Banner image


Maze Ransomware Mitigation Strategies in Light of Recent Attack

CyberProof CTI Team

Maze ransomware has attacked again, this time affecting a $30 Billion American IT services firm.

CyberProof CTI Team

Maze spreads through the network and locks out users while exporting data to the hackers’ servers. Historically, they would encrypt the data and demand ransom from organizations to recover it. Their techniques have morphed into threatening to publish sensitive data gathered during the attack.

The ransomware has used different attack vectors, such as sending malicious emails, using exploit kits, and attacking RDPs, to infect targeted companies around the world.


After the IT services firm was hit by Maze, the company notified its clients and provided them with related IoCs. A few hours after the attacks, a security researcher provided a YARA rule to detect the Maze ransomware DLL file.

Because of the way that Maze works, it is likely that it was present in the organization’s network for weeks, spreading slowly and stealthily throughout their system, and stealing files and credentials. Usually, once the threat actors obtain administrator credentials on the network, they deploy the ransomware – taking the first steps to encrypt data and publish a ransom note – using tools such as PowerShell Empire.

Maze Explained

Russian APT TA2101 is the cyber criminal operation responsible for Maze. When Maze originated, it was distributed via Fallout and Spelevo exploit kits, which exploited a vulnerability in Flash Player (CVE-2018-15982). Maze has also been distributed by means of malicious websites and through emails with malicious attachments, which were used to drop the ransomware’s payload.

Maze has also been detected stealing data through FTP servers by running commands in PowerShell. In some cases, the attackers first stole data from the organization’s cloud backups before encrypting the files.

Recently Maze operators have claimed responsibility on their official news website for dozens of ransomware attacks in which they demanded millions of dollars to decrypt the files. If they were not paid immediately, they published portions of the data they gathered on a Russian hacking forum.

They currently deny responsibility for the most recent attack, which follows previous precedent where they have not confirmed attacks or victims until negotiations stalled. It is possible that they will announce the attack soon and perhaps publish portions of the data they gathered, to pressure that organization into paying the ransom.

The operators published a press release this week offering tips to victims about how to act after they are attacked. The group claims to be open to price negotiations with companies that adhere to their rules.


A novel feature of this ransomware is that it customizes ransoms according to the type of device being attacked. It tries to detect if the device is a home computer, workstation, domain controller, server, etc. and then adjusts the size of the ransom accordingly.


Maze attacks have occurred in multiple countries, including the United States, the UK, Europe, the Middle East, and Asia. In the past week alone, approximately ten organizations -- both governmental and private companies -- were targeted in Maze ransomware attacks.


Maze operators have not halted attacks during the COVID-19 pandemic. Initially they claimed they would not target healthcare companies, but they recently attacked a vaccine testing facility in the UK.


UST Global through its subsidiary Cyberproof has worked to uncover IoCs and IoAs to actively hunt for evidences of this Maze variant and to provide data protection assistance to our customers.

Here are some of the mitigations that we recommend: