The Maze group has been one of the subtlest hacking groups in recent history.
Maze was a hacking group targeting organizations worldwide across many industries.
It has recently announced that it is ceasing its activity.
Maze had developed ransomware that encrypts the data on the devices it infects.
Security experts believe that Maze had operated via a black-hat hacking community. There, its developers had shared their proceeds with various groups that had deployed Maze in organizational networks.
Regrettably, the damage done by Maze was not limited to the violation of a given system. Maze has proved capable of taking advantage of assets in one network to move laterally to other networks.
What made Maze extremely dangerous is that it stole the encrypted data, exfiltrating it to servers controlled by malicious hackers. They threatened to release it if a ransom was not paid.
Learn more about its techniques, targets, and other operational details below!
The Maze ransomware: what is it
Maze Team operates opportunistically, mainly against targets concentrated in the United States and Europe.
The only exception is targets in the Commonwealth of Independent States (CIS). This suggests that its operators could operate from those geographical areas.
By contrast, the actor has no particular preference for targeted sectors.
Over time, in fact, the group targeted organizations and companies operating in many industries. They include manufacturing, finance, aviation, automotive, transportation, government, NGOs, hospitality, healthcare, and energy.
How it works
The ransomware encrypts all the user's files using both the ChaCha and RSA algorithms. For each encrypted file, the malware appends a randomly generated extension to its name, keeping the old one.
The malware then associates the victim’s device with a specific virtual ID, so that the threat actor can demand a ransom.
That’s how extortion takes place, in brief.
Once the actual installation of Maze ends, the ransomware is able to detect the vulnerabilities of the infected system.
Moreover, a few days after infection, it starts spreading to the lateral networks of the infected system.
Meanwhile, it creates backdoors and many other vulnerabilities on the infected machine, in case the user notices its implantation. By doing so, it can resist initial mitigation measures.
For more info about indicators of compromise, you may read our Cyber Threat Intelligence report here.
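As an added example (not Telsy's code or part of the original report), the renaming behaviour described above, a randomly generated extension appended after the original one, can be turned into a triage heuristic over a file listing. The extension allow-list, the 3-8 character pattern, the thresholds, the POSIX-style paths and the sample listing are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: extensions treated as ordinary document, archive or backup types.
KNOWN_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "txt", "csv",
              "pptx", "zip", "tar", "gz", "bak", "tmp", "old", "sql"}
# Assumption: a random-looking suffix is 3-8 ASCII letters or digits.
RANDOM_EXT = re.compile(r"[A-Za-z0-9]{3,8}")


def suspicious_suffix(filename):
    """Return the appended extension if the name looks like
    <name>.<known ext>.<unknown random ext>, otherwise None."""
    parts = filename.split(".")
    if len(parts) < 3 or not parts[0]:
        return None  # single extension, or a dotfile
    original, appended = parts[-2].lower(), parts[-1]
    if original not in KNOWN_EXTS or appended.lower() in KNOWN_EXTS:
        return None  # skips legitimate pairs such as site.zip.bak or db.sql.gz
    return appended if RANDOM_EXT.fullmatch(appended) else None


def flag_directories(paths, min_hits=3, min_ratio=0.5):
    """Map each directory where at least min_hits files, and at least
    min_ratio of all files, carry a suspicious suffix to the number of
    distinct suffixes seen there."""
    total, hits = defaultdict(int), defaultdict(list)
    for path in paths:
        directory, _, name = path.rpartition("/")
        total[directory] += 1
        suffix = suspicious_suffix(name)
        if suffix is not None:
            hits[directory].append(suffix)
    # A per-file random suffix shows up as many distinct values in one directory.
    return {d: len(set(s)) for d, s in hits.items()
            if len(s) >= min_hits and len(s) / total[d] >= min_ratio}


# Constructed sample listing (not taken from a real incident).
SAMPLE = [
    "/srv/share/finance/q1.xlsx.Xk3b", "/srv/share/finance/q2.xlsx.p9TzA",
    "/srv/share/finance/invoice.pdf.mQ7r", "/srv/share/finance/notes.txt",
    "/srv/share/backups/db.sql.gz", "/srv/share/backups/site.zip.bak",
    "/srv/share/hr/cv.docx.a1B2c",
]

if __name__ == "__main__":
    print(flag_directories(SAMPLE))
```

Filename patterns alone produce false positives and do not identify the malware family, so a flagged directory is a prompt to check the indicators of compromise rather than a verdict.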
Conclusion: the ashes of Maze and how to defend against ransomware attacks
The group has claimed to have ceased its activities.
The actual threat of Maze-like infections has not ended, however.
Ragnar Locker seems to be continuing the activities of the original organization. It may have carried out the attack against Campari at the end of last year.
Similar threats, such as Egregor, have been proliferating.
How can you defend against this kind of threat, then?
Encryption and backup of data are key steps to achieving protection in the business and the private spheres alike.
Multi-factor protocols could help, too.
Last but not least, Telsy makes available to its clients the most up-to-date vaccines to deal with the popular versions of the Maze malware.