Maze Ransomware

Maze ransomware, previously known as ‘ChaCha’, has been circulating since mid-2019. It belongs to a newer generation of ransomware that continues to evolve, and its impact on the organizations and users it affects has been devastating.

What makes Maze especially dangerous is that, unlike traditional ransomware, which only encrypts the victim’s local files, Maze is designed to avoid detection, to copy those files and ship them to networks and servers controlled by the attackers, and only then to encrypt them.

The sophistication of Maze also comes from the way it is developed, distributed and deployed, and from the way the spoils are shared among its perpetrators. Maze is believed to operate on an affiliate model: the group that develops it ‘loans’ it to other attack groups, which deploy it against victims in different ways, and when a ransom is paid a commission is distributed through the hierarchy of groups involved.

Another level of sophistication and danger comes from the way the perpetrators behave once they have shipped their victims’ data to their own servers. They maintain a public-facing website that is used to put pressure on victims to pay. They point the victim to this site to prove that they indeed hold the data, and if the victim does not pay to their satisfaction they tend to release the victim’s entire data set on the site for anyone to view.

How it works

The most common vectors used to breach a victim with Maze are weak external remote services and phishing email campaigns. The weak external remote services are typically internet-facing applications with unpatched, exploitable vulnerabilities or weak authentication; examples include Citrix, Windows RDP, FTP, Telnet and custom applications developed by the organization. The phishing campaigns target human weaknesses in the victim organization, luring users into clicking malicious links or opening a legitimate-looking malicious attachment.

A less common vector is to enter the organization from an already-compromised business partner or client, using the established communication channels between the two.

Once infiltration is successful, the attack proceeds along three main threads of activity. The first hunts for weaknesses in the victim’s systems and network in order to move laterally across the organization. The second encrypts the local files on each infected host. The third establishes a covert channel and ships the stolen data to the attackers’ remote network and servers; the data is typically taken before the encryption starts, so the encryption is what finally alerts the victim.

Once the attackers have obtained a copy of the victim’s data, a ransom note is typically displayed on the affected system. It explains how to pay the ransom in cryptocurrency and gives the URL of a website where the victim can view a sample of their stolen data.
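The exfiltration thread described above is the stage at which this type of attack can still be caught before the encryption and the ransom note. The following is an added example, not code from the original page or from any Maze analysis, of the kind of check a detection team would run over outbound connection records: it sums the bytes each internal host sends to each external destination and raises an alert when a single host pushes an unusually large volume to a destination that almost no other host talks to. The log format, host names, IP addresses (from the RFC 5737 documentation ranges) and thresholds are all assumptions constructed for the example.

```python
"""Flag possible bulk data exfiltration in simplified outbound flow records.

Added example for illustration. Record format (assumed, one per line):
    <timestamp> <src_host> <dst_ip> <dst_port> <bytes_out>
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (hypothetical hosts and documentation-range IPs).
# srv-file-01 pushes several GB over SSH to an address nobody else contacts;
# the workstations only make ordinary HTTPS requests to a shared destination.
SAMPLE_LOG = """\
2020-06-01T01:02:03Z ws-fin-07 203.0.113.10 443 48213
2020-06-01T01:05:11Z ws-fin-07 203.0.113.10 443 51004
2020-06-01T02:10:40Z srv-file-01 198.51.100.5 22 2147483648
2020-06-01T02:15:02Z srv-file-01 198.51.100.5 22 1073741824
2020-06-01T02:20:17Z ws-hr-02 203.0.113.10 443 12000
this line is deliberately malformed and must be skipped
2020-06-01T03:00:00Z srv-file-01 198.51.100.5 22 536870912
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    port: int
    bytes_out: int


def parse_flows(text):
    """Parse records, silently skipping lines that do not match the format."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src, dst, port, nbytes = fields
        try:
            flows.append(Flow(ts, src, dst, int(port), int(nbytes)))
        except ValueError:
            continue
    return flows


def find_exfil_candidates(flows, byte_threshold=1 << 30, max_peers=2):
    """Return (src, dst) pairs that moved >= byte_threshold bytes outbound
    to a destination contacted by at most max_peers internal hosts.

    The rarity condition matters: a large upload to a destination the whole
    fleet uses (a backup service, a CDN) is normal; a large upload from one
    server to an address nothing else talks to is what an exfiltration
    channel looks like. Both thresholds are assumptions to be tuned per site.
    """
    out_bytes = defaultdict(int)   # (src, dst) -> total bytes sent
    peers = defaultdict(set)       # dst -> set of internal hosts using it
    for f in flows:
        out_bytes[(f.src, f.dst)] += f.bytes_out
        peers[f.dst].add(f.src)

    alerts = []
    for (src, dst), total in sorted(out_bytes.items()):
        if total >= byte_threshold and len(peers[dst]) <= max_peers:
            alerts.append({
                "src": src,
                "dst": dst,
                "bytes_out": total,
                "distinct_peers": len(peers[dst]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_candidates(parse_flows(SAMPLE_LOG)):
        print("possible exfiltration:", alert)
```

In production the same aggregation would run over a proxy, firewall or NetFlow feed and compare each host against its own historical baseline rather than a fixed byte count; the point of the check is the combination of volume and destination rarity, not the exact numbers.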

What are the risks?

Given the sophistication of Maze and the way the attackers use it, the risks to an organization are substantially greater than with conventional ransomware.

The biggest risk is the publication of sensitive data on the internet, which not only causes serious reputational damage and embarrassment but also exposes the organization to potential lawsuits. Another significant risk is business disruption due to the inaccessibility of data and systems.

Who are the targets?

The first reported Maze attacks were against organizations based in North America, Germany and Italy, ranging from public services and government agencies to financial and insurance services and construction businesses. Because of its affiliate model, it has quickly spread to organizations across North America, Europe, Asia and Australia. Recently affected organizations include IT services company Cognizant, financial services provider Xero, chip maker MaxLinear and consumer electronics maker LG.

How can it be prevented?

Boards and executive management should have visibility of the health of the organisation’s security program. As a starting point, this includes measures and metrics showing that system owners are keeping hardware and software secure and current, and metrics on security awareness across the whole company.

Given the attack vectors used in this type of attack, the following mitigations are recommended to protect your organization from Maze infection:

  • Maintain a vulnerability management program across your IT infrastructure fleet, including consistent and frequent patching and system hardening to an accepted standard (e.g. CIS Benchmarks).
  • Maintain strict control over internet-facing applications and services, especially those that allow remote access to the organization’s systems and networks.
  • Implement multi-factor authentication for users who need remote access and for those who need privileged access to systems.
  • Provide continuous education and awareness training for all users on recognising suspicious or malicious emails, the actions they should take, and how to report them.
  • Ensure there is a comprehensive threat detection and response program in place that, at a minimum, covers all sensitive endpoints, networks and applications and provides continuous monitoring and alerting.
  • Ensure you have a comprehensive backup regime for all critical systems and data, with backups kept where a compromised account cannot reach them. Test your disaster recovery and business continuity plans regularly, considering how they would respond to this type of incident.
  • Consider cyber insurance; many modern policies include coverage for ransomware. Also review the insurer’s policy on dealing with ransomware: some policies give the insurer the right to decide whether a ransom is paid, which may be at odds with your organisation’s policy.
  • Ensure you have a comprehensive cyber incident response plan in place that is tested at least annually. This includes clear roles and responsibilities for responding to an incident, ‘run books’ for specific types of incident (such as ransomware), and media and communication plans for managing your communications to both internal and external stakeholders.

© 2020 MyEmpire Group Pty, Ltd All rights reserved
