Maze Ransomware

The recent spread of ransomware has kickstarted many companies into reevaluating their current cybersecurity maturity. It has come to be generally accepted that appropriate investment in offline backups will render most ransomware attacks ineffective. The victim may still spend time and money investigating how the infection started, if and what data was exfiltrated, and how to prevent a future incident, but in the end, access to the data is not lost.

Criminals have realized that for their malware campaigns to remain effective in today's cyber landscape, they must constantly evolve their tactics and techniques. New techniques include a data exfiltration step as part of the ransomware infection. If the ransom is not paid, the attackers threaten to release the victim’s data onto the public internet. While variants of ransomware have made these threats in the past, a new ransomware known as Maze has become the first to actually publish data from alleged victims.

The Origins of Maze

The Fallout exploit kit first appeared for sale in September 2018, with a good deal of interest from the cyber crime community. An exploit kit is a way to automatically and silently exploit a victim's computer, and is often placed within a compromised website. When a user visits the site, the kit scans for any vulnerable browser-based applications that it can exploit. If the system is patched, it may attempt a social engineering attack on the user. Maze infected its first victim in October of 2019, having been spread by the Fallout exploit kit, hacked RDP connections, and phishing campaigns impersonating government employees.

The original Fallout Exploit Kit thread. There were over 125 replies of interested buyers.

How Maze Works

After gaining access to the machine, the attackers export any data they want and drop the ransomware portable executable on the computer. Following data exfiltration, the ransomware executable first deletes any backups that are stored on the computer and then encrypts all files with the ChaCha algorithm. Finally, it re-encrypts the ChaCha keys with RSA-2048, and appends each file with a random extension. A simple text file named “DECRYPT-FILES.txt” providing instructions for contacting the Maze organization is placed in each of the directories. This sequence of operations renders the data impossible to decrypt without paying the attacker.

Minutes after the portable executable runs, the user’s desktop background is changed with an explanation of what happened.

The ransom note that is dropped in all the user directories.

Each user is given a url with a unique path that corresponds to the victim. The website contains five different tabs.

A live chat to negotiate with the criminals.

The site allows for three image files to be decrypted.

Exchanges where the victim can purchase bitcoins.

Links to news articles about the ransomware.

Impact of Maze

Maze is unique in following through with the public announcement of companies that have not paid the ransom. As of Janurary 27, more than twenty five companies have been named as not paying. The operators of Maze have also listed the date the ransomware attack occured, IPs/names of the locked computers, and several files for proof such as revenue statements, account balances, service agreements, etc. None of the ten companies have made a public statement declaring a breach.

The Maze shaming website.

Schneider Downs recommends that all organizations doing business with any of the listed companies perform a risk assessment to determine if the breach could impact their own operations.

A proof file containing a list of deposits.

Nondisclosure of a data breach involving personally identifiable information (PII) can result in lawsuits, fines, and even jail time for American companies and their Boards. For countries that fall under GDPR, fines can exceed 20 million Euros. Although pay the ransom may reduce the likelihood of Maze releasing stolen data publicly, most privacy regulations still require organizations disclose the breach of PII by a criminal organization. There is currently no indication that Maze has stolen PII from any of its alleged victims.

Detecting Maze

The following indicators of compromise (IOCs) can be used to detect activity related to the precense of Maze malware.

File Characteristics:

  • SHA256 - 91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1
  • SHA1 - 49cdc85728bf604a50f838f7ae941977852cc7a2
  • MD5 - 8205a1106ae91d0b0705992d61e84ab2

Connections (All Russian Servers):

  • 91.218.114.4
  • 91.218.114.26
  • 91.218.114.11
  • 91.218.114.31
  • 91.218.114.25
  • 91.218.114.37
  • 91.218.114.32
  • 91.218.114.38
  • 91.218.114.79
  • 91.218.114.77

Registry Edits:

  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftTracing1473359_RASMANCS
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftTracing1473359_RASAPI32
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsConnections
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMap
  • HKEY_CURRENT_USERSoftwareMicrosoftSpeechCurrentUserLexicon
  • HKEY_CURRENT_USERSoftwareMicrosoftSpeechPhoneConverters
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionShell ExtensionsCached
  • HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionTaskManager

How Can Schneider Downs Help?

The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We’re an authorized reseller of both Mimecast® and Carbon Black and offer comprehensive Digital Forensics and Incident Response services. For more information, visit www.schneiderdowns.com/cybersecurity or contact us at cybersecurity@schneiderdowns.com.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on

Facial Recognition - Future of Law Enforcement or More of the Same?
Impersonation Attacks Targeting Microsoft Teams
ProLock Ransomware Attacks Overview and Mitigation Strategies
Introducing the Schneider Downs Cybersecurity Newsletter
Ohio Unemployment Fraud Reporting Site under Attack
Stopping Ransomware Cold: Lessons from the Front Lines

Register to receive our weekly newsletter with our most recent columns and insights.

Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us

contact us

Map of Pittsburgh Office
Pittsburgh

One PPG Place, Suite 1700
Pittsburgh, PA 15222

contactsd@schneiderdowns.com
p:412.261.3644     f:412.261.4876

Map of Columbus Office
Columbus

65 East State Street, Suite 2000
Columbus, OH 43215

contactsd@schneiderdowns.com
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102