The Maze ransomware, also known as the ChaCha ransomware, has been around for a short time. Cisco Talos provided a deep look at Maze back in December (summary found HERE). Cognizant was recently infected, which has been making headlines around the world. Maybe it's time to take a second look at Maze?
Livemint posted a short summary of Maze. The original post can be found HERE.
As more organizations switched to remote working due to lockdowns, there has been an increase in cyberattacks ranging from phishing scams to ransomware attacks.
Leading IT services provider Cognizant was recently targeted by a ransomware attack. The company confirmed a security incident involving its internal systems, leading to disruption of services for some clients due to the Maze ransomware attack.
Also known as ChaCha ransomware, Maze was discovered in May 2019 by Jerome Segura, a malware intelligence analyst.
Though the Maze ransomware organization has denied its involvement in the attack, security experts don’t seem convinced. “The ransomware has still been categorized as Maze because the listed IOCs included IP addresses of servers and file hashes for the kepstl32.dll, memes.tmp, and maze.dll files. These are known to be used in previous attacks by the Maze ransomware actors,” said Saket Modi, co-founder & CEO of Lucideus, a cybersecurity company.
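The IOCs quoted above are file names plus hashes. As an added example (not part of the Livemint article or Cognizant's response), here is a small Python sweep that walks a directory tree, flags any file whose name matches the three Maze-associated names mentioned in the quote, and separately compares every file's SHA-256 against a known-bad list. The hash values are not on the page, so the list holds an obvious placeholder that a defender would replace from a vetted threat feed; the `demo()` function builds a constructed sample tree of harmless files to show the three kinds of hit (name only, hash only, name and hash).

```python
"""IOC file sweep for the Maze-associated file names quoted in the article.

Added example, not code from the article or from any vendor it cites.
Hash values are placeholders: the page gives the file names but not the hashes.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# File names cited in the article as Maze IOCs (compared case-insensitively).
MAZE_IOC_FILENAMES = {"kepstl32.dll", "memes.tmp", "maze.dll"}

# PLACEHOLDER: the real SHA-256 values are not on the page. Replace this set
# with hashes from a vetted threat-intelligence feed before using the sweep.
KNOWN_BAD_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, ioc_names=MAZE_IOC_FILENAMES, bad_hashes=KNOWN_BAD_SHA256):
    """Walk `root` and return a list of (path, reason, sha256) hits.

    `reason` is "name" (file name matches an IOC), "hash" (content matches a
    known-bad digest) or "name+hash" (both). Files that cannot be read are
    skipped rather than aborting the whole sweep.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:
                continue
            reasons = []
            if name.lower() in ioc_names:
                reasons.append("name")
            if digest in bad_hashes:
                reasons.append("hash")
            if reasons:
                hits.append((path, "+".join(reasons), digest))
    return hits


def demo():
    """Run the sweep over a constructed sample tree of harmless text files.

    Returns a sorted list of (basename, reason) so the result is deterministic.
    """
    sample = b"constructed sample content, not malware"
    # Treat the constructed sample's digest as "known bad" to exercise hash matching.
    bad_hashes = KNOWN_BAD_SHA256 | {hashlib.sha256(sample).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        Path(root, "sub").mkdir()
        Path(root, "sub", "maze.dll").write_bytes(sample)       # name + hash hit
        Path(root, "memes.tmp").write_bytes(b"different bytes")  # name-only hit
        Path(root, "renamed.bin").write_bytes(sample)            # hash-only hit
        Path(root, "report.docx").write_bytes(b"benign document")  # no hit
        hits = sweep(root, bad_hashes=bad_hashes)
        return sorted((os.path.basename(p), reason) for p, reason, _ in hits)


if __name__ == "__main__":
    for basename, reason in demo():
        print(f"{reason:9s} {basename}")
```

Name matching alone is weak evidence, since an attacker can rename a file and a benign file can share a name; the hash match is the stronger signal, which is why the sweep reports the two reasons separately instead of collapsing them into one alert.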
This is the second major cyberattack involving the Maze ransomware on an organization in a month’s span. In March, Chubb, a cybersecurity insurance company, reported a security breach which is believed to be the handiwork of the Maze ransomware group.
Interpol has also warned health organizations across the world to brace themselves for a possible attack involving nefarious ransomware, even though the Maze ransomware group has reportedly assured that they won’t be targeting healthcare and medical facilities for the time being.
How does Maze operate?
McAfee Labs’ research on Maze shows that the ransomware is mainly spread through exploit kits such as Fallout and Spelevo, desktop connections with weak passwords, and phishing emails impersonating government agencies. For instance, in the October cyberattack on Italian organizations, emails were sent with a Word attachment that used macros to run the malware on the system.
According to McAfee, the malware is programmed to resist reverse engineering of its code, which makes static analysis by security researchers more difficult.
Reverse engineering is a common practice used in cybersecurity to understand how a given program, like the malware in this case, works.
What makes Maze dangerous?
A typical ransomware attack encrypts all files and then locks them down to prevent access until the owner or organization has paid the ransom. What makes Maze ransomware unique is the fact that before encrypting files it steals a significant amount of data and sends it to a remote server controlled by the attacker. The objective is to sell the data on the dark web if the organization or individual refuses to pay the ransom amount.
Who is behind Maze?
Security experts have not yet been able to trace the country of origin of the Maze ransomware. During their examination, McAfee Labs found that some of the IP addresses belonged to the Russian Federation. However, that is not enough to confirm which country the bits come from; IP spoofing is a common practice used by attackers to deliberately misdirect investigations and even cause disharmony between two states.
What can organizations do to protect themselves?
Modi points out that an organization can avoid paying ransoms as long as it has all important data backed up properly. However, to protect their systems from any such attacks, organizations need to improve their security posture.
“These are exactly the situations why the industry needs to adopt a proactive, real-time and quantifiable approach to cybersecurity. Cyber risk quantification platforms can help organizations get a clear view into the cyber risk posture in real-time, allowing them to prioritize cybersecurity projects and investments,” added Modi.