We will cover the following topics to learn about Maze Ransomware in detail.
Learn everything there is to know about Cyber Security course from this video by Intellipaat.
What is Maze Ransomware?
Maze allegedly operates through an affiliated network where the developers share their earnings with several groups that deploy the ransomware across different networks. The major concern with Maze Ransomware is the fact that the Maze operators take advantage of the organizational assets in one network to move over to others laterally.
If the affected organization is an IT services provider, it opens up a whole new box that catalyzes further attacks on the hundreds of customers that rely on these IT services.
Maze Ransomware is a strain of Windows ransomware that demands payment in cryptocurrency in exchange for the safe recovery of encrypted data. If payment is refused by any victim, the criminals leak all their confidential data. Similar behavior is increasingly seen in newer forms of ransomware.
How does Maze Ransomware work?
The distribution of Maze is typically done through spam emails with malicious links or attachments, Remote Desktop Protocol (RDP) brute force attack, or by using an exploit kit. There are cases when the attack comes from an organization’s partners or clients who have themselves fallen victim to hackers.
Once Maze has access to a network, gaining elevated privileges is the next objective so that file encryption can be deployed across all drives. Since Maze also steals data and leaks them to servers that are controlled by hackers, it is even more dangerous as victims can be threatened based on this.
Although it is possible to restore the data from a secure backup provided the backup has not been compromised, it still doesn’t do any good that the attackers now have a copy of the data. Maze can essentially, be considered a combination of a data breach and a ransomware attack.
Let’s review the techniques used by Maze Ransomware:
Initial Access
In most cases, Maze operators use valid credentials to log in to the network with the help of internet-facing servers (either RDP or a Citrix/VPN server). Although how the initial credential was compromised is not known, the standard methodologies include guessing weak passwords or spear-phishing using emails containing malicious macros.
Reconnaissance
Once a machine in a network is compromised by malware, the whole network is scanned for vulnerabilities. It scans the network configuration, open SMB shares, accounts, domain trusts, permissions, and other various Active Directory attributes. The scans are sometimes, done with popular open-source tools like BloodHound, Adfind, smbtools.exe, PingCastle as well as built-in Windows commands.
Get our Certified Ethical Hacking Course and master Ethical Hacking from scratch!
Lateral Movement/Credential Access
The malware takes a few days to gain intelligence on the network and then starts moving in the network laterally. The easiest targets are credentials in the compromised machine.
Maze also scans for files that contain plaintext passwords. If these are not accessible, it then moves around the network with the help of LLMNR/NBT-NS Poisoning. This helps steal network packets for NTLM cracking later and/or NTLM relay attacks.
If none of these techniques work, the Maze Ransomware tries brute-forcing user/service accounts to find weak passwords. Once a credential is found to be valid, Windows interfaces like WinRM, SMB, and RDP are used for Maze to move laterally and execute code on remote machines.
Privilege Escalation
Privilege escalation involves the attacker moving laterally to new machines and then again using the same techniques, finding new credentials to compromise and move to other machines. Once domain admin credentials are found, this kind of lateral movement stops. At this point, any machine in the network can be compromised.
Persistence
The malware operator tries to maintain its presence in the network for as long as possible. This is possible by adding various backdoors and passages. This helps retake control of the network in case the malware is detected and removed. Maze mainly captures as many user credentials as possible and creates new privileged accounts in the network.
Learn Cyber Security and Ethical Hacking, and start your journey in Cyber Security.
Maze Ransomware Website
The creators of the Maze Ransomware host a website where they list their victims (or “clients”). This website frequently has published samples of data that is stolen. It includes details of the date that victims were hit by the attack as well as the links to the stolen data and documents that are downloadable as a “trophy”.
Ironically, the website features the slogan “Keeping the world safe” and much provocatively, includes sharing options on social media to share details of the data breaches. If the ransom is not paid, the Maze Ransomware website warns victims that they will:
- Make the security breaches public and inform the media
- Sell the stolen data that has commercial value on the dark web
- Inform stock exchanges about the breach and drive down the share price of the company
- Target the clients and partners of the company as well as notify them of the attack
The Root Cause
Most of the time, these malicious activities are executed using valid user credentials acquired through various means. Maze targets passwords in local drives and sometimes, it compromises accounts that have weak passwords using brute force and credential scanning methods.
Sign up for Intellipaat’s Cyber Security Course with Placement Assistance and learn from industry experts.
Maze Ransomware Examples
Cognizant Maze Ransomware Attack
One of the most well-known Maze ransomware attacks was the one that targeted Cognizant. This Fortune 500 giant was attacked and services to its customers were disrupted as a result. The attack encrypted and disabled some of its internal systems and forced it to take other systems offline.
The Cognizant attack took place during the Covid-19 pandemic when everyone was working remotely. The malware disrupted computer systems that supported virtual desktop infrastructure making it difficult for the employees to work. The attack deleted Internal directories and email access was lost as well.
In the immediate aftermath of the Maze Ransomware attack on Cognizant, the company lost between US$50,000,000 and US$70,000,000. There were further incurred costs for full restoration of its computer systems.
City of Pensacola Maze Ransomware Attack
Pensacola, Florida was attacked by Maze Ransomware at the end of 2019. The group held the stolen data against a ransom of US$1,000,000. More than 32GB of data was claimed to be stolen from the city’s systems. As proof of the attack, they leaked 2GB of data.
Xerox Maze Ransomware Attack
In July 2020, the operators of Maze Ransomware claimed that they had infiltrated Xerox’s systems. They threatened to leak their data unless the ransom was paid. As proof of the data breach, a series of ten screenshots were posted on their website indicating that they were in possession of data related to customer support operations.
Canon Maze Ransomware Attack
In the August of 2020, Canon had fallen victim to a Maze ransomware attack. Up to 10TB of Canon’s data was exfiltrated, and around 25 different Canon domains and several internal applications were affected, including collaboration services and e-mail.
Data is a crucial thing and keeping it safe is important. Learn how to keep data safe by enrolling in Cyber Security Training in Bangalore.
Get 100% Hike!
Master Most in Demand Skills Now!
Should you pay the ransom?
An important question is—should the ransom be paid? It is best not to. Paying the ransom will only encourage more similar attacks in the future. Of course, it is not easy to make the call when sensitive data is involved—not just the organization’s but also clients’ and partners’. Ultimately it is up to the organization to make decisions based on their circumstances.
It is always advised to involve law enforcement to investigate such attacks. It is also critical to understand the security issues that made the attack possible in the first place. It is essential to figure out the shortcomings and fix them to prevent future attacks.
The FBI recommends organizations proactively create caches of dummy data. These fake data collections make it difficult for attackers to gain access to the files that are genuine during a hack.
Preparing for job interviews? Have a look at our blog on Cyber Security interview questions and learn more!
Protection Against Maze Ransomware Attacks
The thing about Maze Ransomware or any other cyber threat for that matter is that it evolves. The best defense against an evolving threat is proactively taking precautions and having preventive measures in place. It is often too late to recover from encrypted data by malware or hackers.
Here are a few tips for preventing ransomware attacks:
1. Updating software and operating systems
Having updated software and operating systems are essential to help protect systems and networks from malware. Any new patches and updates for software, internet browsers, and browser plugins should always be applied once released. Running an update will help you make use of the latest security patches. This makes it harder for cybercriminals to exploit vulnerabilities and attack the system.
2. Using security software
A holistic internet security solution can protect computers against ransomware. During downloads or streams, the security software will prevent infected files and ransomware from infecting the computer thus, keeping hackers at bay.
3. Using VPN to access the network
Instead of exposing your Remote Desktop Protocol (RDP) to the internet, it is good practice to use a VPN to access the network. It takes care of online privacy in addition to offering access to global content.
4. Backing up data
Making a habit of regularly backing up data to an offsite, secure location is what can make restoration of stolen data convenient. In case routine manual backup seems unreliable, there are ways to accomplish the same through automatic backups. It doesn’t end there. Backups should also be regularly tested to ensure that the data is being saved correctly and routinely.
5. Educating staff about cyber security risks
Organizations should always ensure that their staff is informed about the techniques that hackers use to infiltrate organizations. All employees should be trained and educated on the following best practices of cyber security:
- Never opening email attachments from unknown senders and assessing whether it looks genuine before opening it
- Avoiding clicking links attached to spam emails or unfamiliar websites
- Avoiding software or media file downloads from unknown websites
- Never receiving calls, texts, or emails from untrusted sources that ask for personal information
- Using endpoint security together with behavior detection and automatic file rollback
- Only using secure technology for remote connections in an organization’s local network
- Enabling multi-factor authentication
- Strong passwords for the protection of accounts and sensitive information
- Encryption of all sensitive data wherever possible
Conclusion
At the end of 2020, the Maze Ransomware group made an announcement that they were not going to operate anymore and that they will no longer update their website. All the victims who wanted their data removed could reach out through their support chat. They claimed that it was all an attempt to raise awareness of cyber security.
Regardless of whether they actually disbanded or would simply go on to morph into another criminal group, the ransomware threat will always be an issue and all measures should be in place to prevent attacks.