Maze is ransomware: malware that encrypts the victim's files and offers to restore the data in exchange for a ransom payment. One of the most distinctive features of Maze is that it was one of the first malware families of its kind to publicly release stolen data.

Type: Ransomware
Origin: Unknown
First seen: 29 May, 2019
Last seen: 8 August, 2020
Also known as: ChaCha
Global rank: 38
Week rank: 19
Month rank: 21
IOCs: 89

What is Maze Ransomware?

Maze, also called ChaCha, is ransomware: a malicious program that encrypts the victim's files and demands a ransom in exchange for the decryption key that restores them. A defining feature of Maze is that its operators publicly release sensitive files unless the ransom is paid.

Maze ransomware has been active since 2019 and, unfortunately, its attack volume has risen steadily since then.

General description of Maze Ransomware

Threatening to make sensitive data public unless the victim gives in to the criminals' demands is not a new strategy among ransomware operators. Before Maze, however, most of these threats went unfulfilled: they served as a psychological weapon that helped threat actors strong-arm victims into paying.

However, the situation changed drastically with Maze.

In November 2019, the group behind Maze infiltrated Allied Universal, one of the leading private security companies in the US. The gang claimed to have gained complete control of the Allied network and threatened to make the data public unless the company paid.

Allied Universal ignored the demands. In response, the Maze operators first contacted a well-known computer help site and asked it to publish a story about the attack as a public warning. When the site declined, the gang uploaded 700 MB of sensitive information to an underground forum. The data included lists of active users, email certificates, encryption keys, and more.

In another Maze attack, 2 GB of files belonging to the City of Pensacola were made public. The attack severely damaged Pensacola's computer network and forced the city to shut it down temporarily. Regarding the leak, the Maze actors stated that the information was published as proof of how deeply they had penetrated the network.

This is an important point about Maze. Since Maze appeared, ransomware attacks should be treated as data breaches, because more and more ransomware strains now infiltrate networks and exfiltrate data before encrypting files.

Furthermore, in the case of Maze even backups are not safe; sometimes they become a weak point. The Maze operators revealed that after infecting the initial endpoint they spread laterally through the network, steal the credentials they need and target cloud backups. This benefits the attackers in two ways: the backup can be deleted before encryption begins, and it most likely holds the most valuable data.

Unfortunately, this tactic has proved effective: at least one company fell victim to it and lost its backups. An incident like this can only happen if the backup credentials are stored on the compromised network, so correct backup configuration, with credentials that cannot be harvested from production hosts, is extremely important.

It should also be noted that Maze uses several advanced code obfuscation techniques that make static analysis very complicated. The threat actors behind Maze evidently keep track of security researchers' progress on their malware: they contact cybersecurity media, like to tease industry professionals, and play cat and mouse with them.

Maze malware analysis

The video recorded in the ANY.RUN interactive malware hunting service shows how the execution of Maze ransomware unfolds.

Figure 1: Process graph created by the ANY.RUN interactive malware analysis service

Figure 2: Wallpaper with the ransom message set by Maze

Maze Ransomware execution process

The execution process of Maze is fairly typical for this type of malware. Once the executable reaches the system and runs, the main malicious activity begins: the ransomware first deletes shadow copies, and after it has encrypted all targeted files it drops a ransom note on the desktop. It also often changes the wallpaper to its own image containing the ransom text.
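The shadow-copy deletion step is the earliest host-side signal in the sequence above and is worth alerting on before encryption starts. The following Python is an added example, not code from this page or from ANY.RUN: it runs a small set of detection rules over process-creation events. The event lines are constructed (loosely modelled on Sysmon Event ID 1 fields), and the command lines are the generic shadow-copy deletion and recovery-inhibition commands used across many ransomware families; the page does not state which of them this sample uses.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in a simplified key=value form.
# Not real telemetry from a Maze infection; the parent process name
# "invoice.exe" is a hypothetical dropper.
SAMPLE_EVENTS = [
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\victim\notes.txt"',
    r'ParentImage=C:\Users\victim\Downloads\invoice.exe Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"',
    r'ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic.exe shadowcopy delete"',
    r'ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe list shadows"',
    r'ParentImage=C:\Users\victim\Downloads\invoice.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    r'ParentImage=C:\Users\victim\Downloads\invoice.exe Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit.exe /set {default} recoveryenabled no"',
]

# Generic "inhibit system recovery" command lines. "vssadmin list shadows"
# is deliberately not covered: listing is routine admin activity.
RULES = [
    ("vssadmin-delete-shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic-shadowcopy-delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wmi-shadowcopy-delete-method", re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I)),
    ("bcdedit-disable-recovery", re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I)),
    ("wbadmin-delete-catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

# Parents under C:\Windows are typically admin shells; anything else
# (user profile, temp, downloads) raises confidence that this is malware.
TRUSTED_PARENT_PREFIX = "c:\\windows\\"

# Matches key=value pairs where the value is either quoted or has no spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    rule: str
    parent_image: str
    image: str
    command_line: str
    parent_in_user_path: bool


def parse_event(line: str) -> dict:
    """Split a key=value event line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def find_shadow_copy_deletion(lines):
    """Return one Alert per event whose command line matches a recovery-inhibition rule."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        for rule, pattern in RULES:
            if pattern.search(cmd):
                parent = event.get("ParentImage", "")
                alerts.append(Alert(
                    rule=rule,
                    parent_image=parent,
                    image=event.get("Image", ""),
                    command_line=cmd,
                    parent_in_user_path=not parent.lower().startswith(TRUSTED_PARENT_PREFIX),
                ))
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for alert in find_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{alert.rule}] parent={alert.parent_image} "
              f"user_path_parent={alert.parent_in_user_path} cmd={alert.command_line!r}")
```

Running the block flags four of the six constructed events; the benign notepad launch and the `vssadmin list shadows` query pass. The parent-path flag is the field worth keying response on: shadow-copy deletion spawned from a binary in a user-writable directory is far more likely to be the ransomware itself than an administrator cleaning up disk space.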

Notably, this family's infrastructure resembles that of Sodinokibi (REvil): websites with "tech support", information about cryptocurrency and how to buy it, trial decryption, and a chat. The Maze operators are also rather brazen and post links to reports about their successful attacks on their website.

Maze Ransomware distribution

Maze is distributed in several ways. It has been delivered by the Spelevo and Fallout exploit kits; one of the vulnerabilities used is CVE-2018-15982 in Adobe Flash Player. In the Fallout campaign, users were redirected to the exploit from a fake cryptocurrency trading platform.

Another observed attack vector is via email spam campaigns containing a Microsoft Office document with a malicious macro.

How to detect Maze ransomware?

Maze can be detected by several different activities: it creates certain files, and its network activity can be matched by Suricata rules. The most common indicator is the Maze ransom note. Not only does it resemble notes seen in other analysis tasks, it also contains self-identifying strings: "maze ransomware", "mazedecrypt" and "maze key".

Analysts can inspect these notes with ANY.RUN's Static Discovering feature. Open the "Files modification" tab, find the file with a name such as "DECRYPT-FILES.txt", and click it to view its contents.

If you find word combinations such as "maze ransomware", "mazedecrypt" and "maze key", you can be confident the sample is Maze ransomware.
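The same check can be applied offline to files recovered from a host or pulled out of a sandbox report. The following Python is an added example, not code from this page or from ANY.RUN: it decodes a candidate ransom note, looks for the three marker strings above and the "DECRYPT-FILES.txt" file name, and returns a verdict. The note texts are constructed for the example and are not real Maze notes; the "suspicious" tier and the decoding rules are this example's own choices, not something the page describes.

```python
import re
from pathlib import PureWindowsPath

# Marker strings the page identifies in Maze ransom notes (matched case-insensitively).
MAZE_MARKERS = ("maze ransomware", "mazedecrypt", "maze key")

# Ransom note file name the page mentions.
MAZE_NOTE_NAMES = {"decrypt-files.txt"}

# Constructed sample inputs (not real ransom notes).
CONSTRUCTED_MAZE_NOTE = (
    b"Attention! Your files have been encrypted by Maze Ransomware.\r\n"
    b"To recover them you need the MazeDecrypt service.\r\n"
    b"Your personal Maze key will be provided after payment.\r\n"
)
CONSTRUCTED_BENIGN_TEXT = b"Thanks for installing the tool. See docs for a key to the config format.\n"
# Some notes are written as UTF-16 with a byte-order mark; the line break inside
# the phrase checks that whitespace normalisation still lets the marker match.
CONSTRUCTED_UTF16_NOTE = "Contact the mazedecrypt support\r\nfor your maze\r\nkey".encode("utf-16")


def decode_note(data: bytes) -> str:
    """Decode note bytes: UTF-16 if a BOM is present, else UTF-8, else Latin-1 (never raises)."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="replace")
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return data.decode("latin-1")


def find_markers(text: str):
    """Return the Maze marker strings present in the text, in MAZE_MARKERS order."""
    # Collapse all whitespace so a marker split across a line break still matches.
    normalised = re.sub(r"\s+", " ", text.lower())
    return [marker for marker in MAZE_MARKERS if marker in normalised]


def classify_note(path: str, data: bytes) -> dict:
    """Classify a candidate ransom note by file name and marker strings."""
    # PureWindowsPath handles both backslash and slash separators on any host.
    name_match = PureWindowsPath(path).name.lower() in MAZE_NOTE_NAMES
    markers = find_markers(decode_note(data))

    if len(markers) >= 2 or (markers and name_match):
        verdict = "maze"
    elif markers or name_match:
        verdict = "suspicious"   # one weak signal: worth a look, not a conviction
    else:
        verdict = "no-match"

    return {"path": path, "name_match": name_match, "markers": markers, "verdict": verdict}


if __name__ == "__main__":
    samples = [
        (r"C:\Users\victim\Desktop\DECRYPT-FILES.txt", CONSTRUCTED_MAZE_NOTE),
        (r"C:\Users\victim\Desktop\README.txt", CONSTRUCTED_BENIGN_TEXT),
        (r"C:\Users\victim\Documents\DECRYPT-FILES.txt", CONSTRUCTED_UTF16_NOTE),
        (r"C:\Users\victim\Documents\DECRYPT-FILES.txt", b"nothing here"),
    ]
    for path, data in samples:
        result = classify_note(path, data)
        print(f"{result['verdict']:<10} markers={result['markers']} name_match={result['name_match']} {path}")
```

Two markers, or one marker in a file with the expected name, produce a "maze" verdict; the file name alone or a single marker alone is only "suspicious", which avoids calling every text file named DECRYPT-FILES.txt a Maze sample. Whitespace is normalised before matching so a note wrapped or re-encoded by a sandbox still triggers on "maze key".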

Figure 3: Detecting Maze ransomware by its ransom note

Conclusion

Maze ransomware is a significant threat to organizations and private users. It not only encrypts information but also strong-arms victims into paying by threatening to release sensitive data. Unfortunately, Maze started a trend among threat actors, and more and more ransomware in the wild exhibits similar behavior.

The situation is further complicated by the advanced code obfuscation techniques that Maze features, which make static analysis quite difficult. Thankfully, interactive malware analysis services like ANY.RUN allow dynamic analysis to be carried out almost as quickly and easily as static analysis, giving researchers a chance to collect invaluable information about this ransomware.

IOCs

IP addresses
91.218.114.32
91.218.114.26
91.218.114.4
91.218.114.79
91.218.114.77
91.218.114.38
91.218.114.37
91.218.114.31
91.218.114.25
91.218.114.11

The following 192.168.100.0/24 entries are RFC 1918 private addresses, almost certainly from the analysis environment's own network; they are listed as extracted but should not be deployed as network indicators.
192.168.100.27
192.168.100.102
192.168.100.185
192.168.100.9
192.168.100.96
192.168.100.49
192.168.100.51
192.168.100.3
192.168.100.119

Hashes

Domains
lbi1.ru
i1fermer.ru
