Maze: a short story of one of the most dangerous cyberthreats

The Maze group has been one of the most insidious hacking groups in recent history.

Maze was a hacking group targeting organizations worldwide across many industries.

It recently announced that it has ceased its activity.

Maze developed ransomware that encrypts the data on infected devices.

Security experts believe that Maze operated through a black-hat hacking community as an affiliate scheme: its developers shared the proceeds with the various groups that deployed Maze inside organizational networks.

Regrettably, Maze's damage was not limited to the system it first compromised. Maze has been shown to use the assets of one network to move laterally into other networks.

What made Maze extremely dangerous is that it exfiltrated the stolen data to servers controlled by the attackers before encrypting it. The operators then threatened to publish that data if the ransom was not paid, so a restore from backup alone did not end the extortion.

Learn more about its techniques, targets, and other operational details below!


The Maze ransomware: what is it

Maze Team operated opportunistically, mainly against targets in the United States and Europe.

The one consistent exception was organizations in the Commonwealth of Independent States (CIS), which suggests that its operators were based in that region.

By contrast, the actor showed no particular preference for specific sectors.

Over time, in fact, the group targeted organizations and companies operating in many industries, including manufacturing, finance, aviation, automotive, transportation, government, NGOs, hospitality, healthcare, and energy.


How it works

The ransomware encrypts user files with a hybrid scheme: the symmetric ChaCha cipher for the file contents and RSA to protect the symmetric keys, so the files cannot be recovered without the operators' private key. For each encrypted file, the malware appends a randomly generated extension to the file name while keeping the original extension in place.

The malware then ties the victim's device to a specific victim ID, which the threat actor references when demanding the ransom.

That’s how extortion takes place, in brief.
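The naming behaviour described above (original extension kept, a random one appended, a different one per file) is something a defender can hunt for in file-share listings or file-creation telemetry. The following Python is an added example written for this page, not Telsy's code nor anything taken from the malware: it flags data files that carry an unknown trailing extension and raises an alert only when a listing shows many such files with almost all-distinct suffixes, which distinguishes a Maze-style run from a stray oddly named file. The extension lists, the 3-8 character bound on the appended part, the thresholds and the sample listings are all assumptions constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed for this example: extensions that usually hold user data and
# that ransomware families go after first.
DATA_EXTENSIONS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "csv",
    "jpg", "jpeg", "png", "sql", "mdb", "zip", "psd",
}

# Trailing extensions that legitimately follow a data extension
# (backups, compression, temp files); also constructed for this example.
BENIGN_SUFFIXES = {"bak", "gz", "zip", "tmp", "old", "orig", "7z", "bz2", "xz"}

# Shape of a file name after Maze-style encryption:
#   <stem>.<original extension>.<appended random extension>
# The original extension is kept; a new random one is appended after it.
# The 3-8 character bound on the appended part is an assumption of this
# example, not a documented Maze constant.
DOUBLE_EXT_RE = re.compile(
    r"^(?P<stem>.+)\.(?P<orig>[A-Za-z0-9]{1,5})\.(?P<appended>[A-Za-z0-9]{3,8})$"
)


def classify(name: str) -> Optional[Tuple[str, str]]:
    """Return (original_ext, appended_ext) when `name` looks like a data file
    with an unknown extension tacked on; otherwise None."""
    m = DOUBLE_EXT_RE.match(name)
    if m is None:
        return None
    orig = m.group("orig").lower()
    appended = m.group("appended")
    if orig not in DATA_EXTENSIONS:
        return None
    if appended.lower() in DATA_EXTENSIONS or appended.lower() in BENIGN_SUFFIXES:
        return None
    return orig, appended


def scan_listing(names: Iterable[str], min_hits: int = 5,
                 min_hit_ratio: float = 0.5,
                 min_distinct_ratio: float = 0.8) -> Dict:
    """Score a directory listing. Because the malware picks a fresh extension
    per file, an encrypted share shows many flagged files whose appended
    extensions are almost all different; one odd file name is not enough."""
    names = list(names)
    hits: List[Tuple[str, str, str]] = []
    for n in names:
        c = classify(n)
        if c is not None:
            hits.append((n, c[0], c[1]))
    distinct = {appended for _, _, appended in hits}
    hit_ratio = len(hits) / len(names) if names else 0.0
    distinct_ratio = len(distinct) / len(hits) if hits else 0.0
    alert = (len(hits) >= min_hits and hit_ratio >= min_hit_ratio
             and distinct_ratio >= min_distinct_ratio)
    return {
        "total": len(names), "hits": hits, "hit_ratio": hit_ratio,
        "distinct_ratio": distinct_ratio, "alert": alert,
    }


# Constructed listing of a file share after a Maze-style run; the random
# extensions are invented for this example.
ENCRYPTED_SHARE = [
    "budget_2020.xlsx.Qz7Lp",
    "contract.pdf.a1Bc9",
    "photo.jpg.ZtR2",
    "report.docx.m8Kx1",
    "notes.txt.p0Qw",
    "db_export.sql.Lm9Sx2",
    "archive.tar.gz",     # benign double extension, must not be flagged
    "backup.txt.bak",     # benign double extension, must not be flagged
    "presentation.pptx",  # untouched file
    "README",
]

# Constructed listing of an uninfected share.
CLEAN_SHARE = ["report.docx", "archive.tar.gz", "backup.txt.bak", "photo.jpg"]

if __name__ == "__main__":
    for label, listing in (("encrypted", ENCRYPTED_SHARE), ("clean", CLEAN_SHARE)):
        result = scan_listing(listing)
        print(f"{label}: {len(result['hits'])}/{result['total']} flagged, "
              f"alert={result['alert']}")
        for name, orig, appended in result["hits"]:
            print(f"  {name}: original .{orig}, appended .{appended}")
```

The per-file randomness is the strong signal here: a share where every flagged file carries a different appended extension is far more telling than any single extension string, which is why the alert requires a high distinct ratio rather than matching a list of known Maze suffixes. Tune the benign-suffix list to your environment before deploying the heuristic, since build systems and backup tools produce their own double extensions.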

Once the installation of Maze is complete, the operators behind it survey the infected system for exploitable weaknesses.

Moreover, a few days after the initial infection, they begin spreading to the networks adjacent to the infected system.

Meanwhile, they plant backdoors and other persistence mechanisms on the infected machine so that, should the victim notice the implant, the intrusion survives the initial mitigation measures.

For more information about indicators of compromise, see our Cyber Threat Intelligence report.


Conclusion: the ashes of Maze and how to defend from a ransomware attack

The group has claimed to have ceased its activities.

The actual threat of Maze-like infections has not ended, however.

Ragnar Locker appears to have picked up where the original organization left off; it is believed to be behind the attack on Campari at the end of last year.

Threats similar to it, such as Egregor, have been proliferating.

How can you defend yourself from this kind of threat, then?

Encryption and data backups are key steps toward protection in the business and private spheres alike. Backups must be kept offline or otherwise unreachable from the compromised network, or the attackers will encrypt them too; and because Maze steals data before encrypting it, a backup restores availability but does nothing against the threat of publication.

Multi-factor authentication helps, too, especially on remote-access and administrative accounts.

Last but not least, Telsy makes the most up-to-date vaccines against the known versions of the Maze malware available to its clients.