Share Blog Post
Maze, the infamous ransomware first spotted in May 2019, has been wreaking havoc on organizations around the globe. Cyware has created this resource to collect and share live updates on the latest Maze Ransomware-related alerts, attacks, indicators of compromise (IOCs), and other relevant threat intelligence. We are actively working to keep this page updated and accurate in order to ensure that it is timely and relevant to as many people as possible.
_______________________________________________________________________________________
(September 17, 2020)
Maze ransomware is using a new tactic to evade detection
The Maze ransomware operators have adopted a tactic previously used by the Ragnar Locker gang; to encrypt a computer from within a virtual machine. The virtual machine would mount a host's drives as remote shares and then run the ransomware in the virtual machine to encrypt the share's files.
Source - Bleeping Computer
_______________________________________________________________________________________
(September 12, 2020)
Fairfax County schools targeted by Maze ransomware
Fairfax County Public Schools (FCPS) was recently hit by ransomware according to an official statement. The attack on FCPS was already claimed by the Maze ransomware operators who have already leaked 2% (an archive of roughly 100MB) of what they claim to be data stolen from the Virginia school division's servers.
Source - Bleeping Computer
_______________________________________________________________________________________
(September 3, 2020)
The Leon Fat hit by Maze ransomware
The construction group Leon Grosse has been affected by the Maze ransomware, which has previously been shown to have also raged at Bouygues Construction. The company indicates a gradual return to normal of its IT equipment and services.
Ref - Le Monde Informatique
_______________________________________________________________________________________
(August 26, 2020)
Ransomware attacks doubled with Maze on the top
Cybersecurity firm Seqrite said that ransomware attacks have doubled year-on-year in the first quarter of this financial year to 400,000, largely due to the absence of robust cybersecurity measures. According to the report, the “Maze” has been the top ransomware threat to enterprises in the past one year.
Ref - Economic Times
_______________________________________________________________________________________
(August 26, 2020)
The SunCrypt ransomware revealed more info about the Maze ransomware cartel
Ransomware named SunCrypt has joined the 'Maze cartel,' and with their membership, now these groups are working together. In June, the Maze threat actors created a cartel of ransomware operations to share information and techniques to help each other extort their victims.
Ref - Data Breaches
_______________________________________________________________________________________
(August 26, 2020)
Ventura Orthopedics hit by Maze and Conti-Ryuk ransomware
On August 2, Maze ransomware operators had added Ventura Orthopedics to their leak site. The threat actors also uploaded an archive of files allegedly taken from the practice’s server and claimed it was 5% of the files exfiltrated. Now on Aug. 25, Conti-Ryuk had created a leak site that also listed Ventura Orthopedics as their victims.
Ref - Data Breaches
_______________________________________________________________________________________
(August 24, 2020)
Top VPN bugs exploited used by ransomware gangs
Over the course of 2020, VPNs quickly rose as the new attack vector among ransomware gangs, with Citrix network gateways and Pulse Secure VPN servers being their favorite targets. Per SenseCy, gangs like REvil (Sodinokibi), Ragnarok, DoppelPaymer, Maze, CLOP, and Nefilim have been seen using Citrix systems vulnerable to bug CVE-2019-19781 as an entry point for their attacks.
Ref - ZDNet
_______________________________________________________________________________________
(August 21, 2020)
Hoa Sen Group hit by Maze ransomware operators
A leak disclosure post has been published by the Maze ransomware operators that claim the hack of the Hoa Sen Group. Maze ransomware operators claim to be in possession of the company’s sensitive data and are threatening to release it. They leaked 1.64 GB of files that correspond to 5% of the overall stolen data.
Ref - Securityaffairs
_______________________________________________________________________________________
(August 20, 2020)
“SK Hynix” hit by Maze ransomware crew
The Maze hacker gang claims it has infected computer memory maker SK Hynix with ransomware and leaked some of the files it stole. A 570MB ZIP archive is provided as a download from the Maze site. It is supposedly just five percent of the total amount siphoned from SK Hynix, which suggests 11TB was stolen by the gang after breaking into the corp's networks.
Ref - The Register
_______________________________________________________________________________________
(August 14, 2020)
Maze operators published data stolen from Canon
Canon apparently didn’t pay up as previously believed after it fell victim to a Maze ransomware attack. On the site where Maze leaks data from its conquests, attackers said that they would release five percent of the data stolen from Canon during the late July attack, and a 2.2 GB file labeled STRATEGICPLANNINGpart62.zip has indeed been published.
Ref - SCMagazine
_______________________________________________________________________________________
(August 5, 2020)
Canon hit by Maze ransomware operators
Canon has suffered a ransomware attack that impacts numerous services, including Canon's email, Microsoft Teams, USA website, and other internal applications. The image[.]canon site suffered an outage on July 30, 2020, and over six days, the site would show status updates until it went back in service on August 4. The hackers stole ten terabytes of data and private databases.
Ref - Bleeping Computer
_______________________________________________________________________________________
(August 4, 2020)
Maze group publishes tens of GBs of internal data from LG and Xerox
The operators of the Maze ransomware have published today tens of GB of internal data from the networks of enterprise business giants LG and Xerox following two failed extortion attempts. The hackers leaked 50.2 GB they claim to have stolen from LG's internal network, and 25.8 GB of Xerox data.
Ref - ZDNet
_______________________________________________________________________________________
(July 31, 2020)
Lectra’s data now leaked by Maze operators
Earlier, the Maze ransomware operators allegedly targeted Lectra, a french tech company worth an annual revenue of $329 million. Now, the ransomware group has started to leak its breached data.
Ref - Cyble Inc.
_______________________________________________________________________________________
(July 31, 2020)
Regis Aged Care Pty Ltd. hit by Maze ransomware
Maze ransomware operators allegedly targeted Regis Aged Care Pty Ltd, one of the largest providers of aged care in Australia. The firm worth annual revenue of $449.92 million, and they published a part of the total data leak.
Ref - Cyble Inc.
_______________________________________________________________________________________
(July 28, 2020)
Avenu Insight hit by Maze ransomware
Maze ransomware has breached "Avenu Insight," a data & analytics firm. The firm has a revenue of $26 million, and the total employees are 134. The maze website posted no zip folder as proof, as the proof section was mentioning “coming soon.”
Ref - Twitter
_______________________________________________________________________________________
(July 28, 2020)
“Lectra” hit by Maze ransomware group
Maze ransomware has breached "Lectra," a technology company headquartered in Paris. The firm has revenue: 277 million euros and 1650 employees. It operates in 34 countries with 34 subsidiaries.
Ref - Twitter
_______________________________________________________________________________________
(July 27, 2020)
Haldiram breached by Maze ransomware group
Maze ransomware has breached Haldiram, a chain of Indian food stores. The firm has a revenue of $938 million and 450 employees. The maze website was showing a folder named “DATASHAREONLY.7z.”
Ref - Twitter
_______________________________________________________________________________________
(July 25, 2020)
Strata Plus hit by Maze ransomware group
The Australian strata management company Strata Plus appears to have been hit by a gang using the Maze ransomware that can wreak havoc on Windows systems. The gang has used the Maze website to provide an indication that it has carried out an attack but says proof will only be available later.
Ref - IT Wire
_______________________________________________________________________________________
(July 25, 2020)
Maze operators breached new victims
Maze ransomware breached 3 new victims: Thai Beverage Public Company Limited (Southeast Asia's largest beverage company), Information Connectivity Solutions Limited (provider of premium broadband network infrastructure), and Egypt Yellow Pages Online (online business telephone directory).
Ref - Twitter
_______________________________________________________________________________________
(July 24, 2020)
Three new victims of Maze ransomware
Maze ransomware operators are claiming to have struck several organizations which include Martin Appliance, Florsheim Homes, and Bayley Construction. Maze operators seem to publish their data soon.
Ref - Twitter
_______________________________________________________________________________________
(July 23, 2020)
Maze ransomware attack on VAMontanaHCS affected 1,501 patients
Montana VA Health Care System recently began notifying 1,501 patients that their personal data was exposed through a ransomware attack on the Department of Veterans Affairs' former billing and collections contractor. The billing and collections company reported the incident to HHS on June 26 as affecting a total of 274,837 individuals, which included the 1,501 from Montana.
Ref - Twitter
_______________________________________________________________________________________
(July 23, 2020)
Napa Transportation Inc. hit by Maze ransomware
Maze ransomware group has breached two firms Napa Transportation Inc. (Trucking company in Cumberland County) and Alpha Guardian (provides a full lineup of premium security solutions to include portable cases and steel security cabinets).
Ref - Twitter
_______________________________________________________________________________________
(July 22, 2020)
Walkers Shortbread hit by Maze ransomware
Maze ransomware operators claim to have targeted Walkers Shortbread, Scotland's biggest exporter of food with over 4,000 employees in 15 locations. Currently, Maze operators claim to have uploaded 5% of the total data leak.
Ref - Twitter
_______________________________________________________________________________________
(July 22, 2020)
New victims of Maze ransomware group
Maze ransomware is active again and has come up with 7 new victims: Northern Wholesale Jacitara, Eurofins Scientific, Bazinet Taylor, Walkers Shortbread, the U.S. Auto Parts Network, Inc and Readerlink Distribution Services, LLC.
Ref - Twitter
_______________________________________________________________________________________
(July 22, 2020)
Readerlink Distribution Services hit by Maze operators
Maze ransomware operators claim to have struck Readerlink Distribution Services, North America’s largest full-service book distributor. Maze group indicated that it will publish the company's data soon.
Ref - Twitter
_______________________________________________________________________________________
(July 22, 2020)
Eurofins Scientific hit by Maze ransomware group
Eurofins Scientific is breached by Maze operators. The firm has over 47k employees and a revenue of 4.5 billion euros. Another firm named “Readerlink Distribution Services'' is also breached by a Maze group.
Ref - Twitter
_______________________________________________________________________________________
(July 18, 2020)
Channel Fusion hit by Maze ransomware
Maze ransomware operators claimed Channel Fusion as a victim. Founded in 2003, Channel Fusion specializes in providing custom channel marketing technology solutions and high touch channel support concierge services.
Ref - Twitter
_______________________________________________________________________________________
(July 18, 2020)
Karmsund Maritime Offshore breached by Maze operators
Maze ransomware group claimed a small fish from Norway as the victim. Maze says proof of a hack on Karmsund Maritime Offshore Supply is coming soon. The firm has 600k dollars as revenue and 3 employees.
Ref - Twitter
_______________________________________________________________________________________
(July 18, 2020)
Cybersoft Technologies Corp hit by Maze ransomware
Maze ransomware crew claimed Cybersoft Technologies Corp as a victim. The ransomware attack could have impacted all clients. Cybersoft Technologies Corporation is an Information Technology Company.
Ref - Twitter
_______________________________________________________________________________________
(July 17, 2020)
New victims of Maze ransomware
Maze ransomware has now leaked 5% data of 5 new victims: Scienter Technologies (Pte) Ltd., Cybersoft Technologies, Karmsund Maritime Offshore Supply AS, and along with two other firms.
Ref - Twitter
_______________________________________________________________________________________
(July 17, 2020)
Lee & Associates, LLC hit by Maze ransomware
Lee & Associates, LLC, that provides commercial real estate services, is now breached by Maze ransomware. The firm has an estimated annual revenue of $300m dollars and more than 1000 employees.
Ref - Twitter
_______________________________________________________________________________________
(July 17, 2020)
Comhar Inc. breached by Maze operators
Comhar Inc. (that serves a spectrum of mental and developmental disabilities) has been breached by the Maze operators and their 5% data was leaked online. The firm is founded in 1975 and headquartered in Philadelphia.
Ref - Twitter
_______________________________________________________________________________________
(July 15, 2020)
“X-Fab” shut down its worldwide production due to Maze infection
The Erfurt-based semiconductor manufacturer “X-Fab” has to shut down its production for two weeks. The reason was, among other things, an infection with the ransomware Maze. Both office IT and wafer production were affected.
Ref - KCBD
_______________________________________________________________________________________
(July 15, 2020)
Japanese organizations started to be targeted by Maze ransomware
Japanese organizations started to be targeted by the two-stage extortion type of ransomware by a group called "MAZE". It steals a copy of data before encrypting the files. It is also called "double blackmail" because it threatens to reveal all the information unless the victim pays the ransom.
Ref - Twitter
_______________________________________________________________________________________
(July 15, 2020)
Maze ransomware group started leaking data after three days
Maze ransomware is keeping its word and releasing data of companies after a maximum of 3 days, no more delays. It released 100% of MJ Brunner data showing that they gained the domain’s admin access. Data seems to be above a hundred gigabytes and contains confidential files & credentials.
Ref - Twitter
_______________________________________________________________________________________
(July 14, 2020)
Tatematsu Mold Works Co Ltd. hit by Maze ransomware
Maze ransomware operators claim to have targeted Tatematsu Mold Works Co Ltd, which has the world's largest mold network support customers. Currently, they claim to have uploaded 5% of the total data leak.
Ref - Twitter
_______________________________________________________________________________________
(July 14, 2020)
Maze ransomware group targets new victims
Maze ransomware operators have published information about 3 new victims: Simply Mail Solutions (a leading cloud solutions provider), Tatematsu Mold Works Co., Ltd. (that manufactures special dies, tools, jigs, and fixtures), and the third as Upland Software (develops enterprise work management software for cloud).
Ref - Twitter
_______________________________________________________________________________________
(July 11, 2020)
Factor One Source FAST Pharmacy hit by Maze ransomware
MAZE ransomware now claimed to breach a pharmacy company. The targeted firm is “Factor One Source FAST Pharmacy” (https://fosrx.com). It has 40+ employees for revenue of $100 million.
Ref - Twitter
_______________________________________________________________________________________
(July 10, 2020)
Maze group announce new tactics in their press release
Maze group has stated in its latest press release that they will now contact partners and regulators after a breach if negotiation failed. They will start publishing after 3 days. No more delays or favors, maze says "we are not psychologist."!
Ref - Twitter
_______________________________________________________________________________________
(July 10, 2020)
Burton Lumber hit by Maze ransomware
Maze ransomware crew claims “Burton Lumber” as a victim. Founded in 1911 and headquartered in Salt Lake City, Utah. Burton Lumber distributes building material and supplies. It has 350 employees and 189m revenue.
Ref - Twitter
_______________________________________________________________________________________
(July 10, 2020)
VOXX International breached by Maze operators
Maze ransomware crew claims to have breached Voxx International. The firm “VOXX International” is a global manufacturer and supplier of automotive and consumer electronic products. It has 885 employees and 507m revenue.
Ref - Twitter
_______________________________________________________________________________________
(July 10, 2020)
Maze operators hacked Argus Management
Maze ransomware claimed Argus Management as a victim. The firm “Argus Management Company”, dba Argus Medical Management, provides physician practice management services in the Greater Long Beach area. It has 300 employees and 76m of revenue.
Ref - Twitter
_______________________________________________________________________________________
(July 10, 2020)
X-FAB GMBH hacked by Maze ransomware crew
Maze ransomware crew claims X-FAB GMBH as a victim. Founded in 1998 in Erfurt, Germany, XFAB offers analog/mixed-signal and MEMS foundry group manufacturing. It has $581m in revenue and 4k employees.
Ref - Twitter
_______________________________________________________________________________________
(July 10, 2020)
BDL Capital Management hacked by Maze operators
Maze ransomware claimed the Paris-based financial service firm BDL Capital as a victim. BDL Capital Management is an AMF-approved company managing two funds invested in listed European equities: BDL Rempart Europe BDL Convictions. It has 21 employees and 4m revenue.
Ref - Twitter
_______________________________________________________________________________________
(July 10, 2020)
TSL Companies breached by Maze group
Maze ransomware crew claims Nebraska-based logistics company TSL as a victim. TSL manages and organizes end-to-end transportation of goods, and is dedicated contact for all operations around the world. It has 18 employees and 3m revenue.
Ref - Twitter
_______________________________________________________________________________________
(July 10, 2020)
MI Metals Inc. hacked by Maze operators
Maze ransomware crew claims MI Metals Inc. as a victim. Founded in 1983 and headquartered in Oldsmar, Florida, MI Metals, Inc. is an aluminum extrusion manufacturing company. It has 120 employees and 100m revenue.
Ref - Twitter
_______________________________________________________________________________________
(July 10, 2020)
Atlanta Computer Group breached by Maze operators
Maze ransomware crew claimed Atlanta Computer Group as a victim. Atlanta Computer Group, Inc. is a Computer & Office Equipment Wholesaler with four companies in the corporate family. It has 35 employees and $9m in revenue.
Ref - Twitter
_______________________________________________________________________________________
(July 10, 2020)
Maze operators breached multiple entities
The maze ransomware group claims to have breached the following entities: BDL Capital Management, Phillips Law Firm, Inc., TSL Companies, and Atlanta Computer Group, Inc. All firms had their 5% data published.
Ref - Twitter
_______________________________________________________________________________________
(July 9, 2020)
A large amount of Xerox’s data leaked by Maze operators
Earlier, Xerox firm was hacked by the Maze ransomware group. Now, the attackers encrypted their data after receiving a copy of the data. Around, 100 GB of data has been leaked from the company, and the attackers are demanding ransom not to release it.
Ref - Twitter
_______________________________________________________________________________________
(July 7, 2020)
Maze ransomware sample contain personal threats and taunts
Strings with personal threats and taunts targeting several researchers in the industry were found embedded into samples of Maze ransomware, analyzed by Sophos Labs in May. Initial samples of Maze were tied to fake websites loaded with exploit kits.
Ref - Twitter
_______________________________________________________________________________________
(July 6, 2020)
De Moya Group, Inc. hit by Maze group
The De Moya Group, Inc, a civil construction company, has been hit by Maze ransomware operators. They leaked phone numbers, fax, and physical location information on their website (where they post and leak data). As proof, they also posted a two zip folder named as work.zip and precom.zip.
Ref - Twitter
_______________________________________________________________________________________
(July 6, 2020)
Unilac SA’s data leaked by Maze operators
Unilac SA, located in Argentina and Industrial Hygiene Services, is breached by Maze ransomware operators. In their attack, several other companies were also affected and their data was leaked on the Maze website.
Ref - Twitter
_______________________________________________________________________________________
(July 4, 2020)
Tri-Boro Construction hit by Maze ransomware
Maze ransomware operators have breached Pennsylvania-based “Tri-Boro Construction” and leaked 5% of their data as a proof of hack. The website where data was leaked, is showing phone number, and address related information. The website was also showing a folder named “Info.zip.”
Ref - Twitter
_______________________________________________________________________________________
(July 4, 2020)
Ptarmigan Media breached by Maze operators
Maze ransomware operators claim Ptarmigan Media as a victim. The “Ptarmigan Media”, the PR company for financial services, has around 109 employees with 144m revenue. The leaked information included phone numbers, physical addresses, email addresses, and client information along with info.zip file.
Ref - Twitter
_______________________________________________________________________________________
(July 3, 2020)
Bennett Automotive Group hit by Maze ransomware
Maze ransomware operators claim to target Bennett Automotive Group, one of the renowned car dealers based in the USA. The leaked information included phone numbers, addresses, and other information.
Ref - Twitter
_______________________________________________________________________________________
(July 3, 2020)
Engineering Consultants Group hit by Maze ransomware
The Engineering Consultants Group, one of the leading engineering consultancy firms, was allegedly targeted by Maze ransomware operators. The leaked information includes phone number, address, fax, and email.
Ref - Twitter
_______________________________________________________________________________________
(July 2, 2020)
Maze ransomware operator leaks data stolen from National Highways Authority of India
Maze ransomware operators have leaked the data of the National Highways Authority of India (NHAI), an autonomous agency of the Government of India. The Maze’s website where the data was posted and leaked was showing two zip folders named as AKGoyalShared.zip and Chairman_Chamdra.zip.
Ref - Twitter
_______________________________________________________________________________________
(July 2, 2020)
Maze operators hit new victims
The maze operators started the publication of compromised data in regards to the following entities: American Osteopathic Association, Medical Management, Inc., and National Highways Authority of India. Only 5% of data of all the hacked entities was leaked according to Maze ransomware operators.
Ref - Twitter
_______________________________________________________________________________________
(July 2, 2020)
Maze ransomware hit the American Osteopathic Association
Maze ransomware operators claim to target the American Osteopathic Association, an organization representing more than 151,000 osteopathic physicians and medical students across the USA.
Ref - Twitter
_______________________________________________________________________________________
(July 1, 2020)
Maze group published screenshots to show that “Xerox Corporation” is hacked
Maze ransomware operators have breached the systems of the Xerox Corporation and stolen files before encrypting them. The company did not disclose the cyberattack, but the Maze ransomware operators have published some screenshots that show that a Xerox domain has been encrypted. One screenshot shows that hosts on “eu.xerox.net,” managed by Xerox Corporation, was hacked.
Ref - Security Affairs
_______________________________________________________________________________________
(June 30, 2020)
National Highways Authority attacked by Maze operators, the company claims no data loss
The National Highways Authority of India (NHAI) said a cyberattack took place on its email server but prompt action resulted in no data loss. As a precaution, the Authority had shut down the server. According to NHAI Chief “, No data loss took place.” NHAI data lake and other systems remained unaffected from this attack.
Ref - IndiaTimes
_______________________________________________________________________________________
(June 30, 2020)
Innotech-Execaire hit by Maze ransomware
Maze ransomware operators allegedly struck Innotech-Execaire Aviation Group, a leading provider of aviation and technical support solutions to business aircraft, and claimed to have uploaded 5% of the total data leaked. The maze website was showing three zip folders; Lean.zip, NDT_Private.zip, and Planning.zip.
Ref - Twitter
_______________________________________________________________________________________
(June 30, 2020)
Maze operators announce the invasion of CPFL networks
Ransomware Maze announces intrusion into the networks of CPFL and other companies. The Maze Ransomware group has declared successful exploitation of many organizations, including CPFL, and has released massive data on a public website. They posted information on their website indicating that the network of the power distribution company CPFL, based in Campinas, SP, has been compromised.
Ref - MinuteodaseGuranca
_______________________________________________________________________________________
(June 30, 2020)
Manson Construction Co. hit by Maze ransomware
Maze ransomware operators have breached Manson Construction Co., a provider of marine construction services. They also breached the Innotech-Execaire Aviation Group, a leading provider of aviation and technical support solutions to business aircraft OEMs, owners, and commercial airlines.
Ref - Twitter
_______________________________________________________________________________________
(June 29, 2020)
VirtualGuard hit byMaze ransomware
Maze ransomware crew claims Nevada-based VirtualGuard as a victim. The firm “VirtualGuard” provides physical security systems and the staff to monitor them. Proofs include accounting information. The website (where leaked data is posted) showing a zip folder named as “Accounting.zip.”
Ref - Twitter
_______________________________________________________________________________________
(June 29, 2020)
OWL Underwriting data leaked by Maze operators
Maze ransomware crew claims “OWL Underwriting” as a victim. OWL has not paid the ransom and Maze is threatening to leak data from the hack. OWL is an MGA and wholesale insurance broker with an international reach in the Marine market. The maze website was showing two zip folders named as Accounting.zip and Common.zip.
Ref - Twitter
_______________________________________________________________________________________
(June 29, 2020)
Ostermeier FZE become a victim of Maze ransomware
Maze ransomware crew claims Ostermeier FZE, a Dubai-base industrial engineering firm, as a victim. Ostermeier FZE has not paid the ransom. So Maze is threatening to leak. Proofs of hack include account info and other docs. The maze website was showing a two zip folder as Docs.zip and Accounts.zip.
Ref - Twitter
_______________________________________________________________________________________
(June 26, 2020)
Caldwell Toyota hit by Maze ransomware
Maze ransomware operators claimed to breach the Caldwell Toyota dealership (@CaldwellToyota). The Maze operators also provided some accounting information as proof for the leaks. The automobile film “Caldwell Toyota” has 251 employees and 48m revenue.
Ref - Twitter
_______________________________________________________________________________________
(June 26, 2020)
Maze operator leaks data after the “WorldNet” refused to pay
The Maze ransomware operators claimed to breach the “WorldNet Telecommunications” (Puerto Rican ISP and Telecom) sometimes ago. At that time they exfiltrated data and encrypted their machines. After that, no ransom was paid so now Maze has leaked the data. They posted a zip file named as “ssn.zip” on their website.
Ref - Twitter
_______________________________________________________________________________________
(June 25, 2020)
Maze ransomware hit Club Fitness franchises in Missouri
Maze team has claimed a few Club Fitness franchises in Missouri as victims. Victims were hacked and encrypted, but no ransom was paid. Now they have leaked some data from the business. The website (where Maze operators publish stolen info) was showing phone numbers and addresses of gym members.
Ref - Twitter
_______________________________________________________________________________________
(June 24, 2020)
Maze gang threatens to publish stolen data after the victim refuses to pay
The Maze ransomware gang has threatened to publish information stolen from “VT San Antonio Aerospace” because its victim refused to pay a demanded ransom. In a "press release" published on its leaks website, Maze raged against victims who refused to play it’s game and cough up vast sums of money to decrypt their illicitly encrypted data.
Ref - TheRegister
_______________________________________________________________________________________
(June 24, 2020)
Maze operators hit three organizations
Maze ransomware operators claim to breach three well-established organizations: WorldNet Telecommunications (located in Puerto Rico), Columbus Metro Federal Credit Union (Federal credit union in Whitehall, Ohio), and Webuild SpA (Italian industrial group). Although, the Twitter handle @AuCyble that posted the screenshots on Twitter, says that it could not confirm the authenticity of these leaks.
Ref - Twitter
_______________________________________________________________________________________
(June 24, 2020)
Maze ransomware published a press release about the reaction on attack
In a Twitter post, the creators of the Maze ransomware published a press release with advice on how victims should react to an attack. The press release of the Maze team was taken up in a Twitter post published by the Shadow Intelligence group, which, among other things, also reports the news of a violation of the electronics giant LG.
Ref - CyberSecurity360
_______________________________________________________________________________________
(June 24, 2020)
Xerox Corporation hit by Maze ransomware
Maze ransomware operators now hit Xerox Corporation, an American corporation that sells print and digital document products and services in more than 160 countries. Along with this attack, two other organizations were also hit identified as “WorldNet Telecommunications”
and “Columbus Metro Federal Credit Union.”
Ref - Twitter
_______________________________________________________________________________________
(June 23, 2020)
Maze ransomware published a press release
Maze Ransomware published a press release in which they explain how victims should pay instead of hiring security companies. As per Maze, spending money by the company to decrypt files themselves would not help them in any case. In the Press Release, Maze detail and talks of their 4 previous targets.
Ref - Twitter
_______________________________________________________________________________________
(June 23, 2020)
Maze operators claimed to breach LG
Maze ransomware official press release claimed that they will soon reveal how the LG company (South Korean multinational electronics company headquartered in Yeouido-dong, Seoul) has lost the source code of its products for a large telecommunications company, which works worldwide.
Ref - Twitter
_______________________________________________________________________________________
(June 23, 2020)
Maze operators showing examples of failed negotiation
Maze ransomware group is specifically detailing about 4 companies (ST engineering, MaxLinear, Conduent, M.J.Brunner) for their failed negotiation and how they lost data. Some of the firms had hired "negotiators" and failed. They also stated that “Conduent is due to a leak but right now there is a lack of time.”
Ref - Twitter
_______________________________________________________________________________________
(June 20, 2020)
Maze operators stole credit card details of Cognizant employees
A ransomware attack targeted Cognizant’s system in April 2020. Now it is revealed that the most critical data that has been stolen by the threat actors are the corporate credit card details of Cognizant. As per reports, there are a few associates whose other kinds of personal information have been exposed and they will be notified directly by June 24, 2020.
_______________________________________________________________________________________
(June 20, 2020)
Mark's Plumbing & Parts hit by Maze ransomware
Mark's Plumbing & Parts is America's is breached by the Maze operators. The affected firm is known to be the largest plumbing parts online retailer with 88m in revenue and 109 employees. The Maze has taken credit for the hack and has leaked 800+MB of proofs, including accounting and business docs.
Ref - Twitter
_______________________________________________________________________________________
(June 20, 2020)
Thailand's provincial electric authority attacked by Maze ransomware
Maze ransomware is claiming to have targeted Thailand's provincial electric authority. They provided proof that includes 8.5GB of compressed documents from the hack and there may be more to come. The website was showing three zip folders named as Manager1.zip, Manager2.zip, and Main6.zip.
Ref - Twitter
_______________________________________________________________________________________
(June 20, 2020)
Namecheap is hosting the Maze group domain
A Twitter user with handle Nordchan (@nordchanman) claimed that popular domain name registrar “Namecheap” is aiding cyber-terrorist gang "MAZE" ransomware in leaking confidential files to the Internet by hosting their domain name mazenews[dot]top.
Ref - Twitter
_______________________________________________________________________________________
(June 18, 2020)
Maze ransomware gang demanded ransom from the wrong company
The Maze ransomware gang has screwed up by targeting a New York design and construction firm named “CSA group”, instead of the Canadian Standards Association (CSA) it was intending to hit. The firms have almost the same name and domains: csagroup[.]com belongs to the New York Agency, while the Canadian standards agency has the domain name csagroup[.]org, which lead to a mixup of names.
Ref - TheRegister
_______________________________________________________________________________________
(June 18, 2020)
Maze operators come up with six new victims
Maze operators have come up with six new victims. Some of the targeted organizations include Wix Way (an automotive company), and Bauhaus Furniture Group (a furniture industry), and four other firms.
Ref - Twitter
_______________________________________________________________________________________
(June 18, 2020)
J W Smith Customs Broker hit by Maze ransomware
J W Smith Customs Broker has been hit with ransomware by Maze ransomware crew. No ransom was paid so Maze is preparing to leak data from the breach. Many logistics companies have been hit by ransomware recently. The maze’s website contained a zip folder named as “AndrewS.zip.”
Ref - Twitter
_______________________________________________________________________________________
(June 18, 2020)
CSA group become a victim of Maze ransomware
Maze ransomware claims standards company CSA group as a victim on their leak site. CSA Group was founded in 1919 to provide product testing and certification. CSA has 1.9b in revenue and 2000 employees. The Maze’s website shows three zip files as part1.zip, part3.zip, and sp_db.zip.
Ref - Twitter
_______________________________________________________________________________________
(June 18, 2020)
New victims of Maze ransomware
Maze operators just targeted new victims. Targeted victims include; Cincinnati Red Dog Pet Resort & Spa (a dog daycare center in Cincinnati), CSA Group (a standards organization), and Midwest Fresh (a food production firm).
Ref - Twitter
_______________________________________________________________________________________
(June 18, 2020)
Readerlink Distribution Services hit by Maze ransomware
Readerlink Distribution Services was hit with Maze ransomware. Now Maze is threatening to leak data if demands of ransom are not fulfilled. The book distributor has more than 2000 employees and over 1B in revenue. The maze’s website was showing four zip folder as Clients.zip, DirectDeposits2018-2020.zip, Clients2.zip, and eBanking.zip.
Ref - Twitter
_______________________________________________________________________________________
(June 16, 2020)
Comwave hit by Maze ransomware
The operators behind the Maze have allegedly struck Comwave, Canada's most affordable telecommunications company. Among the leaked data, there were three zip files named BDocs.zip, BDocs.z01, and BDocs.z02.
Ref - Twitter
_______________________________________________________________________________________
(June 16, 2020)
MaxLinear Inc. breached by Maze operators
Maze ransomware operators have allegedly struck MaxLinear Inc, a well-established American hardware company. The ransomware operators claim to have more than 1TB of the company's sensitive data. Among the leaked data, there were three zip files named as Finance1.zip, Finance1.z01, and Accounting1.zip.
Ref - Twitter
_______________________________________________________________________________________
(June 16, 2020)
Ansen Corporation’s data leaked online
Maze ransomware operators have allegedly struck Ansen Corporation’s, an electronics manufacturing services provider. The firm is located in the U.S and operating since 1982. Along with this breach, two other firms (Comwave and MaxLinear Inc.) were also breached by Maze operators.
Ref - Twitter
_______________________________________________________________________________________
(June 15, 2020)
The city of Knoxville may be hit by Maze ransomware
The city of Knoxville, Tenn. is reeling from a ransomware attack that knocked the city’s network offline and prevented police officers from responding to non-life-threatening traffic crashes. Based on ransomware groups’ current activity levels and past victim profiles, the most likely suspects for this attack are probably Maze, DoppelPaymer, and NetWalker; all of which exfiltrate and publish data.
_______________________________________________________________________________________
(June 12, 2020)
Ragnar group published data hacked by Maze
Just after creating a ransomware cartel with Maze operators, Ragnar group publishes on his portal, the data on the company ST Engineering, which was hacked by the Maze Team. Earlier, the Maze group claimed to have stolen 1.5 TB worth of unencrypted files to pressurize the firm into paying their ransom.
Ref - Twitter
_______________________________________________________________________________________
(June 12, 2020)
Threadstone Advisors hit by Maze ransomware
Ransomware gang, Maze, strikes again. This time, the victim is a US-based independent advisory firm specializing in the consumer and retail sectors. They have a number of big clients including businesswoman and former Spice Girl, Victoria Beckham. Maze’s official Dark Web blog lists Threadstone Advisors, LLC as one of their victims following an attack within the last 24 hours.
Ref - TradingBTC
_______________________________________________________________________________________
(June 10, 2020)
Maze ransomware targets new victims
Maze ransomware published two new victims for Latin America, and again Brazil. The affected electricity sector and government entities exposed sensitive information. The first is Domingos Martins and the second is CPFL Energia SA.
Ref - Twitter
_______________________________________________________________________________________
(June 10, 2020)
RagnarLocker joins Maze ransomware syndicate
The ransomware syndicate created by the operators of the Maze ransomware has added another group to its ranks. The operators of the LockBit ransomware were the first group to join Maze's ransomware syndicate but now another competing ransomware group named RagnarLocker has joined as well.
Ref - BenoKoriesBlog
_______________________________________________________________________________________
(June 10, 2020)
Maze operators posted several new victims
Maze operators again come up with an attack and this time they targeted a big list of firms. They leaked data belongs to Domingos Martins, Daily Thermetrics, John Christner Trucking, FERSPED Inc., Mead O'Brien, Inc., United Enertech, Collabera, Muñoz Engineering P.C., Ahmed Almazrouei Group and many more.
Ref - Twitter
_______________________________________________________________________________________
(June 8, 2020)
Conduent firm hit by Maze ransomware
A multi-billion-dollar IT services firm has become the latest victim of the infamous Maze ransomware group after it appeared to target a widely publicized Citrix vulnerability. The company said that the incident resulted in only “partial interruption” to its services for customers, and an ongoing investigation has been undertaken, by looping in “internal and external security forensics and anti-virus teams.”
Ref - InfoSecurity Magazine
_______________________________________________________________________________________
(June 8, 2020)
Hackers stole confidential information from Westech International.
Cybercriminals have stolen confidential information from Westech International (a defense contractor). Westech International has confirmed that it been breached and that its computers have been encrypted. A number of news outlets are saying Westech International’s computers were encrypted with the MAZE ransomware.
Ref - ReportCyberCrime
_______________________________________________________________________________________
(June 6, 2020)
Maze gang sharing its public shaming website with other groups
The Maze gang has apparently opened its public shaming website to other groups, who are now able to publish their copied data there. There is also similar news from the blackmail crew around REvil. Maze published data on the gang’s own leak website. The group confirmed the cooperation and also announced that it wanted to share its own platform in the ransomware business with another group.
Ref - OwlySec
_______________________________________________________________________________________
(June 5, 2020)
VT San Antonio Aerospace hit by Maze ransomware
The Maze Ransomware gang breached and successfully encrypted the systems of VT San Antonio Aerospace, as well as stole and leaked unencrypted files from the company's compromised devices in April 2020. During the attack, Maze claims to have stolen 1.5 TB worth of unencrypted files to be used as leverage to pressure the ST Engineering subsidiary into paying their ransom.
Ref - BleepingComputer
_______________________________________________________________________________________
(June 4, 2020)
Maze operators breached two firms
MazeRansomware breached two debt collectors, the first is TekCollect (36m) and the second one is AmerAssist (47m). No ransom was paid so they are preparing to leak data exfiltrated from the breach. It could be expected that the leak may contain personally identifiable information (PII).
Ref - Twitter
_______________________________________________________________________________________
(June 4, 2020)
Maze ransomware operators target Conduent Inc. & UNAMIC
As usual Maze ransomware operators add another data breach to their name. In this instance, they breached Conduent Inc & Unamic, which comes in the list of leading information technology and services providers. This data leak includes the company’s insurance documents, Multiple Vehicles Lease Details, Audit Discussion results, along with other stolen data.
Ref - CybleINC
_______________________________________________________________________________________
(June 2, 2020)
LockBit may start leaking data through Maze's leak site
A recent Maze ransomware leak (where they leaked database belonging to “Smith Group”) was provided by LockBit. It seems that Maze and LockBit have enough of a relationship that LockBit may start leaking data through Maze's leak site.
Ref - Twitter
_______________________________________________________________________________________
(June 2, 2020)
Smith group’s data leaked by the maze ransomware operators
The Maze ransomware operators have been on a roll in leaking databases. Recently they, leaked confidential data of around five organizations. Now they have come up with leaking data of another well-established organization. In this instance, they breached Smith Group, which is one of the leading architecture companies around the globe.
Ref - Cybleinc
_______________________________________________________________________________________
(June 2, 2020)
Maze operators dropped seven leaks
Recently maze ransomware operators dropped seven leaks. That's a record high. Here are the victim’s names: Bossini(<1m), Faxon Machining(30m), GCL System Integration Technology(1.2B), Critical Control Energy Services(24m), Seats Inc(338m), Grupo Cocenzo, and Smith Group(256m).
Ref - Twitter
_______________________________________________________________________________________
(June 1, 2020)
Kerr Controls Ltd hit by Maze ransomware
As usual Maze ransomware operators add another data breach (around 3GB data) to their name. In this instance, they breached Kerr Controls Ltd, a well-established wholesale distributor of a leading wholesale distributor of heating, ventilation, air conditioning, and refrigeration (HVACR) materials for residential and commercial markets.
Ref - Cybleinc
_______________________________________________________________________________________
(June 1, 2020)
Maze ransomware developers partnering with other threat actor groups
As MAZE ransomware operates under an affiliate model and is distributed by multiple threat actors, it is able to expand its operations widely across different geographical regions and industry sectors. An affiliate model is a business model where ransomware developers would partner with other threat actor groups who are responsible for distributing the malware and share the profit (via ransom).
Ref - CSA
_______________________________________________________________________________________
(May 29, 2020)
MAZE ransomware working and defense mechanisms
Bitdefender malware researchers have documented how MAZE ransomware works, what defense mechanisms it employs to stay hidden, and how it unleashes its destructive behavior on the target system. The white paper outlines how to defeat the evasion techniques built into the MAZE ransomware.
Source - InfoSecurity Magazine
_______________________________________________________________________________________
(May 29, 2020)
MAZE ransomware introduced the new way to extort victims
An extra way has been introduced by the developers of the Maze ransomware to create leverage against victims of ransomware. To have some leverage over these organizations, the ransomware attackers steal data from the infiltrated system while they deploy their ransomware. They then threaten to publish the data if the victim decides not to pay. Depending on the kind of data, this can be a rather compelling reason to give in.
Source - MalwareBytes
_______________________________________________________________________________________
(May 29, 2020)
Mercury Insurance Group hit by Maze ransomware
Maze ransomware operators have leaked the data from Mercury Insurance Group. More than 300GB of data of several renowned organizations, including AIC Underwriters, Madison Insurance, Accident Insurance, Appalachian Underwriters, American Builders Insurance, Applied Underwriters, Cornerstone Underwriting, and US Administrator Claims was dumped online.
Ref - Twitter
_______________________________________________________________________________________
(May 28, 2020)
RDP is the most common and prominent attack vector used by ransomware actors
Group-IB's whitepaper details that even big-league players like Ryuk, LockerGoga, REvil, MegaCortex, Maze, or Netwalker are using common intrusion methods such as RDP simply because the access to servers with an open port is easy to get from marketplaces. The FBI also stated that RDP is the most common method ransomware actors use for access to the victim network.
Ref - BleepingComputer
_______________________________________________________________________________________
(May 22, 2020)
Banco BCR bank’s data (Part 3) leaked by Maze operators
Maze Ransomware Group has published a new press release addressed to the “Banco BCR” bank where it published credit card details. This leaked data was quoted as part three of the leak that belonged to the “Banco BCR” bank.” The leaked data contained 2GB worth of credit card information.
Ref - Twitter
_______________________________________________________________________________________
(May 21, 2020)
Maze operators targeted several law firms in the last six months
In nearly six months, at least seven law firms have been infiltrated by ransomware. Of the attacks, hacker groups Maze and REvil have taken responsibility for them all. The “Maze” represents an evolution from the old attacks law firms faced. They have adjusted their strategies, by infiltrating original files and backups through remote access “backdoors” and hijacking administrative controls.
Ref - LAW
_______________________________________________________________________________________
(May 20, 2020)
Universal Windows & Door data leaked by Maze operators
Maze operators now leaked data belongs to Universal windows & Door LLC., a Window supplier in Marlborough. Part 1 of leaked data was a pair of zips of random files to show that Maze operators did have some data. Probably lots of client info, employee info, and order info in the full thing.
Ref - Twitter
_______________________________________________________________________________________
(May 20, 2020)
Optimara’s data leaked online by Maze operators
Optimara, a leader in the African Violet business for over 60 years, is targeted by Maze operators. This fresh data leak from the breach is now online. The leaked data includes an access database and domain admin information. The leaked data was compressed in zip folders named as “DomainAdmin.zip” and “Greenmdb.zip.”
Ref - Twitter
_______________________________________________________________________________________
(May 19, 2020)
CERT of the National Cryptologic Center issued a “Maze” Harmful Code Report
The CERT of the National Cryptologic Center (CCN-CERT) has published the CCN-CERT ID-14/20 “Maze” Harmful Code Report. This collects the analysis of the sample of harmful code belonging to the “Maze” family of ransomware, whose objective is to encrypt the files of the infected systems to subsequently request the payment of a ransom in exchange for the decryption tool.
Ref - CCN-CERT
_______________________________________________________________________________________
(May 18, 2020)
Ransomware earlier seen with Maze now targeting healthcare organizations
The FBI has issued a security alert earlier this month (April 2020) about a new ransomware strain named ProLock that has been deployed in intrusions at healthcare organizations. It's been seen before with Ryuk and Maze ransomware strains being installed on computers previously infected with TrickBot, and with DopplePaymer strains being dropped on computers infected with Dridex malware.
Ref - ZDNet
_______________________________________________________________________________________
(May 16, 2020)
Andrew Cross & Co hit by Maze ransomware
Andrew Cross & Co falls into the trap of Maze ransomware operators. In this instance, they breached the database of the company and then leaked their data online. Andrew Cross & Co was been established in the year 1969. It is an independent firm of chartered accountants who today continue to build a reputation for providing excellent advice and first-class service to their business and personal clients alike.
Ref - Cybleinc
_______________________________________________________________________________________
(May 16, 2020)
Maze operators leaked data of Italian architect, American property manager, and an English accountant
Recently, operators of maze ransomware leaked data of Italian architect, an American property manager, and an English accountant. Their data was just leaked on the dark web by the Maze Ransomware crew. The leaked information was mostly PII (Personally Identifiable Information).
Ref - Twitter
_______________________________________________________________________________________
(May 15, 2020)
Maze ransomware targeted Hydro Resources Holding
Once again Maze ransomware operators have been seen in action, and this time they trap a well-known groundwater exploration and production organization. In this instance, they targeted Hydro Resources Holding. Founded in the year 1999, Hydro Resources is uniquely qualified and positioned to provide a comprehensive range of groundwater construction services.
Ref - Cyblenic
_______________________________________________________________________________________
(May 14, 2020)
A security firm revealed a complete timeline of Maze ransomware infection
Based on Cisco Talos Incident Response engagements, a Maze ransomware incident timeline might look like this: Day 0 - 6: initial compromise, Day 7 - 13: additional active reconnaissance, Day 14 - 21: utilizing stolen credentials, Psexec or WMIC is executed on the victim’s domain controllers. It then spreads, taking down the network, creating havoc for the company to deal with.
Ref - TalosIntelligence
_______________________________________________________________________________________
(May 14, 2020)
Banxico and Banco De Costa Rica suffered Maze attack in the same way
Banco de México (Banxico) reported the detection of a possible cyber attack. Although the financial resources of the financial institution were not compromised, there was the theft of information related to the Internet banking systems and interbank transfers. This attack happened in the same way Banco De Costa Rica was attacked by maze ransomware, suggesting that same hackers are behind this attack.
Ref - CiberTip
_______________________________________________________________________________________
(May 14, 2020)
Maze ransomware put pressure on the victims and persuade them to pay the ransom
SophosLabs, a security firm, has made available a new report that deepens the techniques implemented by the Maze ransomware to put pressure on the victims and convince them to pay the ransom. The report also revealed that the total cost for the recovery of encrypted data during a ransomware attack doubles when companies decide to pay the ransom to cybercriminals.
Ref - Comunicati
_______________________________________________________________________________________
(May 13, 2020)
Maze ransomware’s double extortion tactic adopted by other ransomware families
In Nov. 2019, the Maze ransomware began a new tactic of not only demanding a ransom for a decryptor but also demanding a second ransom for not to publish files stolen in an attack. Since then, almost all network-targeting ransomware families such as Maze, Sodinokibi, DopplePaymer, Clop, Sekhmet, Nephilim, Mespinoza, and Netwalker have adopted this practice.
Ref - BleepingComputer
_______________________________________________________________________________________
(May 12, 2020)
Three groups are behind Maze ransomware
Based on their observations, the Mandiant teams of FireEye distinguished three “groups” exploiting Maze, or rather three different profiles of attackers according to their techniques and tactics. One of them refers to the FIN6 group, also called Skeleton Spider. The other two, not disclosed in the report, rely on network services exposed on the Internet, and the use of accounts with compromised identifiers.
Ref - LemaGit
_______________________________________________________________________________________
(May 12, 2020)
Maze ransomware is active for more than a year
It’s been a year since the Maze ransomware gang began its rise to notoriety. Aside from the gang’s adjustments in initial compromise approaches, the Maze group has risen in prominence largely because of its extortion tactics: following through on threats of public exposure of victims’ data in public “dumps” of victims’ stolen data, and offering victim data on cybercrime forums if no payment is made.
Ref - Sophos
_______________________________________________________________________________________
(May 12, 2020)
A Belgian accounting firm attacked by Maze ransomware
The people behind the Maze ransomware, which infects Windows systems, have hit the Belgian firm “HLB.” Numerous documents from the company have been leaked online. These include business contracts, accounts statements, confidential memos, and other general documents. The group's global site appears to be down, indicating that it may have been the avenue for the Maze attack.
Ref - ITWire
_______________________________________________________________________________________
(May 11, 2020)
Pitney Bowes takes hit as the next target of Maze ransomware
The global technology provider Pitney Bowes has been targeted by the Maze ransomware. The Maze group has released screenshots belonging to the company's systems. These screenshots include lists of staff folders, clients, accounts, management policies, training, etc.
Source - iTWire
_______________________________________________________________________________________
(May 10, 2020)
Maze ransomware attacks two US-based enterprises
Two American organizations have been recently targeted by the Maze ransomware operators. One of them is a wire manufacturing company named Southeastern Wire, while the other one is Koller Craft LLC, a manufacturer of manufacturer injection molded plastic components.
Source - IB Times
_______________________________________________________________________________________
(May 10, 2020)
Maze ransomware continues its threatening campaigns
Maze ransomware is usually delivered via spam emails having malicious Exel and Word attachments. But in recent campaigns, it was observed being delivered via exploit kits named Spelevo. It has also been levering vulnerabilities in Flash Player (CVE-2018-15982 and CVE-2018-4878), Internet Explorer (CVE-2018-8174) and Pulse VPN (CVE-2018-1150)
Source - E Hacking News
_______________________________________________________________________________________
(May 9, 2020)
Maze ransomware’s attack on Cognizant will have an impact for several months
After being targeted by the Maze group, Cognizant is expected to face its aftermaths for several months. Besides the direct losses to the business, the company is also expected to incur some expenses in legal consultancy, investigation, service restoration, and remediation of the breach. Theft of sensitive information targets for mergers and acquisitions, profit and loss reports, as well as medical records, is also expected to have a negative impact on the overall ecosystem of cognizant.
Source - Business Insider
_______________________________________________________________________________________
(May 8, 2020)
An uptick in Maze Ransomware Samples Observed Across Multiple Industries
A threat assessment post was prepared by Palo Alto Networks for the recent Maze ransomware activities. According to this, the ransomware is usually distributed via emails containing weaponized Word or Excel attachments. But recently, it has also been distributed via exploit kits such as the Spelevo Exploit Kit, using a variety of vulnerabilities.
Source - Palo Alto Networks
_______________________________________________________________________________________
(May 8, 2020)
What Cyber Security Companies like FireEye Are Learning From Maze Ransomware
According to the forensic data collected from recent incidents, Maze group is not a single group but a series of distinct teams, each having different specialties. One team is involved in developing the malware, another distributes it and, when the victim pays a ransom, the developers get a commission.
Source - CyberScoop
_______________________________________________________________________________________
(May 8, 2020)
Maze Ransomware Obfuscation Techniques Detailed Out
The obfuscation techniques used by the Maze DLL have been revealed. Usually, the Maze ransomware is in DLL form and loaded into memory through a loader component. It uses several obfuscation techniques, including hidden API calls with opaque predicates, hidden return with push + JMPs EAX (WinApi), hidden ‘memcpy’ calls, fake calls and opaque predicates with intermediate jumps and junk code.
Source - Blueliv
_______________________________________________________________________________________
(May 8, 2020)
Maze Ransomware costs Cognizant $50-$70 million in Q1
After being hit with the Maze ransomware, Cognizant expects a negative impact on its business. After knowing about the ransomware attack, some of the company's clients opted to suspend the access to Cognizant's network. The company’s revenues are expected to the reduced by $50-$70 million, and the remediation costs could spread beyond Q2.
_______________________________________________________________________________________
(May 7, 2020)
Maze Ransomware - the biggest data threat to organizations
Maze ransomware has been targeting organizations since its inception in May 2019. Any the victim company’s choice to pay the ransom depends upon factors like the cost of loss of trade secrets, damage to the brand image, possible lawsuits, and imposition of fines, etc. In the time of this pandemic, ransomware like Maze poses a massive disruption to some of the vital services like healthcare.
Source - ForumIAS
_______________________________________________________________________________________
(May 7, 2020)
MAZE Claims Ransomware targets US Egg Supplier Sparboe
The Maze group has published data on its shaming website, which it claims to belong to the Minnesota egg supplier Sparboe. According to Maze, Sparboe’s system was attacked on May 1, 2020, and the threat group had shared a zip file of data-carrying information on current and former employees as proof.
Source - Infosecurity Magazine
_______________________________________________________________________________________
(May 7, 2020)
TTPs Associated With MAZE Ransomware Incidents Disclosed
Since November 2019 more than 100 alleged MAZE victims reported by various media outlets and on the MAZE website. Victims are primarily based in North America, and belong to almost every industry sector. Initially, MAZE ransomware was distributed directly via exploit kits and spam campaigns, and later adopted deploying the ransomware post-compromise methodology.
Source - Fireeye
_______________________________________________________________________________________
(May 6, 2020)
Maze Ransomware Group Hacks Two Plastic Surgeons
The Maze group recently took credit for hacking a plastic surgeon named Kristin Tarbet, as well as the Ashville Plastic Surgery Institute. The hackers have already leaked highly sensitive data, patient’s social security numbers, and other sensitive information, belonging to Kristin Tarbet.
_______________________________________________________________________________________
(May 6, 2020)
Maze Ransomware Operators enhance their strategies
Maze ransomware operators recently revealed the group's inner workings about how they pressurize their victims into paying the ransom. In Jan 2020, the Maze group was the first one to use the “shaming” website to leak to stolen data in case their ransom demand is not met. Maze group now looks for data to cause reputational and regulatory harm to their victims.
Source - DarkReading
_______________________________________________________________________________________
(May 6, 2020)
Dakota Carrier Network data leaked by Maze Group
A few days ago, Maze ransomware gang had hacked and encrypted the information from Dakota Carrier Network (DCN)'s customer network. When DCN refused to pay the ransom amount, hackers published stolen information from DCN online.
Source - KFYR-TV
_______________________________________________________________________________________
(May 6, 2020)
Maze group threaten to release 11m card numbers from Banco CBR
The Maze ransomware group claims that it has obtained around 11m card numbers from the Banco BCR bank, and has again threatened to leak the sensitive details. The group has already publicly disclosed the complete information about the bank’s internal networks as a proof of hack. Next, it threatens to publish the details about the bank’s internal processing operations.
Source - ITWire
_______________________________________________________________________________________
(May 5, 2020)
Maze Ransomware attacks the labs and hospitals fighting Coronavirus
During the early stages of Covid-19, several hacking groups had pledged not to target hospitals and medical organizations. But the Hammersmith Medicines Research, that was researching the vaccines, was being targeted by the Maze ransomware. Maze had also targeted the Affordacare Urgent Care Clinic at the beginning of April 2020.
Source - Tripwire
_______________________________________________________________________________________
(May 5, 2020)
Maze Ransomware Yara rules published
A Twitter user with the handle ‘@kgbuquerin’ has posted a Yara rule to detect maze ransomware. The Yara rule includes several hashes and strings associated with Maze ransomware.
Source - Twitter
_______________________________________________________________________________________
(May 5, 2020)
Toll Group & AFFCO struck cyber threat
The Australian transportation and logistics company Toll Group and New Zealand meat company Affco has been hit with a ransomware attack. Due to the attack, Toll Group was having trouble with its email system, while Affco has had problems with its payroll and ability to receive orders. In March 2020, Toll Group was targeted by the Maze ransomware, and it is thought to be the threat this time again.
Source - Newsroom
_______________________________________________________________________________________
(May 5, 2020)
Maze Group leaks more information after Banco BCR ignores them
According to the images posted by Twitter handle ‘@Bank_Security’, the Maze group has posted another press release, stating that Banco BCR ha still not taken any action against the data security even after a repeated warning. The post also says that by doing this, the company is ignoring and may be violating the PCI-DSS norms.
Source - Twitter
_______________________________________________________________________________________
(May 4, 2020)
Techniques used by the ransomware Maze disclosed
The new research details out the control flow flattening, along with the obfuscation techniques and opaque predicates used by a Maze loader sample. The ransomware Maze is usually seen in DLL form, and it is loaded into memory through a loader containing the encrypted DLL.
Source - Security Boulevard
_______________________________________________________________________________________
(May 4, 2020)
Ransomware like Maze causing 15 Days of Electronic Healthcare (EHR) Downtime
The average ransom amount paid by the organizations targeted by ransomware has jumped 33 percent to nearly $112,000 between the last quarter of 2019 and the first quarter of 2020. Ransomware like Sodinokibi, DopplePaymer, Ryuk, and Maze are causing 15 days of EHR downtime. The median ransom payment reached $44,021 in Q1, up slightly from Q4.
Source - Healthitsecurity
_______________________________________________________________________________________
(May 3, 2020)
Maze Ransomware details and attack summary
Some details about the Maze ransomware, along with a brief summary of the recent attacks, have been published. According to this, Maze ransomware had attacked the IT Giant Cognizant, but the company has not revealed any details about when and how exactly the attackers invaded the networks.
Source: Sesin
_______________________________________________________________________________________
(May 2, 2020)
Maze Ransomware Attacks Network Service Provider
Dakota Carrier Network (DCN) has suffered a Maze ransomware attack in April. Hackers had stolen some DCN administrative data and published it on the Web. But the company’s fiber-optic network was apparently not impacted by the attack.
Source - MSSPAlert
_______________________________________________________________________________________
(May 1, 2020)
Maze Ransomware attack on Cognizant may impact customers
Cognizant had admitted being targeted by Maze ransomware a few days ago, and now the company says it is in communication with its customers about the preventive measures, and sharing the indicators of compromise (IOCs) and other technical information to be used for defensive purposes.
Source - CPOMagazine
_______________________________________________________________________________________
(May 1, 2020)
Maze Ransomware uses complex obfuscated control flow
Crowdstrike has come up with a deep technical analysis on the Maze ransomware, detailing the obfuscated control flow and IDA navigation bar of the Maze binary. It also provides information about the usage of jump instructions and the opcodes by the ransomware developers for obfuscation.
Source - Crowdstrike
_______________________________________________________________________________________
(May 1, 2020)
Updates about how Maze ransomware targeted Hammersmith Medicines Research
In March 2020, Hammersmith Medicines Research was attacked by the Maze Team, and its data was locked out. At that time, HMR duly notified research volunteers about the breach. But the recent audit trail shows that the entire volunteer database was not accessed by the hackers. Only the visitors who had attended a screening visit were impacted by the breach.
Source - DataBreaches
_______________________________________________________________________________________
(May 1, 2020)
Maze ransomware team claim to hack Banco BCR
Maze ransomware team claim to have gained access to Banco BCR's network in Feb 2020, to gain access to the transaction system and steal 11 million credit card details. As a proof, they had posted around 240 credit card numbers (removing lasts four digits), along with expiration date and CVV numbers.
Source - Bleepingcomputer
_______________________________________________________________________________________
(May 1, 2020)
Maze ransomware operators warn Banco BCR
A Tweet posted by Cyble suggests that in Feb 2020, Maze Team was able to breach the internal networks of Banco BCR, and had held over 11 million credit card credentials belonging to 140,000 US citizens. According to the Tweet, in August 2019 also, Maze Team had breached the security of Banco BCR and accessed the payment processing systems. But Banco BCR did not update their security, leading to this hack.
Source - Twitter
_______________________________________________________________________________________
(May 1, 2020)
Maze ransomware crew stole 11 Million credit cards in Feb 2020
According to a post made by the user ‘Under the Breach’, during the month of Feb 2020, Maze ransomware group had stolen 11,000,000 credit cards, 4,000,000 of which were unique. Out of these, 140,000 records belong to US citizens.
_______________________________________________________________________________________
(April 27, 2020)
More IOCs for Maze ransomware disclosed by a researcher
A Twitter user with the handle ‘@surajeet_ghosh’ has posted some Indicator of Compromise (IOCs) related to Maze ransomware. These IOCs include MD5 hash and few URLs related to the Maze ransomware.
Source - Twitter
_______________________________________________________________________________________
(April 29, 2020)
Detailed technical analysis of Maze ransomware
A detailed technical analysis of the Maze ransomware has been published. It provides a telemetry map of recently targeted victim countries and also shows how Maze developers are disabling disassemblers and using pseudocode plugins to make the analysis yet more complex. It also covers IOCs and Yara rules to detect and prevent Maze attacks.
Source - Marketerintel
_______________________________________________________________________________________
(April 29, 2020)
Maze and other ransomware strikes more healthcare organizations
The King of Prussia, PA-based pharmaceutical company ExecuPharm recently disclosed that it had experienced a Maze ransomware attack in March. Some company information, as well as the personal data of employees, has also been accessed and exfiltrated by the attackers. Besides, Brandywine Counselling and Community Services in Delaware and the Parkview Medical Center in Pueblo, Colorado, were also impacted by unknown ransomware attacks.
Source - Hipaajournal
_______________________________________________________________________________________
(April 28, 2020)
How to reduce ransomware risk - Microsoft Threat Protection Intelligence Team
Microsoft Threat Protection Intelligence Team provided an analysis of various active ransomware threats, including Maze. It also suggests some immediate response actions to be taken by organizations during active attacks, and ways of developing security hygiene to defend networks against human-operated ransomware.
Source - Microsoft
_______________________________________________________________________________________
(April 28, 2020)
Ransomware payments increase by 33% in Q1 2020, as Maze and Sodinokibi proliferate
Cyber attack trends from the first quarter of 2020 indicate that spam attacks related to the COVID-19 outbreak have led to an increase in ransomware attacks across the board. The average ransom payment has increased by 33%. Maze, Sodinokibi, DopplePaymer, and Mespinoza were among the top ransomware variants that exfiltrated data regularly.
Source - Coveware
_______________________________________________________________________________________
(April 28, 2020)
CERT-In issues warning over the ‘Maze’ ransomware
The Indian Computer Emergency Response Team (or CERT-In) recently issued a warning about the Maze ransomware. According to CERT-In, emails and exploit kits are the common delivery methods for ransomware, and it also provided guidelines for preventing the attack from such ransomware attacks.
Source - Sakaltimes
_______________________________________________________________________________________
(April 28, 2020)
Maze ransomware poses 3x risk to businesses
Traditional ransomware locks down the target victim’s data, impacting only the data availability. But the Maze ransomware poses a triple risk, threatening the Availability, Confidentiality, and Integrity, which are the three most important principles of data protection.
Source - Cyberhoot
_______________________________________________________________________________________
(April 27, 2020)
Maze ransomware a significant threat to healthcare
Maze ransomware is turning out to be a significant factor in healthcare attacks. So far, the Maze attacks on the healthcare sector have been observed only through pandemic-related phishing emails, targeting victims via malicious attachments. Interpol has advised to healthcare service providers around the world about threats of Maze attacks.
Source - Barracuda
_______________________________________________________________________________________
(April 27, 2020)
New IOCs for Maze ransomware disclosed by a researcher
A Twitter user with the handle ‘@surajeet_ghosh’ has posted some Indicator of Compromise (IOCs) related to Maze ransomware. These IOCs include MD5 file hashes and IP Addresses associated with the Maze ransomware.
_______________________________________________________________________________________
(April 27, 2020)
Details about Maze ransomware attacks revealed
A report has been published, providing information about the recent attacks by Maze ransomware. Besides the details about the attack, the report also provides some IOCs related to the Maze ransomware.
Source - ITCSecure
_______________________________________________________________________________________
(April 24, 2020)
Cognizant hit by Maze ransomware - Deep technical analysis
CyberInt has released a detailed report with key findings, technical analysis, and Mitre Mappings for the Maze Ransomware’s attack on Cognizant last Friday. Technical analysis includes details about all the files and DLLs used by cybercriminals during the attack, along with their IOCs.
Source - Cyberint
_______________________________________________________________________________________
(April 23, 2020)
Detailed guidelines for defending against Maze ransomware
Quick Heal Technologies Ltd. has come up with a guidebook for prevention against the deadly Maze ransomware. Besides the guidelines for patching against the targeted vulnerabilities in IE and Adobe Flash player, it also points out the precautionary measures for users & privileges security, network, and shared folder security, email security, secure browsing, backups as well as employee training.
Source - Quickheal
_______________________________________________________________________________________
(April 23, 2020)
Some employees of Cognizant lost email access after Maze attack
Cognizant’s internal directory was deleted after the Maze ransomware attack, leading to a communications loss inside and outside the company, limiting some workers from contacting customers. Following the attack, the software used to communicate across its system was cut off, leaving sales teams with no means of communicating customers, and customers with no means of reaching sales teams.
Source - CRN
_______________________________________________________________________________________
(April 23, 2020)
New IOC hashes of Maze ransomware revealed
An Alien Vault portal user with the handle ‘nsmteam’ has posted Indicator of Compromise (IOCs) related to Maze ransomware. These IOCs include MD5 file hashes, that were posted on the Alien Vault portal.
_______________________________________________________________________________________
(April 23, 2020)
Known URLs of Maze ransomware disclosed
An Alien Vault portal user with the handle ‘nsmteam’ has posted Indicator of Compromise (IOCs) related to Maze ransomware. These IOCs include URLs, that were posted on the Alien Vault portal.
_______________________________________________________________________________________
(April 23, 2020)
Maze ransomware was lurking in Cognizant networks for weeks
Maze hit IT services provider Cognizant last week, but it's likely the malware was lurking in the networks for weeks. While an investigation is underway, there's no way of knowing whether Maze's operators will publish stolen files. The liability of a data breach is dangling over Cognizant and its clients.
Source - CioDive
_______________________________________________________________________________________
(April 22, 2020)
Maze Group targets 12 new victims
As per a Twitter post by the user ‘Under the Breach’, Maze ransomware group has updated his website with 12 new victims, mostly insurance companies. The victims, according to the Twitter posts, include US Administrator Claims, LLC, RCSOnlinePrograms, Madison Insurance Group, Jackson Plaza, Applied Underwriters, Inc. American Builders Insurance Company, Appalachian Underwriters, AEGPEO, AIC Underwriters, LLC, Accident Insurance Company, Inc., and 1itp.
Source - Twitter
_______________________________________________________________________________________
(April 22, 2020)
Prediction on Maze Ransomware-Hosting Infrastructure
Some new IOCs have been revealed, which are thought to be associated with the Maze Ransomware. These are suspected to be used by the Threat Actor TA2101 for recent attacks
Source - Alienvault
_______________________________________________________________________________________
(April 21, 2020)
Defending Against Maze Ransomware
Cyber Security company Seqrite recently released a detailed guide about prevention from Maze ransomware. It covered the use of exploit kits (Fallout EK, Spelevo EK) as well as some Adobe Flash player and Internet Explorer vulnerabilities (e.g. CVE-2018-8174, CVE-2018-4878, and CVE-2018-15982).
Source - Seqrite
_______________________________________________________________________________________
(April 21, 2020)
Cognizant still assessing the damage due to Maze attack
Cognizant said that it is still working with third-party security consultants and law enforcement officials to assess the damage done by the ransomware attack on Friday. In the early stages of assessment, they have shared the available indicators of compromise and other technical information of a defensive nature with the assessing officers.
Source - InfoRiskToday
_______________________________________________________________________________________
(April 21, 2020)
Maze ransomware Command and Control Services identified
An Alien Vault portal user with the handle ‘nsmteam’ has posted Indicator of Compromise (IOCs) related to Maze ransomware. These IOCs include the command and control (C2) servers, that were posted on the Alien Vault portal.
_______________________________________________________________________________________
(April 21, 2020)
Maze ransomware attack on Cognizant’s may affect its revenue
The ransomware attack on Cognizant can affect its revenue and going to cause disruption in parts of its business process. Many experts believe that attackers behind Maze ransomware trying to gain backdoor access to the MSPs so they can benefit more by asking big ransom.
Source - BusinessInsider
_______________________________________________________________________________________
(April 20, 2020)
Maze Ransomware Update: Extorting and Exposing Victims
In a recent attack on Cognizant, Maze campaign included a signed DLL payload (kepstl32.dll), and dropped a copy of the ransom instructions “DECRYPT-FILES.txt”. Maze ransomware then deletes the shadow copies via WMIC.exe. Relevant Digital Signature details were also revealed in the report.
Source - Sentinelone
_______________________________________________________________________________________
(April 19, 2020)
McAfee provides insights and IOCs for Maze ransomware
McAfee has released a detailed analysis of Maze ransomware. The security firm released a blog, with a detailed analysis of recent samples related to the Maze ransomware along with all indicators of compromise, and recommendations to help protect the network environment.
Source - Mcafee
_______________________________________________________________________________________
(April 19, 2020)
Maze operators are continuously using the same PDB string
A tweet by security researcher Vitali Kremez disclosed that operators behind the Maze ransomware continue to use the PDB string as messages with the Cognizant signed loader DLL variant. The signed DLL is mocked as: “Digital Cert->[GO ONLINE d.o.o.] #Sectigo.” Along with this DLL, the associated sample PDB string message ("C:\Wuhan\lab\coronashit.pdb") was also revealed.
Source - Twitter
_______________________________________________________________________________________
(April 18, 2020)
The same PDB string was used by Maze ransomware in earlier COVID-19 related attack
The malware sample used in the Cognizant attack was having a PDB string message as follows: "C:\Wuhan\lab\coronashit[.]pdb." This PDB string was signed by the same signer who used to sign other samples too, which were related to "Suspicious COVID 19 maps - hacked sites." The signed Maze dll sample kepstl32[.]dll was also uploaded by the researcher.
Source - Twitter
_______________________________________________________________________________________
(April 18, 2020)
Cognizant hit by 'Maze' ransomware attack
Cognizant Technology Solutions Corp said that it was hit by a “Maze” ransomware cyberattack, resulting in service disruptions for some of its clients. When first reported, the Maze operators had denied responsibility for the cyberattack. But it is assumed that the Maze operators are likely not discussing it at this early stage to avoid complications during the potential ransom repayment.
Source - Bleepingcomputer
_______________________________________________________________________________________
(April 18, 2020)
MalwareHunterTeam reveals cyberattack on Cognizant
Security Researcher Vitali Kremez’s Twitter account (@VK_Intel) posted an alert regarding ransomware attack carried out by the Maze group possibly affecting the IT giant Cognizant. A Github repository link with YARA rules was attached to the tweet. The tweet mentioned remote services as an attack vector used by cybercriminals behind Maze ransomware.
Souce - Twitter
_______________________________________________________________________________________
(April 18, 2020)
MalwareHunterTeam reports phishing attack on Cognizant’s employee
On Feb 1, 2020, the Twitter account of MalwareHunterTeam posted a tweet saying that one of the employees of Cognizant Technology Solutions Corp. had fallen victim to a phishing attack. The MalwareHunterTeam also suggested the employees check out the “I Got Phished” service.
Source - Twitter
_______________________________________________________________________________________
(April 18, 2020)
MalwareHunterTeam’s reminder to Cognizant
On 14 Feb 2020, another tweet was published MalwareHunterTeam, talking about no handler being assigned on ‘I Got Phished’ for Cognizant. Soon after this second tweet, someone from Cognizant registered and got the information about someone getting targeted and hacked via Phishing Attack.
Source - Twitter
_______________________________________________________________________________________
(April 14, 2020)
Maze ransomware targets two Manitoba law firms
Two unnamed law firms in Manitoba province in Canada were targeted by the Maze ransomware attack. Work at these two Manitoba law firms was put on standstill after cyberattacks left their staff without access to their computer systems, locking out digital files, emails and data backups.
Source - CBC
_______________________________________________________________________________________
(April 8, 2020)
Hammersmith Medicines Research’s info leaked by Maze operators
Hammersmith Medicines Research LTD (HMR), the drug testing firm based in London, disclosed that it was hit by Maze ransomware. The Maze group published some of the stolen files on their “leak site,” after the research firm refused to pay the ransom. The stolen data contained the personal details of volunteers who surnames start with D, G, I, or J.
Source - Security Affairs
_______________________________________________________________________________________
(April 6, 2020)
Groupement Berkine attacked by Maze ransomware
A Petroleum products company, Groupement Berkine, said that it became a victim of Maze ransomware attack on April 1, 2020. The cybercriminals behind this attack were able to steal the entire database including over 500 MB of confidential documents linked to budgets, production quantities, organizational strategies, and other data.
Source - HackRead
_______________________________________________________________________________________
(April 1, 2020)
The ‘Affordacare Urgent Care Clinic’ hit by Maze ransomware
A network of medical providers based in Texas, Affordacare Urgent Care Clinic, disclosed a combination of a data breach and ransomware attacks that exposed sensitive information. The ransomware behind this attack was Maze, and attackers had also leaked the stolen documents containing the patient info.
Source - ScMagzine
_______________________________________________________________________________________
(March 23, 2020)
COVID-19 Vaccine Test Center targeted By Cyber Attack
Hammersmith Medicines Research, a medical facility on standby to help test any coronavirus vaccine has been hit by a ransomware group that promised not to target medical organizations. The criminals behind the Maze ransomware attacks have struck again, stealing data from a victim and then publishing it online to get them to pay the ransom demanded.
Source - Forbes
Tags
Posted on: April 20, 2020
More from Cyware
Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.
The Virtual Cyber Fusion Suite
