Insights

Maze Ransomware Mitigation Strategies in Light of Recent Attack

CyberProof CTI Team

Maze spreads through the network and locks out users while exporting data to the hackers’ servers. Historically, they would encrypt the data and demand ransom from organizations to recover it. Their techniques have morphed into threatening to publish sensitive data gathered during the attack.

The ransomware has used different attack vectors, such as sending malicious emails, using exploit kits, and attacking RDPs, to infect targeted companies around the world.

THE RECENT MAZE ATTACK

After the IT services firm was hit by Maze, the company notified its clients and provided them with related IoCs. A few hours after the attacks, a security researcher provided a YARA rule to detect the Maze ransomware DLL file.

Because of the way that Maze works, it is likely that it was present in the organization’s network for weeks, spreading slowly and stealthily throughout their system, and stealing files and credentials. Usually, once the threat actors obtain administrator credentials on the network, they deploy the ransomware – taking the first steps to encrypt data and publish a ransom note – using tools such as PowerShell Empire.

Maze Explained

Russian APT TA2101 is the cyber criminal operation responsible for Maze. When Maze originated, it was distributed via Fallout and Spelevo exploit kits, which exploited a vulnerability in Flash Player (CVE-2018-15982). Maze has also been distributed by means of malicious websites and through emails with malicious attachments, which were used to drop the ransomware’s payload.

Maze has also been detected stealing data through FTP servers by running commands in PowerShell. In some cases, the attackers first stole data from the organization’s cloud backups before encrypting the files.

Recently Maze operators have claimed responsibility on their official news website for dozens of ransomware attacks in which they demanded millions of dollars to decrypt the files. If they were not paid immediately, they published portions of the data they gathered on a Russian hacking forum.

They currently deny responsibility for the most recent attack, which follows previous precedent where they have not confirmed attacks or victims until negotiations stalled. It is possible that they will announce the attack soon and perhaps publish portions of the data they gathered, to pressure that organization into paying the ransom.

The operators published a press release this week offering tips to victims about how to act after they are attacked. The group claims to be open to price negotiations with companies that adhere to their rules.

CUSTOMIZED RANSOMS

A novel feature of this ransomware is that it customizes ransoms according to the type of device being attacked. It tries to detect if the device is a home computer, workstation, domain controller, server, etc. and then adjusts the size of the ransom accordingly.

GLOBAL VULNERABILITIES

Maze attacks have occurred in multiple countries, including the United States, the UK, Europe, the Middle East, and Asia. In the past week alone, approximately ten organizations -- both governmental and private companies -- were targeted in Maze ransomware attacks.

MAZE EXPLOITS DURING COVID-19

Maze operators have not halted attacks during the COVID-19 pandemic. Initially they claimed they would not target healthcare companies, but they recently attacked a vaccine testing facility in the UK.

MAZE MITIGATION AND BEST PRACTICE RECOMMENDATIONS

UST Global through its subsidiary Cyberproof has worked to uncover IoCs and IoAs to actively hunt for evidences of this Maze variant and to provide data protection assistance to our customers.

Here are some of the mitigations that we recommend:

• Keep applications and operating systems running at the current released patch level, ensuring the mentioned vulnerabilities are patched.
• Block RDPs from access to the Internet. Limit external connections on Port 3389 in the organization’s firewall.
• Ensure RDP is only accessible via VPN. In addition, protect the VPN by using MFA and encourage the use of complex passwords to prevent brute-force attacks.
• Consider placing RDP servers behind a restricted area of the network, such as a DMZ.
• Conduct periodic employee awareness campaigns for suspicious emails and attachments; educate your users on how to spot and avoid phishing and malspam. Teach users to be suspicious of emails that have a sense of urgency, or that ask the user to bypass standard procedures and common sense.
• Create an effective backup strategy by following the 3-2-1 rule:
  1. Create at least 3 copies of the data.
  2. Save them in 2 different storage formats.
  3. Ensure that at least 1 saved copy is located off-site.
• Adopt strong passwords throughout the network.
• Consider network segmentation to separate important processes and systems from the wider access network.
• Monitor and audit network traffic for any suspicious behaviors or anomalies.
• Scan system backups for registry persistence.
• Scan system backups for other malware infections.
• Disable macros in MS® Office programs and never enable them unless it is absolutely essential to do so.