Maze ransomware, previously known as ‘ChaCha’, has been circulating since mid-2019. It is a new-age ransomware that continually evolves to have devastating impacts on the affected organizations and users.
What makes Maze especially dangerous and sophisticated is that, unlike traditional ransomware, which only encrypts the victim's local files, Maze is designed not only to encrypt but also to evade detection and to exfiltrate those files to remote networks and servers controlled by the attackers.
The sophistication of Maze also comes from the way it is developed, distributed and deployed, and from the way the spoils are shared among its perpetrators. Maze is believed to operate on an affiliate model: the attackers who develop it ‘loan’ it to other attack groups, which deploy it against victims in different ways, and when a ransom is paid the commission is distributed along the hierarchy of attack groups.
A further level of sophistication and danger comes from how the perpetrators behave once they have shipped their victims' data to their own servers. They maintain a public-facing website that is used to pressure victims into paying. They point the victim to this website to prove that they do indeed hold the data, and if the victim does not pay to their satisfaction they tend to release the victim's entire data set on the website for anyone to view.
How it works
The most common vectors that Maze ransomware uses to breach a victim are weak external remote services and phishing email campaigns. The weak external remote services are typically internet-facing applications with unpatched, exploitable vulnerabilities; examples include Citrix, Windows RDP, FTP, Telnet and custom applications developed by the organization. The phishing email campaigns target human weaknesses in the victim organization, luring users into clicking malicious links or downloading a legitimate-looking malicious attachment.
Another, less common, vector is to enter the organization through an already infected business partner or client, using the established communication channels between the two.
Once the infiltration is successful, the ransomware is programmed to fork into three main threads. The first hunts for weaknesses in the victim's systems and network in order to propagate laterally across the organization. The second encrypts the local files of each infected host. The third establishes a covert channel and ships the stolen data to the attackers' remote network and servers.
Once the attackers have obtained a copy of the victim's data, a ransom note is typically displayed on the affected system. It explains how to pay the ransom in cryptocurrency and provides a URL for a website where the user can view a sample of their stolen data.
What are the risks?
Given the sophistication of Maze and the way attackers use it, the risks to an organization increase substantially.
The biggest risk is the publication of sensitive data on the internet, which not only causes serious reputational damage and embarrassment but also exposes the organization to potential lawsuits. Another significant risk is business disruption caused by the inaccessibility of data and systems.
Who are the targets?
The first reported Maze ransomware attacks targeted organizations based in North America, Germany and Italy, spanning public services, government agencies, financial and insurance services, and construction businesses. However, owing to its affiliate model, it has quickly spread to other organizations in North America, Europe, Asia and Australia. Recently affected organizations include IT services company Cognizant, financial services provider Xero, chip maker MaxLinear and consumer electronics maker LG.
How can it be prevented?
Boards and executive management should have visibility over the health of the organization's security program. As a starting point, this includes measures and metrics to ensure that system owners are keeping hardware and software secure and up to date, and metrics on the general security awareness of the entire company.
Considering the attack vectors used in this type of attack, the following mitigations are recommended to protect your organization from Maze ransomware infection: