In this Article
What is Maze Ransomware?
Maze Ransomware, also known as ChaCha Ransomware was discovered on May 29, 2019, wreaking havoc on businesses. Maze is part of a new ransomware strain that steals and encrypts data and then demands a ransom. The attackers threaten to release the information on the internet unless the ransom is paid. Unfortunately, even if an organization backs up their data, they still must deal with the potential public leak. These attackers have a website that reveals their uncooperative victims and samples of their stolen data.
India, as indicated by a few reports, was among the top victims in the SamSam ransomware assault of 2015, is still among the top victim nations, which is the reason advisories can go a long way in preventing widespread damage.
Recently cognizant technologies suffered a ransomware attack which results in loss equivalent to $50 – $70 million dollars. So, what is this Maze ransomware? let’s talk about it more in detail.
How does the MAZE RANSOMWARE infect an organization at the very beginning?
The attackers use a variety of different techniques to attack your network. This can include exploitation of known vulnerabilities that have not been patched or zero-day vulnerabilities, remote desktop connections with weak passwords, malicious E-mail attachments, or links. In some cases, the attack may actually come from your client’s compromised network or partner who has already fallen victim to the hackers.
How does It work? (Maze Ransomware Vector)
Maze is known to be distributed via the help of a fake website that hosts the Mobile Bitcoin Wallet app under the same name. Folks who want to have the application will end up being redirected to a Fallout exploit kit (a trap) which, under certain conditions will execute malware’s payload (malicious code) without users’ interaction or consent.
After encrypting files stored on the system, Maze virus will display a ransom note DECRYPT-FILES.html asks victims to pay a ransom in BTC aka Bitcoins and contact bad actors (hackers) via firstname.lastname@example.org. Also, the malware will change the background on the desktop, displaying another message from hackers. The latest version of Maze virus shows a different wallpaper depending on the computer type (e.g. personal computer, backup server, server in a corporate network, etc.), which essentially changes the decryptor price or ransom.
Once the payload (malicious code) of Maze is executed, it will contact 2 domains and 15 hosts, manipulate the Windows registry, delete Shadow volume image to complicate the recovery process, and execute other malicious tasks required for its operation.
After establishing itself and encrypting the files, Maze will display the following note:
- Unusual activity in event logs should be investigated immediately. Ensure there is a password reset for all accounts in case of compromise.
- Include rules that block credential theft and ransomware activity.
- RDP should be shut off if not being used.
- Update consistently and patch vulnerabilities.
- Backup data regularly and store externally.
- Implement password management processes.
We hope that the above article gave you enough information about the New Malware in Town: MAZE RANSOMWARE. If you have any questions or doubts, feel free to ask in the comment section. We promise to respond as soon as possible.