Malware analysis

Maze ransomware

Introduction

One of the many recurring themes in cybersecurity echoes one of the great mottos in life of “the only thing constant is change.” Ransomware is no exception to this rule, and this is best demonstrated by new types of ransomware which are redefining what this category of malware is capable of. Attackers leverage these new ransomware types to push their attacks further with devastating results. 

This article will go into detail about the Maze ransomware and will explore what Maze is, how Maze is different from other types of ransomware and how Maze works. It will also highlight some real-world examples of this malware in the wild. Those researching malware will find this article to be the go-to guide to Maze that they’re searching for.

What is Maze?

Maze, also known as ChaCha, is ransomware that was first observed in May 2019. At first, Maze was a rather unremarkable instance of ransomware that was involved in extortion campaigns. Beginning around October of 2019, Maze became more aggressive and more public. 

Going a step beyond nearly any malware ever seen, in November of 2019 Maze began publicly outing their campaign victims by posting the names of the companies that have not complied with their ransom demands. Attack campaigns employing Maze typically pose as legitimate government agencies and security vendors to steal and encrypt data to then attempt to extort the data owner. 

Maze is used as a part of a multi-pronged cyberattack. Generally speaking, Maze is observed appearing in the second or third step of these campaigns and is less likely to be used as an initial access technique. 

What makes Maze different from other ransomware?

If anything can be said about cyberattacks in the last five years or so, ransomware has really moved into the forefront of important attacks. It ramped up in frequency during 2016. You would be hard-pressed to read the news and not hear of some bold ransomware campaign bringing a targeted company to its proverbial knees.

With this said, another glaring observation is the seeming one-dimensional nature of ransomware attacks. Until now, most ransomware attacks have only encrypted data local to the victim’s targeted environment. While this can indeed be a scourge for organizations that are not the most information security-savvy, it should be noted that many ransomware victims have been successful in decrypting their data without giving in to the attack group’s ransom demands. 

Maze’s functionality far exceeds this traditional ransomware approach by using a 1-2-3 combination of:

1. Encrypt
2. Exfiltrate
3. Extort

When comparing Maze to most of the other ransomware out there, the clear difference is its abilities to both exfiltrate the encrypted data and extort the victim. The end result of this is the ability to hit victims with what has been described as a ransomware “double whammy” — whereas most ransomware mere encrypts local victim data, Maze can apply more pressure to victims by threatening to leak sensitive data. 

This threat should be taken seriously, as Trend Micro researchers have noted that attack groups using Maze have made good on this threat and indeed released sensitive victim information to the public via “name and shame” websites. Occurring in mid-December of 2019, this leaking entailed posting documents and raw databases belonging to noncompliant victims.

How does Maze work?

“Work” is a bit subjective here, as different malware types do different things — depending on their code — to tell them what to do. Since ransomware only needs to gain entry to a system to work, gaining this entry is far more than the proverbial “half the battle” and more like the battle itself.

Unlike other ransomware that typically uses social engineering and spam email campaigns to gain entry to a targeted system, Maze uses exploit kits via drive-by downloads. As you know, exploit kits are a compilation of known software vulnerabilities that, taken as a whole, serve as an all-in-one exploit tool kit. 

Don’t get me wrong here — I know that exploit kits are not new in any sense. However, in the realm of ransomware, exploit kits are unheard of aside from Maze. 

One of the exploit kits Maze uses is called Fallout, which uses various exploits found on GitHub. One of these vulnerabilities is a Flash Player exploit, CVE-2018-15982. Fallout is a relatively new exploit kit that uses PowerShell instead of the web browser to run its payload. Maze has also been observed using Spelevo, another exploit kit.

Real-world examples of Maze

Although relatively new, there are quite a few real-world examples of Maze worth mentioning. Below are two notable ones.

Southwire

This Georgia-based wire and cable manufacturer was attacked by Maze in December 2019. After five days of not complying with the $6 million ransom, the Maze attack group published the data that it encrypted and stole from the victim. Maze was used to steal 120GB of data from Southwire as well as encrypting 878 devices.

City of Pensacola, Florida

December was a busy month for the Maze attack group — one of its largest campaigns in terms of scale and, ultimately, effect was against the city of Pensacola, Florida. Maze claimed to have compromised the city’s finance, treasury, executive, risk management, legal, housing and human resources departments. 

For some unknown reason, the Maze group did not make good on its threat to publish sensitive information and posted the list of leak data and hosts to serve as proof of the attack. This is beyond uncommon for a ransomware attack.

Conclusion

Ransomware has been around for a few years now and we are starting to see instances of this type of malware that break the mold and forge a new direction. Maze differs from other ransomware in many significant ways — from its capabilities to the heart of the ransomware attack itself, gaining entry. 

It will be interesting to see if other ransomware begins to use exploit kits as infection vectors like Maze or if this practice remains the exception to the rule. 

 

Sources

1. Maze Ransomware Exploiting Exploit Kits, Security Boulevard
2. Maze Ransomware Update: Extorting and Exposing Victims, Sentinel Labs
3. MAZE Relaunches “Name and Shame” Website, Infosecurity Magazine
4. Ransomware Victim Southwire Sues Maze Operators, Dark Reading