From targeted spear phishing strategies to insidious malware campaigns, the tactics employed by cybercriminals continue to evolve in step with those who design defences for enterprise networks. In recent years it has become hard to read the news without being hit by a headline regarding ransomware. With demands for ever-increasing amounts of cryptocurrency, groups of threat actors, sometimes referred to as ransomware collectives, are targeting businesses both small and large with attacks designed to coerce payment using theft and threats.

Ransomware effectively steals company data by encrypting information and denying access to its owners. Under threats of releasing confidential material to the public or simply disrupting essential business processes, the hackers extort a ransom from their victims. One name in ransomware has cropped up time and time again recently, employing even bolder methods than its peers and carving out a reputation for itself: Maze.

Who and what is Maze?

A cybercriminal group responsible for the ransomware named after it, Maze was first identified in May 2019 and shows no sign of slowing up its activities, as outlined by its recent attack on IT service giant Cognizant, costing the company over $70m (£55.5m).

Also known under the name ChaCha, Maze was initially observed to be an unexceptional example of ransomware used in online extortion campaigns. However, within six months it had changed its shape, gaining notoriety for more aggressive and public attacks. In November, taking a step previously unseen in almost any malware to date, Maze started to publicly expose its targeted victims. If the companies refused to pay the requested ransom, Maze operators would post their names on an open-to-the-public site, often backing the threat with samples of stolen data as proof of penetration.

Attack campaigns that utilise Maze ransomware commonly impersonate government agencies and other official bodies to encrypt and steal data files before attempting to extort payment from the information’s owner. Typically, Maze is employed as one element of a multi-pronged attack strategy. It has often been observed to appear in either the second or even the third step in such a campaign but is rarely involved in the initial method to obtain access.

How does Maze differ from other types of ransomware?

Ransomware has become more prevalent in the past five years and is now a prominent form of cyberattack. However, experts have noticed that for the most part, ransomware assaults have until now been typically one-dimensional, with threat actors limiting attacks to encrypting data that is local to the targeted environment. Although this can still prove disruptive and problematic for its victims, particularly those without a dedicated IT security team, in many cases ransomware targets have successfully managed to decrypt their company information without conceding to cybercriminal demands.

In this respect, the functionality of Maze goes far beyond what is traditionally expected of ransomware tactics, employing a three-blow combination attack consisting of the “Three E’s” – Encrypt, Exfiltrate and Extort.

The profound difference between Maze and other kinds of ransomware being utilised lies in its capability to extract confidential encrypted data and to extort a payment from its victim. While other ransomware collectives are merely encrypting locally based victim data, actors using Maze can potentially apply far greater pressure to targets by intimidating them with threats of leaking sensitive material.

Threats from Maze should not be taken lightly. Cyber security specialists at Trend Micro have observed that ransomware groups employing Maze have not delivered empty threats. Instances have been confirmed where sensitive data belonging to victims was publicly leaked on dedicated sites online, established for this purpose. Originally rearing its ugly head in December 2019, this tactic comprises leaking and posting parts of confidential files or raw databases owned by victims that refuse to pay the ransom demanded.

The way Maze ransomware works

Varying types of malware will work in different ways, depending on the code they employ that instructs them what tasks to execute. Ultimately, ransomware only requires access to a system in order to work, which makes managing to obtain entry the largest part of its job.

While most other forms of ransomware commonly employ spam campaigns via email or social engineering to obtain illegal access to the targeted system, Maze ransomware instead uses exploit kits in drive-by downloads. An exploit kit is a collection of exploits for known software vulnerabilities that, packaged together, serve as a ready-made toolkit for gaining entry.

While there is nothing new about exploit kits or the use of them, their adoption in the world of ransomware is entirely unheard of except by Maze operators. One such tool employed by Maze is dubbed “Fallout” and is a kit comprising various different exploits identified on GitHub, including the exploit CVE-2018-15982 in Flash Player. Rather than using the web browser to launch its payload, the relatively recent exploit kit Fallout employs PowerShell to drop the payload instead.

After obtaining access to an organisation’s systems, Maze will then encrypt data, locking its owner out. It will then exfiltrate the encrypted data so it can threaten to leak it publicly, and leave a digital note behind for victims so they know how to make the requested payment.

Defending against Maze ransomware attacks

To safeguard themselves against Maze ransomware attacks, there are multiple steps organisations and institutions can take. Establishing offsite backups is essential so that if data is locked off, your firm can still function by restoring the required data if necessary. All your company computers should be employing the latest security solutions and implementing the most up-to-date patches available against any newly discovered vulnerabilities. Multifactor authentication should be put in place, and personnel should be well-trained on the tactics used by threat actors to penetrate companies so they can report suspicious activity.

One of the most effective defences against Maze ransomware attacks is encrypting your sensitive data. That’s why at Galaxkey, we have developed a secure platform for enterprises that is easy to use. With powerful end-to-end encryption whether your data is at rest or on the move, it will always be inaccessible to anyone without the required authorisation.