Coming back to your laptop only to find all your data encrypted and a defiant message on your screen demanding money in return is probably one of the scariest cyber-attack scenarios. If you are “lucky” enough to be targeted by cybercriminals, you might find out that Maze ransomware is even more frightening.
Ransomware, as we explain in our Cybersecurity Glossary, is a type of malware (malicious software) that encrypts all the data on a PC or mobile device and blocks the data owner’s access to it. Maze ransomware is an even more dangerous attack, because the criminals behind Maze also run a public website where they post the stolen data of victims who refuse to pay the extortion fee.
As the Federal Bureau of Investigation notes, “ransomware attacks are becoming more targeted, sophisticated, and costly […]”. Moreover, they have been a menace for a long time: ransomware first appeared in 1989, when it was delivered to systems via floppy disks. You can find more information about this type of attack here and, if you are curious, details about last year’s ransomware payouts here.
Maze ransomware in particular is so alarming because, even if you do manage to regain access to your essential information from backups, the criminals still hold a copy, which can turn into a massive GDPR issue. You might be facing a combination of a ransomware attack and a data breach. As the criminals state on their website, if the ransom is not paid, they will:
– inform the media and offer details about your security breach;
– sell the valuable stolen information on the dark market;
– inform the stock exchanges on which your company might be listed about the attack and the loss of sensitive information;
– inform your clients and partners that your company was attacked and use the stolen information to attack them as well.
How can Maze Ransomware infect your devices?
The first known Maze ransomware attacks took place in May 2019. The criminals initially distributed the ransomware via spam e-mail and exploit kits, but they now use a variety of tactics, techniques and procedures. They might even hire actors to analyse their next victim’s organisation and determine its annual revenue. The e-mails they sent carried “Missed package delivery” and “Your AT&T wireless bill is ready to view” in the subject line and were sent from several malicious domains with the registrant address [email protected].
Once the Maze operators find a gap in a network, their next step is to obtain elevated privileges, move laterally and then deploy file encryption across all drives, but not before exfiltrating the data they discover. The data is encrypted using the ChaCha20 and RSA algorithms. After all the targeted files are encrypted, the malware changes the desktop image to something like:
Source: PCrisk.com
PCrisk explains:
Exploit kits are tools used to initiate ‘exploits’ against vulnerable (usually outdated) software or to inject malicious code into vulnerable websites. Other ways to proliferate ransomware-type programs (and other malware) are via emails, Trojans, untrustworthy software download channels, software ‘cracking’ tools, and fake updaters. Emails/spam campaigns can be used to infect computers through files that are attached to email messages. Typically, cybercriminals attach Microsoft Office documents, archive files (ZIP, RAR), executable files (.exe and other files of this kind), PDF documents, JavaScript files, etc. Their main goal is to trick recipients into opening the attachments. If opened, they infect systems with malware. Another way to proliferate infections is via Trojans, which are malicious programs. If already installed, they open backdoors for other malware. In this way, they cause chain infections. Examples of untrustworthy download sources are file hosting, freeware download websites, Peer-to-Peer (P2P) networks such as torrent clients, eMule, and other similar channels/tools. Cybercriminals use them to upload malicious files that are disguised as legitimate or harmless. By downloading and opening/installing them, many people install malicious programs inadvertently. Software ‘cracking’ tools are used by people (illegally) to avoid having to pay for activation of licensed software. In fact, these tools often install malware rather than activating any installed software free of charge. Fake (unofficial) software updating tools cause damage by exploiting bugs/flaws of outdated software that is already installed on the system, or simply by installing malicious programs rather than updates.
After receiving the message notifying you that your files have been compromised, you will be told that you
[…] must pay the ransom through a website link, which can be opened with the Tor browser. Another way to make payment is to use another website (the link is also provided in the ransom message), which can be opened with any browser. In any case, it is made clear that victims cannot decrypt their files without the correct tool/key. The Tor website states that victims must pay $500 in Bitcoins using the BTC wallet address provided. It is mentioned that, unless victims pay the ransom within a particular time frame (a countdown timer is displayed at the top of the Tor web page), the size of the ransom is doubled. It is possible to decrypt three files free of charge through the same website. Generally, cybercriminals offer free decryption to ‘prove’ that they have tools/keys capable of decoding files.
Maze Ransomware Attack Examples
1. The Allied Universal Attack
No company is safe as long as the Maze group is out there. Allied Universal, a security staffing firm, learned this in November 2019. The Maze ransomware group published about 700 MB of stolen data after the ransom deadline it had set passed, and said this represented only 10% of what it had stolen.
2. The Hammersmith Medicines Research Attack
On 14 March 2020, the IT staff of Hammersmith Medicines Research discovered a severe attack. The company, which at that time was on standby to carry out trials of a possible future vaccine for the Covid-19 coronavirus and had previously carried out tests to develop the Ebola vaccine and drugs to treat Alzheimer’s disease, was one of the many victims of the Maze cybercriminals. The medical company refused to pay the ransom, and personal details of former patients were published, although only a few days earlier the Maze group had publicly promised not to attack medical research organisations during the coronavirus pandemic.
Source: ComputerWeekly.com
As for how the Maze group got into HMR, it appears that the company used a Fortinet VPN server that may have had a vulnerability.
3. The Xerox Attack
At the beginning of July this year, the Maze ransomware group claimed to have stolen more than 100 GB from Xerox, the printing giant. As crn.com reports, “the hackers appear to have stolen financial documents and databases possibly storing user information, according to SecurityWeek. The dates shown in the screenshots suggest that the ransomware started encrypting files on Xerox computers on June 24 […]”.
As Microsoft says,
So far the attacks have affected aid organisations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organisations should be vigilant for signs of compromise.
Maze Ransomware Precautions
The vigilance Microsoft mentions can, and should, take many forms:
1. Patch the OS and the software you use
The OS, security software (antivirus, firewall) and any other software (including Internet browsers) your company uses should always be updated and patched, since cybercriminals are eager to find software vulnerabilities to exploit to their advantage. Our X-Ploit Resilience technology can help you achieve compliance, mitigate exploits, close vulnerabilities, deploy updates, and install software anywhere in the world, according to any schedule. Our tool covers both Windows and third-party application management and includes customisable set-and-forget settings for automatic deployment of software and updates. To better understand the concept, you can read more on patch management here.
2. Manage users and their privileges
The potential impact of a successful ransomware attack against your company can be minimised by good account management, based on the principle of least privilege and the zero trust model. If you want to automate the process, you can try our Privileged Access Management tool. Thor AdminPrivilege™ will help your system admins approve or deny user requests from anywhere or set up an automated flow from the centralised dashboard, and all the activity will be logged for a full audit trail, so it will be crystal clear who did what and when.
When it comes to password management, you should set complex passwords and change them frequently, enable multi-factor authentication and generally avoid browsing or opening documents while logged in as an administrator.
3. Disable Microsoft Office macros
Macros are small programs that perform particular tasks and can run when a Word or Excel document is opened. Macros and editing mode should not be enabled by default when a document is opened, especially for documents received via e-mail. As mentioned above, the Maze group’s modus operandi has relied heavily on e-mail-based compromise, so it is a must to be extra careful.
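One way to enforce the macro and editing-mode defaults described above, as an added example that is not Heimdal’s own code: the Office policy registry keys below are read ahead of the Trust Center UI, so a standard user cannot re-enable macros from the application. It assumes Office 2016/2019/Microsoft 365 (version key 16.0); older builds use 15.0 or 14.0.

```powershell
# Added example (not Heimdal's code): enforce the Office macro and Protected
# View settings from the policy hive for the current user. Office reads these
# keys ahead of the Trust Center UI, so a user cannot re-enable macros there.
# Assumption: Office 2016/2019/Microsoft 365 (version key 16.0); adjust for
# older builds (15.0, 14.0). Deploying via GPO pushes the same values to HKCU.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $apps) {
    $securityKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    $pvKey       = "$securityKey\ProtectedView"
    foreach ($key in $securityKey, $pvKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    # VBAWarnings: 4 = disable all macros without notification. Use 3 (disable
    # all except digitally signed macros) where signed in-house macros are needed.
    New-ItemProperty -Path $securityKey -Name 'VBAWarnings' -PropertyType DWord -Value 4 -Force | Out-Null

    # Block macros in files that carry the Mark-of-the-Web (downloads and e-mail
    # attachments) regardless of the VBAWarnings level.
    New-ItemProperty -Path $securityKey -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null

    # Keep Protected View (read-only, no editing mode) for attachments, Internet
    # files and unsafe locations: 0 means "do not disable".
    foreach ($name in 'DisableAttachmentsInPV', 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV') {
        New-ItemProperty -Path $pvKey -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Read the values back so the change can be verified and logged.
foreach ($app in $apps) {
    $securityKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    Get-ItemProperty -Path $securityKey |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings, blockcontentexecutionfrominternet
}
```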
4. Keep your antivirus updated
It goes without saying that your company’s cybersecurity is not complete without an antivirus solution, which must always be kept up to date if you want to be protected. Our Thor Premium Enterprise is a multi-layered security suite that brings together threat hunting, prevention, and mitigation in one package, for the best endpoint protection. It combines the power of Thor Foresight and Thor Vigilance, so you will benefit from both revolutionary technologies like DarkLayer Guard, VectorN Detection and X-Ploit Resilience, plus a powerful firewall and process behaviour-based scanning.
5. Browse securely
To avoid becoming the next victim of Maze ransomware, always be careful when browsing. Keep your browser updated, block pop-up ads, avoid installing extensions you know little about, and verify that you are visiting legitimate websites by checking the address bar (HTTPS is secure, HTTP not so much). Also, if you or your employees rely on web applications, learn more about what this means in terms of cybersecurity.
6. Back up your files
Backups are crucial if you want to keep using your data after a Maze ransomware attack. You should enable automatic backups for your employees and protect them with unique, complex passwords. It is essential to use a combination of online and offline backups.
7. E-mail Security
Since Maze ransomware was first distributed via spam e-mails, it is obvious why you must be extra careful with every message you receive. Firstly, you should enable multi-factor authentication to make sure that all logins are legitimate, and set password expiration dates. Secondly, you should never open attachments or follow links received from unknown, unexpected or unwanted sources. You should also consider an e-mail protection solution, like our MailSentry E-mail Security.
8. Train your employees
Technology can help, but people are the ones who use it, for good or for bad – that’s why it’s so important that your employees know what’s safe and what’s not in terms of cybersecurity. User awareness is one of the most reliable methods to prevent an attack, so make sure you take the time to educate your employees and advise them to report to the security teams as soon as they notice something unusual.
9. Check for unusual behaviours
Checking for unusual behaviours and alerts should become a priority for any company. Microsoft advises paying attention to:
– Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities.
– Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials.
– Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data.
10. Investigate affected endpoints and credentials
If any of your endpoints were affected, identify all the credentials used on them and assume that all of them were available to and compromised by the attackers. You should check the Windows Event Log for post-compromise logons.
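The checks in points 9 and 10 above, as an added example that is neither Heimdal’s nor Microsoft’s own code: it pulls log-clearing events, remote logons to review as post-compromise access, and LSASS process access from a suspect endpoint’s event logs. It assumes an elevated session, that `$Since` marks the start of the suspected compromise window, and, for the LSASS check only, that Sysmon is installed and logging to its default channel.

```powershell
# Added example, not Heimdal's or Microsoft's own code: collect three of the
# signals listed above from a suspect endpoint's event logs. Run elevated.
# Assumptions: $Since marks the start of the suspected compromise window;
# the LSASS check needs Sysmon logging to its default channel.
param([datetime]$Since = (Get-Date).AddDays(-7))

function Get-EventField($Event, [string]$Name) {
    # Event data fields are only reachable through the record's XML payload.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Log tampering: Security log cleared (1102) or System log cleared (104).
$cleared = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $Since } -ErrorAction SilentlyContinue
)
"Log-clearing events since ${Since}: $($cleared.Count)"
$cleared | Select-Object TimeCreated, Id, @{ n = 'By'; e = { $_.UserId } }

# 2. Post-compromise logons: successful logons (4624) of type 3 (network) or
#    10 (RDP), grouped by account and source address. Machine accounts (ending
#    in '$') are dropped to cut noise; every remaining pair is a credential to
#    treat as exposed.
$remoteLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = Get-EventField $_ 'TargetUserName'
            LogonType = [int](Get-EventField $_ 'LogonType')
            Source    = Get-EventField $_ 'IpAddress'
        }
    } |
    Where-Object { ($_.LogonType -in 3, 10) -and ($_.User -notlike '*$') }
$remoteLogons | Group-Object User, Source | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'First'; e = { ($_.Group | Sort-Object Time)[0].Time } }

# 3. Suspicious LSASS access: Sysmon event 10 (process access) targeting lsass.exe.
$lsass = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetImage') -like '*\lsass.exe' } |
    ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Source = Get-EventField $_ 'SourceImage' } }
$lsass | Group-Object Source | Select-Object Count, Name
```

Every account and source address the second query returns should be treated as compromised and reset, as point 10 advises; an empty result for the first query is only meaningful if the logs were not already cleared before `$Since`.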
Should you pay the ransom if all these precautions ever fail and you become a victim of maze ransomware?
Although this decision is entirely up to you, we would not recommend it. As the FBI says,
In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key.
Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.
Regardless of whether you or your organisation have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable […], and prevent future attacks.
Moreover, bear in mind that, even if you do pay the ransom, the security issues that allowed cybercriminals access to your company are still there and you still have to fix them. It’s better to adopt a prevention attitude from the start.
Also, please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it.