time, these malicious activities are carried out with valid user credentials acquired by various means. Maze operators look for passwords stored on local drives and, in some cases, compromise accounts with weak passwords by brute force and credential-scanning techniques.


Maze Ransomware Examples

Cognizant Maze Ransomware Attack

One of the most widely reported Maze attacks was the one that hit Cognizant in April 2020. Services to the Fortune 500 company's customers were disrupted as a result: the attack encrypted and disabled some internal systems and forced the company to take others offline.

The attack took place during the Covid-19 pandemic, when most staff were working remotely. The malware disrupted the systems supporting the company's virtual desktop infrastructure, making it difficult for employees to work; internal directories were deleted and email access was lost as well.

Cognizant estimated the revenue impact of the attack at between US$50 million and US$70 million in the following quarter, with further costs incurred for the full restoration of its systems.

City of Pensacola Maze Ransomware Attack

Pensacola, Florida was hit by Maze in December 2019. The group demanded a ransom of US$1,000,000 and claimed to have stolen more than 32 GB of data from the city's systems; as proof, they leaked 2 GB of it.

Xerox Maze Ransomware Attack

In July 2020, the Maze operators claimed to have breached Xerox and threatened to leak its data unless a ransom was paid. As proof, they posted a series of ten screenshots on their website indicating that they held data related to customer support operations.

Canon Maze Ransomware Attack

In August 2020, Canon fell victim to a Maze attack. Up to 10 TB of Canon data was reportedly exfiltrated, and around 25 Canon domains and several internal applications, including collaboration services and email, were affected.


Should you pay the ransom?

An important question is whether the ransom should be paid. The best advice is not to: paying funds and encourages further attacks, and it offers no guarantee that the stolen copy of the data will actually be deleted. The call is not easy when sensitive data is involved, not just the organization's own but also its clients' and partners'. Ultimately it is up to the organization to decide based on its circumstances.

Involving law enforcement in the investigation is always advised. It is also critical to understand the security weaknesses that made the attack possible in the first place, and to fix them to prevent a recurrence.

The FBI has recommended that organizations proactively create caches of dummy data; such decoy collections make it harder for attackers to tell which files are genuine during an intrusion.


Protection Against Maze Ransomware Attacks

Maze, like any other cyber threat, evolves. The best defense against an evolving threat is to take precautions proactively and have preventive measures in place; once data has been encrypted it is often too late to recover it.

Here are a few tips for preventing ransomware attacks:

1. Updating software and operating systems

Keeping software and operating systems updated is essential to protecting systems and networks from malware. Patches for operating systems, applications, browsers, and browser plugins should be applied as soon as they are released; this closes the vulnerabilities that cybercriminals exploit, including those used by the exploit kits that distribute Maze.

2. Using security software

Endpoint security software can block known ransomware droppers and malicious attachments before they execute. It is no substitute for the other controls here, however: Maze operators typically work interactively with valid credentials, built-in Windows commands and legitimate administration tools, which signature-based products will not flag.

3. Using VPN to access the network

Instead of exposing Remote Desktop Protocol (RDP) to the internet, put remote access behind a VPN. Since Maze operators also enter through Citrix and VPN gateways using stolen credentials, the VPN itself must be kept patched and protected with multi-factor authentication.

4. Backing up data

Regularly backing up data to an offsite, secure location is what makes restoration practical. Because the operators aim for domain administrator access before encrypting, at least one copy should be offline or otherwise immutable so that it cannot be deleted or encrypted along with the rest of the network. If manual backups prove unreliable, automate them. Backups should also be tested regularly to ensure that data is being saved correctly and can actually be restored.

5. Educating staff about cyber security risks

Organizations should ensure that staff are informed about the techniques attackers use to gain a foothold, in Maze's case spear-phishing emails with malicious macros. All employees should be trained on the following cyber security best practices:

Conclusion

In November 2020, the Maze group announced that it was ceasing operations and would no longer update its website. Victims who wanted their data removed could reach out through the support chat. The group claimed the whole operation had been an attempt to raise awareness of cyber security.

Regardless of whether they actually disbanded or simply went on to morph into another criminal group, ransomware will remain a threat, and all measures should be in place to prevent attacks.


The post What is Maze Ransomware? appeared first on Intellipaat Blog.
