Live Updates: Maze Ransomware Attacks


Maze, the infamous ransomware first spotted in May 2019, has been wreaking havoc on organizations around the globe. Cyware has created this resource to collect and share live updates on the latest Maze Ransomware-related alerts, attacks, indicators of compromise (IOCs), and other relevant threat intelligence. We are actively working to keep this page updated and accurate in order to ensure that it is timely and relevant to as many people as possible.

_______________________________________________________________________________________

(August 5, 2020)


Canon hit by Maze ransomware operators 

Canon has suffered a ransomware attack that impacts numerous services, including Canon's email, Microsoft Teams, USA website, and other internal applications. The image[.]canon site suffered an outage on July 30, 2020, and over six days, the site would show status updates until it went back in service on August 4. The hackers stole ten terabytes of data and private databases.


_______________________________________________________________________________________

(August 4, 2020)


Maze group publishes tens of GBs of internal data from LG and Xerox

The operators of the Maze ransomware have published today tens of GB of internal data from the networks of enterprise business giants LG and Xerox following two failed extortion attempts. The hackers leaked 50.2 GB they claim to have stolen from LG's internal network, and 25.8 GB of Xerox data.

Ref - ZDNet

_______________________________________________________________________________________

(July 31, 2020)


Lectra’s data now leaked by Maze operators

Earlier, the Maze ransomware operators allegedly targeted Lectra, a French tech company with an annual revenue of $329 million. Now, the ransomware group has started to leak the breached data.


_______________________________________________________________________________________

(July 31, 2020)


Regis Aged Care Pty Ltd. hit by Maze ransomware

Maze ransomware operators allegedly targeted Regis Aged Care Pty Ltd, one of the largest providers of aged care in Australia. The firm has an annual revenue of $449.92 million, and the operators have published part of the total data leak.


_______________________________________________________________________________________

(July 28, 2020)


Avenu Insight hit by Maze ransomware

Maze ransomware has breached "Avenu Insight," a data & analytics firm. The firm has a revenue of $26 million and 134 employees. The Maze website posted no zip folder as proof; its proof section read “coming soon.”

Ref - Twitter

_______________________________________________________________________________________

(July 28, 2020)


“Lectra” hit by Maze ransomware group

Maze ransomware has breached "Lectra," a technology company headquartered in Paris. The firm has a revenue of 277 million euros and 1,650 employees. It operates in 34 countries with 34 subsidiaries.

Ref - Twitter

_______________________________________________________________________________________

(July 27, 2020)


Haldiram breached by Maze ransomware group

Maze ransomware has breached Haldiram, a chain of Indian food stores. The firm has a revenue of $938 million and 450 employees. The Maze website was showing a folder named “DATASHAREONLY.7z.”

Ref - Twitter

_______________________________________________________________________________________

(July 25, 2020)


Strata Plus hit by Maze ransomware group

The Australian strata management company Strata Plus appears to have been hit by a gang using the Maze ransomware that can wreak havoc on Windows systems. The gang has used the Maze website to provide an indication that it has carried out an attack but says proof will only be available later.

Ref - IT Wire

_______________________________________________________________________________________

(July 25, 2020)


Maze operators breached new victims

Maze ransomware breached 3 new victims: Thai Beverage Public Company Limited (Southeast Asia's largest beverage company), Information Connectivity Solutions Limited (provider of premium broadband network infrastructure), and Egypt Yellow Pages Online (online business telephone directory).

Ref - Twitter

_______________________________________________________________________________________

(July 24, 2020)


Three new victims of Maze ransomware

Maze ransomware operators are claiming to have struck several organizations, including Martin Appliance, Florsheim Homes, and Bayley Construction. Maze operators appear set to publish their data soon.

Ref - Twitter

_______________________________________________________________________________________

(July 23, 2020)


Maze ransomware attack on VAMontanaHCS affected 1,501 patients

Montana VA Health Care System recently began notifying 1,501 patients that their personal data was exposed through a ransomware attack on the Department of Veterans Affairs' former billing and collections contractor. The billing and collections company reported the incident to HHS on June 26 as affecting a total of 274,837 individuals, which included the 1,501 from Montana.

Ref - Twitter

_______________________________________________________________________________________

(July 23, 2020)

Napa Transportation Inc. hit by Maze ransomware

The Maze ransomware group has breached two firms: Napa Transportation Inc. (a trucking company in Cumberland County) and Alpha Guardian (which provides a full lineup of premium security solutions, including portable cases and steel security cabinets).

Ref - Twitter

_______________________________________________________________________________________

(July 22, 2020)


Walkers Shortbread hit by Maze ransomware 

Maze ransomware operators claim to have targeted Walkers Shortbread, Scotland's biggest exporter of food with over 4,000 employees in 15 locations. Currently, Maze operators claim to have uploaded 5% of the total data leak.

Ref - Twitter

_______________________________________________________________________________________

(July 22, 2020)


New victims of Maze ransomware group

Maze ransomware is active again and has come up with 7 new victims: Northern Wholesale Jacitara, Eurofins Scientific, Bazinet Taylor, Walkers Shortbread, the U.S. Auto Parts Network, Inc., and Readerlink Distribution Services, LLC.

Ref - Twitter

_______________________________________________________________________________________

(July 22, 2020)


Readerlink Distribution Services hit by Maze operators

Maze ransomware operators claim to have struck Readerlink Distribution Services, North America’s largest full-service book distributor. Maze group indicated that it will publish the company's data soon.

Ref - Twitter

_______________________________________________________________________________________

(July 22, 2020)


Eurofins Scientific hit by Maze ransomware group

Eurofins Scientific has been breached by Maze operators. The firm has over 47k employees and a revenue of 4.5 billion euros. Another firm, “Readerlink Distribution Services,” has also been breached by the Maze group.

Ref - Twitter

_______________________________________________________________________________________

(July 18, 2020)


Channel Fusion hit by Maze ransomware

Maze ransomware operators claimed Channel Fusion as a victim. Founded in 2003, Channel Fusion specializes in providing custom channel marketing technology solutions and high touch channel support concierge services.  

Ref - Twitter

_______________________________________________________________________________________

(July 18, 2020)


Karmsund Maritime Offshore breached by Maze operators

The Maze ransomware group claimed a small fish from Norway as a victim. Maze says proof of a hack on Karmsund Maritime Offshore Supply is coming soon. The firm has $600k in revenue and 3 employees.

Ref - Twitter

_______________________________________________________________________________________

(July 18, 2020)


Cybersoft Technologies Corp hit by Maze ransomware

Maze ransomware crew claimed Cybersoft Technologies Corp as a victim. The ransomware attack could have impacted all clients. Cybersoft Technologies Corporation is an Information Technology Company.

Ref - Twitter

_______________________________________________________________________________________

(July 17, 2020)


New victims of Maze ransomware 

Maze ransomware has now leaked 5% of the data of 5 new victims: Scienter Technologies (Pte) Ltd., Cybersoft Technologies, and Karmsund Maritime Offshore Supply AS, along with two other firms.

Ref - Twitter 

_______________________________________________________________________________________

(July 17, 2020)


Lee & Associates, LLC hit by Maze ransomware

Lee & Associates, LLC, which provides commercial real estate services, has now been breached by Maze ransomware. The firm has an estimated annual revenue of $300m and more than 1,000 employees.

Ref - Twitter

_______________________________________________________________________________________

(July 17, 2020)


Comhar Inc. breached by Maze operators

Comhar Inc. (which serves people with a spectrum of mental and developmental disabilities) has been breached by the Maze operators, and 5% of its data was leaked online. The firm was founded in 1975 and is headquartered in Philadelphia.

Ref - Twitter

_______________________________________________________________________________________

(July 15, 2020)


“X-Fab” shut down its worldwide production due to Maze infection

The Erfurt-based semiconductor manufacturer “X-Fab” had to shut down its production for two weeks. The reasons included an infection with the Maze ransomware. Both office IT and wafer production were affected.

Ref - KCBD

_______________________________________________________________________________________

(July 15, 2020)


Japanese organizations started to be targeted by Maze ransomware

Japanese organizations started to be targeted by the two-stage extortion type of ransomware by a group called "MAZE". It steals a copy of data before encrypting the files. It is also called "double blackmail" because it threatens to reveal all the information unless the victim pays the ransom.

Ref - Twitter

_______________________________________________________________________________________

(July 15, 2020)


Maze ransomware group started leaking data after three days

Maze ransomware is keeping its word and releasing company data after a maximum of 3 days, with no more delays. It released 100% of MJ Brunner's data, showing that the operators had gained domain admin access. The data appears to exceed a hundred gigabytes and contains confidential files and credentials.

Ref - Twitter

_______________________________________________________________________________________

(July 14, 2020)


Tatematsu Mold Works Co Ltd. hit by Maze ransomware

Maze ransomware operators claim to have targeted Tatematsu Mold Works Co Ltd, which supports its customers through the world's largest mold network. Currently, they claim to have uploaded 5% of the total data leak.

Ref - Twitter

_______________________________________________________________________________________

(July 14, 2020)


Maze ransomware group targets new victims

Maze ransomware operators have published information about 3 new victims: Simply Mail Solutions (a leading cloud solutions provider), Tatematsu Mold Works Co., Ltd. (which manufactures special dies, tools, jigs, and fixtures), and Upland Software (which develops enterprise work management software for the cloud).

Ref - Twitter

_______________________________________________________________________________________

(July 11, 2020)


Factor One Source FAST Pharmacy hit by Maze ransomware

MAZE ransomware has now claimed to have breached a pharmacy company. The targeted firm is “Factor One Source FAST Pharmacy” (https://fosrx.com). It has 40+ employees and a revenue of $100 million.

Ref - Twitter

_______________________________________________________________________________________

(July 10, 2020)


Maze group announces new tactics in its press release

The Maze group has stated in its latest press release that it will now contact partners and regulators after a breach if negotiation fails. It will start publishing after 3 days. No more delays or favors; Maze says, "we are not psychologist."

Ref - Twitter 

_______________________________________________________________________________________

(July 10, 2020)


Burton Lumber hit by Maze ransomware

The Maze ransomware crew claims “Burton Lumber” as a victim. Founded in 1911 and headquartered in Salt Lake City, Utah, Burton Lumber distributes building materials and supplies. It has 350 employees and 189m in revenue.

Ref - Twitter

_______________________________________________________________________________________

(July 10, 2020)


VOXX International breached by Maze operators

Maze ransomware crew claims to have breached Voxx International. The firm “VOXX International” is a global manufacturer and supplier of automotive and consumer electronic products. It has 885 employees and 507m revenue.

Ref - Twitter

_______________________________________________________________________________________

(July 10, 2020)


Maze operators hacked Argus Management

Maze ransomware claimed Argus Management as a victim. The firm “Argus Management Company”, dba Argus Medical Management, provides physician practice management services in the Greater Long Beach area. It has 300 employees and 76m of revenue.

Ref - Twitter

_______________________________________________________________________________________

(July 10, 2020)


X-FAB GMBH hacked by Maze ransomware crew

Maze ransomware crew claims X-FAB GMBH as a victim. Founded in 1998 in Erfurt, Germany, XFAB offers analog/mixed-signal and MEMS foundry group manufacturing. It has $581m in revenue and 4k employees.

Ref - Twitter

_______________________________________________________________________________________

(July 10, 2020)


BDL Capital Management hacked by Maze operators 

Maze ransomware claimed the Paris-based financial services firm BDL Capital as a victim. BDL Capital Management is an AMF-approved company managing two funds invested in listed European equities: BDL Rempart Europe and BDL Convictions. It has 21 employees and 4m in revenue.

Ref - Twitter

_______________________________________________________________________________________

(July 10, 2020)


TSL Companies breached by Maze group


The Maze ransomware crew claims Nebraska-based logistics company TSL as a victim. TSL manages and organizes end-to-end transportation of goods and is the dedicated contact for all operations around the world. It has 18 employees and 3m in revenue.

Ref - Twitter

_______________________________________________________________________________________

(July 10, 2020)


MI Metals Inc. hacked by Maze operators 

Maze ransomware crew claims MI Metals Inc. as a victim. Founded in 1983 and headquartered in Oldsmar, Florida, MI Metals, Inc. is an aluminum extrusion manufacturing company. It has 120 employees and 100m revenue.

Ref - Twitter

_______________________________________________________________________________________

(July 10, 2020)


Atlanta Computer Group breached by Maze operators

Maze ransomware crew claimed Atlanta Computer Group as a victim. Atlanta Computer Group, Inc. is a Computer & Office Equipment Wholesaler with four companies in the corporate family. It has 35 employees and $9m in revenue.

Ref - Twitter

_______________________________________________________________________________________

(July 10, 2020)


Maze operators breached multiple entities

The Maze ransomware group claims to have breached the following entities: BDL Capital Management, Phillips Law Firm, Inc., TSL Companies, and Atlanta Computer Group, Inc. 5% of each firm's data has been published.

Ref - Twitter

_______________________________________________________________________________________

(July 9, 2020)


A large amount of Xerox’s data leaked by Maze operators 

Earlier, Xerox was hacked by the Maze ransomware group. The attackers encrypted the company's data after taking a copy of it. Around 100 GB of data has been leaked from the company, and the attackers are demanding a ransom not to release the rest.

Ref - Twitter

_______________________________________________________________________________________

(July 7, 2020)


Maze ransomware samples contain personal threats and taunts

Strings with personal threats and taunts targeting several researchers in the industry were found embedded into samples of Maze ransomware, analyzed by Sophos Labs in May. Initial samples of Maze were tied to fake websites loaded with exploit kits. 

Ref - Twitter 

_______________________________________________________________________________________

(July 6, 2020)


De Moya Group, Inc. hit by Maze group

The De Moya Group, Inc, a civil construction company, has been hit by Maze ransomware operators. They leaked phone numbers, fax numbers, and physical location information on the website where they post and leak data. As proof, they also posted two zip folders named work.zip and precom.zip.

Ref - Twitter

_______________________________________________________________________________________

(July 6, 2020)


Unilac SA’s data leaked by Maze operators

Unilac SA, located in Argentina, and Industrial Hygiene Services have been breached by Maze ransomware operators. In this attack, several other companies were also affected and their data was leaked on the Maze website.

Ref - Twitter

_______________________________________________________________________________________

(July 4, 2020)


Tri-Boro Construction hit by Maze ransomware

Maze ransomware operators have breached Pennsylvania-based “Tri-Boro Construction” and leaked 5% of its data as proof of the hack. The website where the data was leaked shows phone number and address information, along with a folder named “Info.zip.”

Ref - Twitter

_______________________________________________________________________________________

(July 4, 2020)


Ptarmigan Media breached by Maze operators

Maze ransomware operators claim Ptarmigan Media as a victim. “Ptarmigan Media,” a PR company for financial services, has around 109 employees and 144m in revenue. The leaked information included phone numbers, physical addresses, email addresses, and client information, along with an info.zip file.

Ref - Twitter

_______________________________________________________________________________________

(July 3, 2020)


Bennett Automotive Group hit by Maze ransomware

Maze ransomware operators claim to target Bennett Automotive Group, one of the renowned car dealers based in the USA. The leaked information included phone numbers, addresses, and other information.

Ref - Twitter

_______________________________________________________________________________________

(July 3, 2020)


Engineering Consultants Group hit by Maze ransomware

The Engineering Consultants Group, one of the leading engineering consultancy firms, was allegedly targeted by Maze ransomware operators. The leaked information includes phone number, address, fax, and email.

Ref - Twitter

_______________________________________________________________________________________

(July 2, 2020)


Maze ransomware operator leaks data stolen from National Highways Authority of India

Maze ransomware operators have leaked the data of the National Highways Authority of India (NHAI), an autonomous agency of the Government of India. The Maze website where the data was posted and leaked was showing two zip folders named AKGoyalShared.zip and Chairman_Chamdra.zip.

Ref - Twitter

_______________________________________________________________________________________

(July 2, 2020)


Maze operators hit new victims

The Maze operators have started publishing compromised data from the following entities: American Osteopathic Association, Medical Management, Inc., and National Highways Authority of India. According to the Maze ransomware operators, only 5% of each hacked entity's data has been leaked.

Ref - Twitter

_______________________________________________________________________________________

(July 2, 2020)


Maze ransomware hit the American Osteopathic Association

Maze ransomware operators claim to target the American Osteopathic Association, an organization representing more than 151,000 osteopathic physicians and medical students across the USA.

Ref - Twitter

_______________________________________________________________________________________

(July 1, 2020)


Maze group published screenshots to show that “Xerox Corporation” is hacked

Maze ransomware operators have breached the systems of the Xerox Corporation and stolen files before encrypting them. The company did not disclose the cyberattack, but the Maze ransomware operators have published screenshots showing that a Xerox domain has been encrypted. One screenshot shows that hosts on “eu.xerox.net,” managed by Xerox Corporation, were hacked.


_______________________________________________________________________________________

(June 30, 2020)


National Highways Authority attacked by Maze operators, the company claims no data loss

The National Highways Authority of India (NHAI) said a cyberattack took place on its email server but that prompt action resulted in no data loss. As a precaution, the Authority had shut down the server. According to the NHAI Chief, “No data loss took place.” The NHAI data lake and other systems remained unaffected by this attack.


_______________________________________________________________________________________

(June 30, 2020)

Innotech-Execaire hit by Maze ransomware 

Maze ransomware operators allegedly struck Innotech-Execaire Aviation Group, a leading provider of aviation and technical support solutions for business aircraft, and claimed to have uploaded 5% of the total data leaked. The Maze website was showing three zip folders: Lean.zip, NDT_Private.zip, and Planning.zip.

Ref - Twitter

_______________________________________________________________________________________

(June 30, 2020)

Maze operators announce the invasion of CPFL networks

The Maze ransomware group has announced an intrusion into the networks of CPFL and other companies. The group has declared the successful compromise of many organizations, including CPFL, and has released massive amounts of data on a public website. It posted information on its website indicating that the network of the power distribution company CPFL, based in Campinas, SP, has been compromised.


_______________________________________________________________________________________

(June 30, 2020)

Manson Construction Co. hit by Maze ransomware

Maze ransomware operators have breached Manson Construction Co., a provider of marine construction services. They also breached the Innotech-Execaire Aviation Group, a leading provider of aviation and technical support solutions to business aircraft OEMs, owners, and commercial airlines.

Ref - Twitter

_______________________________________________________________________________________

(June 29, 2020)


VirtualGuard hit by Maze ransomware

The Maze ransomware crew claims Nevada-based VirtualGuard as a victim. The firm “VirtualGuard” provides physical security systems and the staff to monitor them. Proofs include accounting information. The website where leaked data is posted was showing a zip folder named “Accounting.zip.”

Ref - Twitter

_______________________________________________________________________________________

(June 29, 2020)


OWL Underwriting data leaked by Maze operators

The Maze ransomware crew claims “OWL Underwriting” as a victim. OWL has not paid the ransom, and Maze is threatening to leak data from the hack. OWL is an MGA and wholesale insurance broker with an international reach in the marine market. The Maze website was showing two zip folders named Accounting.zip and Common.zip.

Ref - Twitter

_______________________________________________________________________________________

(June 29, 2020)


Ostermeier FZE becomes a victim of Maze ransomware

The Maze ransomware crew claims Ostermeier FZE, a Dubai-based industrial engineering firm, as a victim. Ostermeier FZE has not paid the ransom, so Maze is threatening to leak its data. Proofs of the hack include account information and other documents. The Maze website was showing two zip folders, Docs.zip and Accounts.zip.

Ref - Twitter

_______________________________________________________________________________________

(June 26, 2020)


Caldwell Toyota hit by Maze ransomware

Maze ransomware operators claimed to have breached the Caldwell Toyota dealership (@CaldwellToyota). The Maze operators also provided some accounting information as proof of the leak. The automobile firm “Caldwell Toyota” has 251 employees and 48m in revenue.

Ref - Twitter

_______________________________________________________________________________________

(June 26, 2020)


Maze operators leak data after WorldNet refused to pay

The Maze ransomware operators claimed to have breached “WorldNet Telecommunications” (a Puerto Rican ISP and telecom) some time ago. At that time they exfiltrated data and encrypted its machines. Since no ransom was paid, Maze has now leaked the data, posting a zip file named “ssn.zip” on its website.

Ref - Twitter

_______________________________________________________________________________________

(June 25, 2020)

Maze ransomware hit Club Fitness franchises in Missouri 

Maze team has claimed a few Club Fitness franchises in Missouri as victims. Victims were hacked and encrypted, but no ransom was paid. Now they have leaked some data from the business. The website (where Maze operators publish stolen info) was showing phone numbers and addresses of gym members.

Ref - Twitter

_______________________________________________________________________________________

(June 24, 2020)

Maze gang threatens to publish stolen data after the victim refuses to pay

The Maze ransomware gang has threatened to publish information stolen from “VT San Antonio Aerospace” because the victim refused to pay the demanded ransom. In a "press release" published on its leaks website, Maze raged against victims who refuse to play its game and cough up vast sums of money to decrypt their illicitly encrypted data.


_______________________________________________________________________________________

(June 24, 2020)

Maze operators hit three organizations

Maze ransomware operators claim to have breached three well-established organizations: WorldNet Telecommunications (located in Puerto Rico), Columbus Metro Federal Credit Union (a federal credit union in Whitehall, Ohio), and Webuild SpA (an Italian industrial group). However, the Twitter account @AuCyble, which posted the screenshots, says it could not confirm the authenticity of these leaks.

Ref - Twitter

_______________________________________________________________________________________

(June 24, 2020)

Maze ransomware published a press release about the reaction on attack

The creators of the Maze ransomware published a press release with advice on how victims should react to an attack. The Maze team's press release was picked up in a Twitter post by the Shadow Intelligence group, which, among other things, also reported news of a breach of the electronics giant LG.



_______________________________________________________________________________________

(June 24, 2020)

Xerox Corporation hit by Maze ransomware

Maze ransomware operators have now hit Xerox Corporation, an American corporation that sells print and digital document products and services in more than 160 countries. Along with this attack, two other organizations were also hit, identified as “WorldNet Telecommunications” and “Columbus Metro Federal Credit Union.”

Ref - Twitter

_______________________________________________________________________________________

(June 23, 2020)


Maze ransomware published a press release

Maze ransomware published a press release in which the operators explain that victims should pay rather than hire security companies. According to Maze, money spent by a company on decrypting files itself would not help it in any case. In the press release, Maze details its 4 previous targets.

Ref - Twitter

_______________________________________________________________________________________

(June 23, 2020)


Maze operators claimed to breach LG

Maze ransomware official press release claimed that they will soon reveal how the LG company (South Korean multinational electronics company headquartered in Yeouido-dong, Seoul) has lost the source code of its products for a large telecommunications company, which works worldwide.

Ref - Twitter

_______________________________________________________________________________________

(June 23, 2020)


Maze operators showing examples of failed negotiation

The Maze ransomware group is specifically detailing the failed negotiations of 4 companies (ST Engineering, MaxLinear, Conduent, M.J. Brunner) and how they lost their data. Some of the firms had hired "negotiators" and failed. The group also stated that “Conduent is due to a leak but right now there is a lack of time.”

Ref - Twitter

_______________________________________________________________________________________

(June 20, 2020)


Maze operators stole credit card details of Cognizant employees

A ransomware attack targeted Cognizant’s system in April 2020. Now it is revealed that the most critical data that has been stolen by the threat actors are the corporate credit card details of Cognizant. As per reports, there are a few associates whose other kinds of personal information have been exposed and they will be notified directly by June 24, 2020.


_______________________________________________________________________________________

(June 20, 2020)


Mark's Plumbing & Parts hit by Maze ransomware

Mark's Plumbing & Parts has been breached by the Maze operators. The affected firm is known to be America's largest plumbing parts online retailer, with 88m in revenue and 109 employees. Maze has taken credit for the hack and has leaked 800+ MB of proofs, including accounting and business documents.

Ref - Twitter

_______________________________________________________________________________________

(June 20, 2020)


Thailand's provincial electric authority attacked by Maze ransomware

Maze ransomware is claiming to have targeted Thailand's provincial electric authority. The operators provided proof that includes 8.5 GB of compressed documents from the hack, and there may be more to come. The website was showing three zip folders named Manager1.zip, Manager2.zip, and Main6.zip.

Ref - Twitter

_______________________________________________________________________________________

(June 20, 2020)


Namecheap is hosting the Maze group domain

A Twitter user with handle Nordchan (@nordchanman) claimed that popular domain name registrar “Namecheap” is aiding cyber-terrorist gang "MAZE" ransomware in leaking confidential files to the Internet by hosting their domain name mazenews[dot]top.

Ref - Twitter

_______________________________________________________________________________________

(June 18, 2020)


Maze ransomware gang demanded ransom from the wrong company

The Maze ransomware gang has screwed up by targeting a New York design and construction firm named “CSA group” instead of the Canadian Standards Association (CSA) it was intending to hit. The firms have almost the same name and domains: csagroup[.]com belongs to the New York agency, while the Canadian standards agency has the domain name csagroup[.]org, which led to a mix-up of names.


_______________________________________________________________________________________

(June 18, 2020)


Maze operators come up with six new victims

Maze operators have come up with six new victims. The targeted organizations include Wix Way (an automotive company) and Bauhaus Furniture Group (a furniture maker), along with four other firms.

Ref - Twitter

_______________________________________________________________________________________

(June 18, 2020)


J W Smith Customs Broker hit by Maze ransomware

J W Smith Customs Broker has been hit by the Maze ransomware crew. No ransom was paid, so Maze is preparing to leak data from the breach. Many logistics companies have been hit by ransomware recently. Maze's leak site contained a zip archive named AndrewS.zip.

Ref - Twitter

_______________________________________________________________________________________

(June 18, 2020)


CSA Group becomes a victim of Maze ransomware

Maze ransomware operators claim the standards company CSA Group as a victim on their leak site. CSA Group was founded in 1919 to provide product testing and certification. CSA has 1.9b in revenue and 2000 employees. Maze's leak site shows three zip files: part1.zip, part3.zip, and sp_db.zip.

Ref - Twitter

_______________________________________________________________________________________

(June 18, 2020)


New victims of Maze ransomware 

Maze operators have just targeted new victims. They include Cincinnati Red Dog Pet Resort & Spa (a dog daycare center in Cincinnati), CSA Group (a standards organization), and Midwest Fresh (a food production firm).

Ref - Twitter

_______________________________________________________________________________________


(June 18, 2020)


Readerlink Distribution Services hit by Maze ransomware

Readerlink Distribution Services was hit with Maze ransomware. Now Maze is threatening to leak data if its ransom demands are not met. The book distributor has more than 2000 employees and over 1B in revenue. Maze's leak site was showing four zip archives: Clients.zip, DirectDeposits2018-2020.zip, Clients2.zip, and eBanking.zip.

Ref - Twitter

_______________________________________________________________________________________

(June 16, 2020)


Comwave hit by Maze ransomware

The operators behind Maze have allegedly struck Comwave, which bills itself as Canada's most affordable telecommunications company. Among the leaked data, there were three archive files named BDocs.zip, BDocs.z01, and BDocs.z02.

Ref - Twitter

_______________________________________________________________________________________

(June 16, 2020)


MaxLinear Inc. breached by Maze operators

Maze ransomware operators have allegedly struck MaxLinear Inc, a well-established American hardware company. The ransomware operators claim to have more than 1 TB of the company's sensitive data. Among the leaked data, there were three archive files named Finance1.zip, Finance1.z01, and Accounting1.zip.

Ref - Twitter 

_______________________________________________________________________________________

(June 16, 2020)


Ansen Corporation’s data leaked online

Maze ransomware operators have allegedly struck Ansen Corporation, an electronics manufacturing services provider. The firm is located in the U.S. and has been operating since 1982. Along with this breach, two other firms (Comwave and MaxLinear Inc.) were also breached by Maze operators.

Ref - Twitter 

_______________________________________________________________________________________

(June 15, 2020)


The city of Knoxville may be hit by Maze ransomware

The city of Knoxville, Tenn. is reeling from a ransomware attack that knocked the city's network offline and prevented police officers from responding to non-life-threatening traffic crashes. Based on ransomware groups' current activity levels and past victim profiles, the most likely suspects for this attack are Maze, DoppelPaymer, and NetWalker, all of which exfiltrate and publish data.


_______________________________________________________________________________________

(June 12, 2020)


Ragnar group published data hacked by Maze

Just after forming a ransomware cartel with the Maze operators, the Ragnar group has published on its portal data from ST Engineering, which was hacked by the Maze team. Earlier, the Maze group claimed to have stolen 1.5 TB worth of unencrypted files to pressure the firm into paying their ransom.

Ref - Twitter

_______________________________________________________________________________________

(June 12, 2020)


Threadstone Advisors hit by Maze ransomware

The Maze ransomware gang strikes again. This time, the victim is a US-based independent advisory firm specializing in the consumer and retail sectors. It has a number of big clients, including businesswoman and former Spice Girl Victoria Beckham. Maze's official dark web blog lists Threadstone Advisors, LLC as one of its victims following an attack within the last 24 hours.


_______________________________________________________________________________________

(June 10, 2020)


Maze ransomware targets new victims 

Maze ransomware operators have published two new victims from Latin America, again in Brazil. The affected entities, from the electricity sector and government, had sensitive information exposed. The first is Domingos Martins and the second is CPFL Energia SA.

Ref - Twitter

_______________________________________________________________________________________

(June 10, 2020)


RagnarLocker joins Maze ransomware syndicate

The ransomware syndicate created by the operators of the Maze ransomware has added another group to its ranks. The operators of the LockBit ransomware were the first group to join Maze's ransomware syndicate but now another competing ransomware group named RagnarLocker has joined as well.


_______________________________________________________________________________________

(June 10, 2020)


Maze operators posted several new victims

Maze operators have posted another large batch of victims. They leaked data belonging to Domingos Martins, Daily Thermetrics, John Christner Trucking, FERSPED Inc., Mead O'Brien, Inc., United Enertech, Collabera, Muñoz Engineering P.C., Ahmed Almazrouei Group, and many more.

Ref - Twitter 

_______________________________________________________________________________________

(June 8, 2020)

Conduent firm hit by Maze ransomware

A multi-billion-dollar IT services firm has become the latest victim of the infamous Maze ransomware group, which appears to have targeted a widely publicized Citrix vulnerability. The company said that the incident resulted in only a "partial interruption" to its services for customers and that an ongoing investigation has been undertaken by looping in "internal and external security forensics and anti-virus teams."


_______________________________________________________________________________________

(June 8, 2020)

Hackers stole confidential information from Westech International

Cybercriminals have stolen confidential information from Westech International, a defense contractor. Westech International has confirmed that it has been breached and that its computers have been encrypted. A number of news outlets are reporting that Westech International's computers were encrypted with the Maze ransomware.


_______________________________________________________________________________________

(June 6, 2020)

Maze gang sharing its public shaming website with other groups

The Maze gang has apparently opened its public shaming website to other groups, who are now able to publish their copied data there. There is also similar news from the blackmail crew around REvil. Maze published the data on the gang's own leak website. The group confirmed the cooperation and also announced that it wanted to share its platform in the ransomware business with another group.

Ref - OwlySec

_______________________________________________________________________________________

(June 5, 2020)

VT San Antonio Aerospace hit by Maze ransomware

The Maze ransomware gang breached and encrypted the systems of VT San Antonio Aerospace, and stole and leaked unencrypted files from the company's compromised devices, in April 2020. During the attack, Maze claims to have stolen 1.5 TB worth of unencrypted files to be used as leverage to pressure the ST Engineering subsidiary into paying their ransom.


_______________________________________________________________________________________

(June 4, 2020)

Maze operators breached two firms

Maze ransomware operators breached two debt collectors: TekCollect (36m) and AmerAssist (47m). No ransom was paid, so they are preparing to leak data exfiltrated from the breach. The leak can be expected to contain personally identifiable information (PII).

Ref - Twitter

_______________________________________________________________________________________

(June 4, 2020)

Maze ransomware operators target Conduent Inc. & UNAMIC

As usual, Maze ransomware operators have added another data breach to their name. In this instance, they breached Conduent Inc & Unamic, which are among the leading information technology and services providers. This data leak includes the company's insurance documents, multiple vehicle lease details, and audit discussion results, along with other stolen data.

Ref - CybleINC

_______________________________________________________________________________________

(June 2, 2020)

LockBit may start leaking data through Maze's leak site

A recent Maze ransomware leak (a database belonging to "Smith Group") was provided by LockBit. It seems that Maze and LockBit have enough of a relationship that LockBit may start leaking data through Maze's leak site.

Ref - Twitter
 
_______________________________________________________________________________________

(June 2, 2020)

Smith Group's data leaked by the Maze ransomware operators

The Maze ransomware operators have been on a roll in leaking databases. Recently, they leaked confidential data of around five organizations. Now they have leaked data of another well-established organization. In this instance, they breached Smith Group, one of the leading architecture companies around the globe.

Ref - Cybleinc

_______________________________________________________________________________________

(June 2, 2020)

Maze operators dropped seven leaks 

Recently, Maze ransomware operators dropped seven leaks, a record high. The victims are: Bossini (<1m), Faxon Machining (30m), GCL System Integration Technology (1.2B), Critical Control Energy Services (24m), Seats Inc (338m), Grupo Cocenzo, and Smith Group (256m).

Ref - Twitter

_______________________________________________________________________________________

(June 1, 2020)

Kerr Controls Ltd hit by Maze ransomware

As usual, Maze ransomware operators have added another data breach (around 3 GB of data) to their name. In this instance, they breached Kerr Controls Ltd, a well-established wholesale distributor of heating, ventilation, air conditioning, and refrigeration (HVACR) materials for residential and commercial markets.

Ref - Cybleinc

_______________________________________________________________________________________

(June 1, 2020)

Maze ransomware developers partnering with other threat actor groups

Because Maze ransomware operates under an affiliate model and is distributed by multiple threat actors, it is able to expand its operations widely across different geographical regions and industry sectors. In an affiliate model, the ransomware developers partner with other threat actor groups, who are responsible for distributing the malware, and the two sides share the profit from ransoms.

Ref - CSA

_______________________________________________________________________________________

(May 29, 2020)

MAZE ransomware working and defense mechanisms

Bitdefender malware researchers have documented how MAZE ransomware works, what defense mechanisms it employs to stay hidden, and how it unleashes its destructive behavior on the target system. The white paper outlines how to defeat the evasion techniques built into the MAZE ransomware.


_______________________________________________________________________________________

(May 29, 2020)

MAZE ransomware introduced the new way to extort victims

The developers of the Maze ransomware have introduced an extra way to create leverage against their victims. To gain leverage over an organization, the attackers steal data from the infiltrated system while they deploy their ransomware. They then threaten to publish the data if the victim decides not to pay. Depending on the kind of data, this can be a rather compelling reason to give in.

Source - MalwareBytes

_______________________________________________________________________________________

(May 29, 2020)

Mercury Insurance Group hit by Maze ransomware

Maze ransomware operators have leaked data from Mercury Insurance Group. More than 300 GB of data from several renowned organizations, including AIC Underwriters, Madison Insurance, Accident Insurance, Appalachian Underwriters, American Builders Insurance, Applied Underwriters, Cornerstone Underwriting, and US Administrator Claims, was dumped online.

Ref - Twitter

_______________________________________________________________________________________

(May 28, 2020)


RDP is the most common and prominent attack vector used by ransomware actors 

Group-IB's whitepaper details that even big-league players like Ryuk, LockerGoga, REvil, MegaCortex, Maze, and Netwalker use common intrusion methods such as RDP, simply because access to servers with an open RDP port is easy to buy on marketplaces. The FBI has also stated that RDP is the most common method ransomware actors use to gain access to a victim network.


_______________________________________________________________________________________

(May 22, 2020)

Banco BCR bank’s data (Part 3) leaked by Maze operators 

The Maze ransomware group has published a new press release addressed to the "Banco BCR" bank in which it published credit card details. This leaked data was described as part three of the leak belonging to the "Banco BCR" bank. The leaked data contained 2 GB worth of credit card information.

Ref - Twitter

_______________________________________________________________________________________

(May 21, 2020)

Maze operators targeted several law firms in the last six months

In nearly six months, at least seven law firms have been infiltrated by ransomware. The hacker groups Maze and REvil have taken responsibility for all of these attacks. Maze represents an evolution from the old attacks law firms faced: the operators have adjusted their strategies, infiltrating original files and backups through remote access "backdoors" and hijacking administrative controls.

Ref - LAW

_______________________________________________________________________________________

(May 20, 2020)


Universal Windows & Door data leaked by Maze operators

Maze operators have now leaked data belonging to Universal Windows & Door LLC, a window supplier in Marlborough. Part 1 of the leaked data was a pair of zips of random files to show that the Maze operators did have some data. The full set probably contains lots of client, employee, and order information.

Ref - Twitter

_______________________________________________________________________________________

(May 20, 2020)


Optimara’s data leaked online by Maze operators

Optimara, a leader in the African Violet business for over 60 years, has been targeted by Maze operators. The fresh data leak from the breach is now online. The leaked data includes an Access database and domain admin information, compressed in zip archives named "DomainAdmin.zip" and "Greenmdb.zip".

Ref - Twitter
 
_______________________________________________________________________________________

(May 19, 2020)


CERT of the National Cryptologic Center issued a “Maze” Harmful Code Report

The CERT of the National Cryptologic Center (CCN-CERT) has published the CCN-CERT ID-14/20 “Maze” Harmful Code Report. This collects the analysis of the sample of harmful code belonging to the “Maze” family of ransomware, whose objective is to encrypt the files of the infected systems to subsequently request the payment of a ransom in exchange for the decryption tool.

Ref - CCN-CERT

_______________________________________________________________________________________

(May 18, 2020)


Ransomware earlier seen with Maze now targeting healthcare organizations

The FBI issued a security alert earlier this month (April 2020) about a new ransomware strain named ProLock that has been deployed in intrusions at healthcare organizations. The same pattern has been seen before, with Ryuk and Maze ransomware strains being installed on computers previously infected with TrickBot, and with DoppelPaymer strains being dropped on computers infected with the Dridex malware.

Ref - ZDNet

_______________________________________________________________________________________

(May 16, 2020)


Andrew Cross & Co hit by Maze ransomware 

Andrew Cross & Co has fallen into the trap of the Maze ransomware operators. In this instance, they breached the company's database and then leaked its data online. Andrew Cross & Co was established in 1969. It is an independent firm of chartered accountants that continues to build a reputation for providing excellent advice and first-class service to its business and personal clients alike.

Ref - Cybleinc

_______________________________________________________________________________________

(May 16, 2020)


Maze operators leaked data of Italian architect, American property manager, and an English accountant

Recently, the Maze ransomware crew leaked data of an Italian architect, an American property manager, and an English accountant on the dark web. The leaked information was mostly PII (personally identifiable information).

Ref - Twitter

_______________________________________________________________________________________

(May 15, 2020)


Maze ransomware targeted Hydro Resources Holding

Once again, Maze ransomware operators have been seen in action, and this time they have trapped a well-known groundwater exploration and production organization. In this instance, they targeted Hydro Resources Holding. Founded in 1999, Hydro Resources is uniquely qualified and positioned to provide a comprehensive range of groundwater construction services.

Ref - Cybleinc

_______________________________________________________________________________________

(May 14, 2020)


A security firm revealed a complete timeline of Maze ransomware infection

Based on Cisco Talos Incident Response engagements, a Maze ransomware incident timeline might look like this: Day 0-6: initial compromise; Day 7-13: additional active reconnaissance; Day 14-21: using stolen credentials, PsExec or WMIC is executed on the victim's domain controllers. The ransomware then spreads, taking down the network and creating havoc for the company to deal with.
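As an added detection example (not code from the Cyware page or the Cisco Talos report), the Python below scans constructed process-creation records for the Day 14-21 step above, PsExec or WMIC activity touching domain controllers, and buckets each hit into the report's phases relative to the initial compromise. The record format, host names, and account names are assumptions made for this example.

```python
"""Detection of PsExec/WMIC activity against domain controllers, bucketed
into the Cisco Talos Maze timeline phases. Added example; the log format,
hosts, and accounts are constructed, not taken from any real incident."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed environment facts for this example.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
KNOWN_DC_ADMINS = {"CORP\\admin"}   # accounts expected to run admin tooling on DCs

# Process names tied to the tooling the timeline names for Day 14-21.
# PSEXESVC.exe is the service binary PsExec installs on the remote host.
LATERAL_TOOLS = {"psexec.exe", "psexesvc.exe", "wmic.exe"}

# Day ranges from the Talos timeline (day 0 = initial compromise).
PHASES = (
    (0, 6, "initial compromise"),
    (7, 13, "additional active reconnaissance"),
    (14, 21, "lateral movement with stolen credentials"),
)

# wmic's remote-host switch, e.g. `wmic /node:DC02 process call create ...`
WMIC_NODE_RE = re.compile(r'/node:"?([\w.-]+)', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    image: str    # full path of the created process
    parent: str   # parent image name
    cmdline: str


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str     # the domain controller involved
    user: str
    reason: str
    day: int
    phase: str
    severity: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed, pipe-delimited record:
    timestamp|host|user|image|parent|cmdline (cmdline may contain '|')."""
    ts, host, user, image, parent, cmdline = line.split("|", 5)
    return ProcessEvent(datetime.fromisoformat(ts), host, user, image, parent, cmdline)


def phase_for(day: int) -> str:
    for lo, hi, name in PHASES:
        if lo <= day <= hi:
            return name
    return "beyond day 21"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> tuple[str, str] | None:
    """Return (dc_host, reason) when the event is PsExec/WMIC activity on or
    against a domain controller, else None."""
    image, parent, host = basename(ev.image), basename(ev.parent), ev.host.upper()
    if host in DOMAIN_CONTROLLERS and image in LATERAL_TOOLS:
        return host, f"{image} executed on domain controller"
    if host in DOMAIN_CONTROLLERS and parent == "psexesvc.exe":
        return host, f"{image} spawned by PsExec service on domain controller"
    if image == "wmic.exe":
        m = WMIC_NODE_RE.search(ev.cmdline)
        if m and m.group(1).upper() in DOMAIN_CONTROLLERS:
            return m.group(1).upper(), f"remote wmic from {ev.host} targeting domain controller"
    return None


def detect(lines, initial_compromise: datetime) -> list[Finding]:
    """Run classify() over raw records; known DC admins are downgraded to
    'review' because legitimate wmic use on a DC looks identical in the log."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hit = classify(ev)
        if hit is None:
            continue
        dc, reason = hit
        day = (ev.ts.date() - initial_compromise.date()).days
        severity = "review" if ev.user in KNOWN_DC_ADMINS else "high"
        findings.append(Finding(ev.ts, dc, ev.user, reason, day, phase_for(day), severity))
    return findings


# Constructed sample records: a phishing-era Word launch (day 0), DC discovery
# with nltest (day 8), then PsExec and WMIC against DCs (days 15-16).
SAMPLE_EVENTS = r"""
2020-03-01T09:12:00|WKS-042|CORP\j.doe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|outlook.exe|WINWORD.EXE /n
2020-03-09T22:41:10|WKS-042|CORP\j.doe|C:\Windows\System32\nltest.exe|cmd.exe|nltest /dclist:corp
2020-03-16T02:03:44|DC01|CORP\svc-backup|C:\Windows\PSEXESVC.exe|services.exe|C:\Windows\PSEXESVC.exe
2020-03-16T02:03:45|DC01|CORP\svc-backup|C:\Windows\System32\cmd.exe|PSEXESVC.exe|cmd.exe /c whoami
2020-03-17T03:15:02|WKS-042|CORP\svc-backup|C:\Windows\System32\wbem\wmic.exe|cmd.exe|wmic.exe /node:DC02 process call create "cmd.exe /c whoami"
2020-03-17T08:00:00|DC02|CORP\admin|C:\Windows\System32\wbem\wmic.exe|cmd.exe|wmic os get caption
"""


def run_sample() -> list[Finding]:
    lines = [ln for ln in SAMPLE_EVENTS.splitlines() if ln.strip()]
    return detect(lines, datetime(2020, 3, 1, 9, 12))


if __name__ == "__main__":
    for f in run_sample():
        print(f"day {f.day:2d} [{f.phase}] {f.severity:6s} {f.host} {f.user}: {f.reason}")
```

The nltest record on day 8 is deliberately not flagged; it belongs to the reconnaissance phase, which needs its own rule.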


_______________________________________________________________________________________

(May 14, 2020)

Banxico and Banco De Costa Rica suffered Maze attack in the same way

Banco de México (Banxico) reported the detection of a possible cyber attack. Although the financial resources of the institution were not compromised, information related to its Internet banking systems and interbank transfers was stolen. The attack happened in the same way Banco De Costa Rica was attacked by Maze ransomware, suggesting that the same hackers are behind it.

Ref - CiberTip

_______________________________________________________________________________________

(May 14, 2020)

Maze ransomware puts pressure on victims to persuade them to pay the ransom

SophosLabs, a security firm, has released a new report that details the techniques the Maze ransomware operators use to put pressure on victims and convince them to pay the ransom. The report also revealed that the total cost of recovering encrypted data during a ransomware attack doubles when companies decide to pay the ransom to cybercriminals.


_______________________________________________________________________________________

(May 13, 2020)

Maze ransomware’s double extortion tactic adopted by other ransomware families

In Nov. 2019, the Maze ransomware operators began a new tactic of not only demanding a ransom for a decryptor but also demanding a second ransom for not publishing files stolen in the attack. Since then, almost all network-targeting ransomware families, such as Maze, Sodinokibi, DoppelPaymer, Clop, Sekhmet, Nephilim, Mespinoza, and Netwalker, have adopted this practice.


_______________________________________________________________________________________

(May 12, 2020)

Three groups are behind Maze ransomware

Based on their observations, FireEye's Mandiant teams distinguished three "groups" using Maze, or rather three different attacker profiles according to their tactics and techniques. One of them corresponds to the FIN6 group, also called Skeleton Spider. The other two, not named in the report, rely on network services exposed to the Internet and on the use of accounts with compromised credentials.

Ref - LemaGit

_______________________________________________________________________________________

(May 12, 2020)

Maze ransomware is active for more than a year

It's been a year since the Maze ransomware gang began its rise to notoriety. Aside from the gang's adjustments in initial compromise approaches, the Maze group has risen in prominence largely because of its extortion tactics: following through on threats of public exposure with "dumps" of victims' stolen data, and offering victim data on cybercrime forums if no payment is made.

Ref - Sophos

_______________________________________________________________________________________

(May 12, 2020)

A Belgian accounting firm attacked by Maze ransomware

The people behind the Maze ransomware, which infects Windows systems, have hit the Belgian firm “HLB.” Numerous documents from the company have been leaked online. These include business contracts, accounts statements, confidential memos, and other general documents. The group's global site appears to be down, indicating that it may have been the avenue for the Maze attack.

Ref - ITWire

_______________________________________________________________________________________

(May 11, 2020)


Pitney Bowes takes hit as the next target of Maze ransomware

The global technology provider Pitney Bowes has been targeted by the Maze ransomware. The Maze group has released screenshots belonging to the company's systems. These screenshots include lists of staff folders, clients, accounts, management policies, training, etc.

Source - iTWire

_______________________________________________________________________________________

(May 10, 2020)


Maze ransomware attacks two US-based enterprises

Two American organizations have recently been targeted by the Maze ransomware operators. One of them is a wire manufacturing company named Southeastern Wire, while the other is Koller Craft LLC, a manufacturer of injection-molded plastic components.

Source - IB Times

_______________________________________________________________________________________

(May 10, 2020)


Maze ransomware continues its threatening campaigns 

Maze ransomware is usually delivered via spam emails carrying malicious Excel and Word attachments. But in recent campaigns, it was observed being delivered via an exploit kit named Spelevo. It has also been leveraging vulnerabilities in Flash Player (CVE-2018-15982 and CVE-2018-4878), Internet Explorer (CVE-2018-8174), and Pulse VPN (CVE-2018-1150).


_______________________________________________________________________________________

(May 9, 2020)


Maze ransomware’s attack on Cognizant will have an impact for several months

After being targeted by the Maze group, Cognizant is expected to feel the aftermath for several months. Besides the direct losses to the business, the company is also expected to incur expenses for legal consultancy, investigation, service restoration, and remediation of the breach. The theft of sensitive information on merger and acquisition targets, profit and loss reports, and medical records is also expected to have a negative impact on Cognizant's overall ecosystem.


_______________________________________________________________________________________

(May 8, 2020)

An uptick in Maze Ransomware Samples Observed Across Multiple Industries

A threat assessment post was prepared by Palo Alto Networks for the recent Maze ransomware activities. According to this, the ransomware is usually distributed via emails containing weaponized Word or Excel attachments. But recently, it has also been distributed via exploit kits such as the Spelevo Exploit Kit, using a variety of vulnerabilities. 


_______________________________________________________________________________________

(May 8, 2020)


What Cyber Security Companies like FireEye Are Learning From Maze Ransomware

According to forensic data collected from recent incidents, Maze is not a single group but a series of distinct teams, each with a different specialty. One team develops the malware, another distributes it, and, when a victim pays a ransom, the developers get a commission.

Source - CyberScoop

_______________________________________________________________________________________

(May 8, 2020)


Maze Ransomware Obfuscation Techniques Detailed Out

The obfuscation techniques used by the Maze DLL have been revealed. The Maze ransomware usually comes in DLL form and is loaded into memory through a loader component. It uses several obfuscation techniques, including API calls hidden behind opaque predicates, returns hidden as push + jmp eax (for WinAPI calls), hidden memcpy calls, fake calls, and opaque predicates with intermediate jumps and junk code.

Source - Blueliv

_______________________________________________________________________________________

(May 8, 2020)

Maze Ransomware costs Cognizant $50-$70 million in Q1

After being hit with the Maze ransomware, Cognizant expects a negative impact on its business. After learning of the ransomware attack, some of the company's clients opted to suspend access to Cognizant's network. The company's revenues are expected to be reduced by $50-$70 million, and the remediation costs could extend beyond Q2.

Source - Business Today 

_______________________________________________________________________________________

(May 7, 2020)

Maze Ransomware - the biggest data threat to organizations

Maze ransomware has been targeting organizations since its inception in May 2019. A victim company's choice to pay the ransom depends on factors like the cost of lost trade secrets, damage to the brand image, possible lawsuits, and the imposition of fines. In the time of this pandemic, ransomware like Maze poses a massive disruption to vital services such as healthcare.

Source - ForumIAS

_______________________________________________________________________________________

(May 7, 2020)

Maze claims ransomware attack on US egg supplier Sparboe

The Maze group has published data on its shaming website, which it claims belongs to the Minnesota egg supplier Sparboe. According to Maze, Sparboe's systems were attacked on May 1, 2020, and the threat group shared a zip file carrying information on current and former employees as proof.


_______________________________________________________________________________________

(May 7, 2020)

TTPs Associated With MAZE Ransomware Incidents Disclosed

Since November 2019, more than 100 alleged Maze victims have been reported by various media outlets and on the Maze website. Victims are primarily based in North America and belong to almost every industry sector. Initially, Maze ransomware was distributed directly via exploit kits and spam campaigns; later, the operators adopted a post-compromise deployment methodology.

Source - Fireeye

_______________________________________________________________________________________

(May 6, 2020)


Maze Ransomware Group Hacks Two Plastic Surgeons

The Maze group recently took credit for hacking a plastic surgeon named Kristin Tarbet, as well as the Ashville Plastic Surgery Institute. The hackers have already leaked highly sensitive data belonging to Kristin Tarbet, including patients' social security numbers and other sensitive information.

Source - Coin Telegraph 

_______________________________________________________________________________________

(May 6, 2020)


Maze Ransomware Operators enhance their strategies

Maze ransomware operators recently revealed the group's inner workings, including how they pressure their victims into paying the ransom. In January 2020, the Maze group was the first to use a "shaming" website to leak stolen data when its ransom demand is not met. The Maze group now specifically looks for data that can cause reputational and regulatory harm to its victims.

Source - DarkReading

_______________________________________________________________________________________

(May 6, 2020)


Dakota Carrier Network data leaked by Maze Group

A few days ago, the Maze ransomware gang hacked and encrypted information from Dakota Carrier Network (DCN)'s customer network. When DCN refused to pay the ransom, the hackers published the stolen DCN information online.

Source - KFYR-TV

_______________________________________________________________________________________

(May 6, 2020)


Maze group threatens to release 11m card numbers from Banco BCR

The Maze ransomware group claims that it has obtained around 11m card numbers from the Banco BCR bank and has again threatened to leak the sensitive details. The group has already publicly disclosed complete information about the bank's internal networks as proof of the hack. Next, it threatens to publish details about the bank's internal processing operations.

Source - ITWire

_______________________________________________________________________________________

(May 5, 2020)


Maze Ransomware attacks the labs and hospitals fighting Coronavirus

During the early stages of Covid-19, several hacking groups pledged not to target hospitals and medical organizations. But Hammersmith Medicines Research, which was researching vaccines, was targeted by the Maze ransomware. Maze had also targeted the Affordacare Urgent Care Clinic at the beginning of April 2020.

Source - Tripwire

_______________________________________________________________________________________

(May 5, 2020)


Maze Ransomware Yara rules published

A Twitter user with the handle '@kgbuquerin' has posted a YARA rule to detect Maze ransomware. The rule includes several hashes and strings associated with Maze ransomware.

Source - Twitter

_______________________________________________________________________________________

(May 5, 2020)

Toll Group & AFFCO struck by cyber threat

The Australian transportation and logistics company Toll Group and the New Zealand meat company Affco have been hit with a ransomware attack. Due to the attack, Toll Group was having trouble with its email system, while Affco has had problems with its payroll and its ability to receive orders. In March 2020, Toll Group was targeted by the Maze ransomware, and Maze is thought to be the threat this time as well.

Source - Newsroom

_______________________________________________________________________________________

(May 5, 2020)

Maze group leaks more information after Banco BCR ignores them

According to images posted by the Twitter handle ‘@Bank_Security’, the Maze group has posted another press release stating that Banco BCR has still not taken any action on its data security despite repeated warnings. The post also claims that, by ignoring the breach, the bank may be violating PCI DSS requirements.

Source - Twitter

_______________________________________________________________________________________

(May 4, 2020)


Techniques used by Maze ransomware disclosed

New research details the control-flow flattening, other obfuscation techniques, and opaque predicates used by a Maze loader sample. Maze is usually seen in DLL form: a loader carries the encrypted DLL, decrypts it, and loads it into memory.


_______________________________________________________________________________________

(May 4, 2020)

Ransomware like Maze causing 15 days of electronic health record (EHR) downtime

The average ransom paid by organizations hit by ransomware jumped 33 percent, to nearly $112,000, between the last quarter of 2019 and the first quarter of 2020. Ransomware families such as Sodinokibi, DoppelPaymer, Ryuk, and Maze are causing 15 days of EHR downtime. The median ransom payment reached $44,021 in Q1, up slightly from Q4.


_______________________________________________________________________________________

(May 3, 2020)


Maze Ransomware details and attack summary

Some details about the Maze ransomware, together with a brief summary of recent attacks, have been published. According to this summary, Maze ransomware attacked the IT giant Cognizant, but the company has not revealed when or how exactly the attackers got into its network.

Source - Sesin

_______________________________________________________________________________________

(May 2, 2020)

Maze Ransomware Attacks Network Service Provider

Dakota Carrier Network (DCN) suffered a Maze ransomware attack in April. The attackers stole some DCN administrative data and published it on the web, but the company’s fiber-optic network was apparently not affected.

Source - MSSPAlert

_______________________________________________________________________________________

(May 1, 2020)

Maze Ransomware attack on Cognizant may impact customers

Cognizant admitted a few days ago that it had been hit by Maze ransomware, and the company now says it is in communication with its customers about preventive measures and is sharing indicators of compromise (IOCs) and other technical information for defensive use.

Source - CPOMagazine

_______________________________________________________________________________________

(May 1, 2020)

Maze Ransomware uses complex obfuscated control flow

CrowdStrike has published a deep technical analysis of the Maze ransomware, showing the obfuscated control flow and how it appears in IDA’s navigation bar for the Maze binary. It also describes how the developers use jump instructions and opcodes for obfuscation.

Source - CrowdStrike
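Added example, not code from Maze, CrowdStrike, or any of the analyses cited in this entry or in the May 4 entry on the loader: a toy checksum routine written plainly and then with its control flow flattened behind a state-machine dispatcher, with an opaque predicate guarding a dead block. The checksum is invented purely so the two forms can be compared; it shows in source form what “control-flow flattening” and “opaque predicates” look like before an analyst ever sees the disassembly.

```python
# Added illustration of two obfuscations named in the Maze write-ups:
# control-flow flattening and opaque predicates. Constructed example code,
# not Maze's code; the checksum is a stand-in for whatever logic a loader hides.


def checksum_plain(data: bytes) -> int:
    """Readable form: a toy 16-bit rolling checksum with one branch and one loop."""
    acc = 0
    for b in data:
        if b & 1:
            acc = (acc + b) & 0xFFFF
        else:
            acc = (acc ^ (b << 1)) & 0xFFFF
    return acc


def opaque_true(n: int) -> bool:
    """Opaque predicate: n*(n+1) is the product of two consecutive integers,
    so it is always even and the test is always True. A disassembler sees a
    real conditional branch; only algebra shows that one side is dead."""
    return (n * (n + 1)) % 2 == 0


def checksum_flattened(data: bytes) -> int:
    """Same function after control-flow flattening. Every basic block becomes
    one case of a single dispatcher driven by `state`, so the loop and the
    if/else no longer appear as structure in the control-flow graph, and the
    dead block (state 7) is guarded by the opaque predicate so it looks live."""
    state, acc, i, b = 0, 0, 0, 0
    while True:
        if state == 0:          # entry
            state = 1
        elif state == 1:        # loop condition
            state = 2 if i < len(data) else 6
        elif state == 2:        # load byte, pick branch
            b = data[i]
            state = 3 if b & 1 else 4
        elif state == 3:        # odd-byte arm
            acc = (acc + b) & 0xFFFF
            state = 5
        elif state == 4:        # even-byte arm
            acc = (acc ^ (b << 1)) & 0xFFFF
            state = 5
        elif state == 5:        # loop increment, then the opaque branch
            i += 1
            state = 1 if opaque_true(i) else 7
        elif state == 6:        # exit
            return acc
        else:                   # state 7: dead code, never reached
            acc = 0xDEAD
            state = 6


def flattening_preserves_semantics(samples) -> bool:
    """Check that the obfuscated form computes exactly what the plain form does."""
    return all(checksum_plain(s) == checksum_flattened(s) for s in samples)


if __name__ == "__main__":
    for sample in (b"", b"Maze", b"DECRYPT-FILES.txt", bytes(range(256))):
        print(sample[:16], checksum_plain(sample), checksum_flattened(sample))
```

The point for an analyst is that `checksum_flattened` has the same input/output behaviour as `checksum_plain` but no recoverable loop or branch shape: recovering the original requires tracking the `state` assignments, and the dead block is only provably dead once the predicate is recognised.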

_______________________________________________________________________________________

(May 1, 2020)

Updates about how Maze ransomware targeted Hammersmith Medicines Research

In March 2020, Hammersmith Medicines Research (HMR) was attacked by the Maze team and its data was locked. At the time, HMR duly notified research volunteers about the breach. The recent audit trail, however, shows that the attackers did not access the entire volunteer database; only volunteers who had attended a screening visit were affected.

Source - DataBreaches

_______________________________________________________________________________________

(May 1, 2020)


Maze ransomware team claims to have hacked Banco BCR

The Maze ransomware team claims to have gained access to Banco BCR’s network in February 2020, reaching the transaction system and stealing 11 million credit card records. As proof, they posted around 240 card numbers (with the last four digits removed) together with expiration dates and CVV numbers.


_______________________________________________________________________________________

(May 1, 2020)


Maze ransomware operators warn Banco BCR

A tweet posted by Cyble suggests that in February 2020 the Maze team breached Banco BCR’s internal network and obtained over 11 million credit card records, 140,000 of which belong to US citizens. According to the tweet, Maze had already breached Banco BCR in August 2019 and accessed its payment processing systems, but the bank did not improve its security, leading to this second intrusion.

Source - Twitter

_______________________________________________________________________________________

(May 1, 2020)


Maze ransomware crew stole 11 million credit cards in February 2020

According to a post by the Twitter user ‘Under the Breach’, the Maze ransomware group stole 11,000,000 credit card records in February 2020, 4,000,000 of which were unique. Of these, 140,000 records belong to US citizens.

Source - Twitter 

_______________________________________________________________________________________

(April 27, 2020)

More IOCs for Maze ransomware disclosed by a researcher

A Twitter user with the handle ‘@surajeet_ghosh’ has posted further indicators of compromise (IOCs) related to Maze ransomware. These IOCs include an MD5 hash and a few URLs associated with Maze.

Source - Twitter

_______________________________________________________________________________________

(April 29, 2020) 


Detailed technical analysis of Maze ransomware

A detailed technical analysis of the Maze ransomware has been published. It provides a telemetry map of recently targeted countries and shows how the Maze developers hinder disassemblers and decompiler (pseudocode) plugins to make analysis harder. It also includes IOCs and YARA rules for detecting Maze.

Source - Marketerintel
_______________________________________________________________________________________

(April 29, 2020)


Maze and other ransomware strike more healthcare organizations

The King of Prussia, PA-based pharmaceutical company ExecuPharm recently disclosed that it experienced a Maze ransomware attack in March. Some company information, as well as the personal data of employees, was accessed and exfiltrated by the attackers. In addition, Brandywine Counseling and Community Services in Delaware and the Parkview Medical Center in Pueblo, Colorado, were hit by attacks involving unidentified ransomware.

Source - Hipaajournal
_______________________________________________________________________________________

(April 28, 2020)


How to reduce ransomware risk - Microsoft Threat Protection Intelligence Team 

The Microsoft Threat Protection Intelligence Team has published an analysis of several active ransomware threats, including Maze. It suggests immediate response actions for organizations facing an active attack and describes how to build the security hygiene needed to defend networks against human-operated ransomware.

Source - Microsoft

_______________________________________________________________________________________

(April 28, 2020)


Ransomware payments increase by 33% in Q1 2020, as Maze and Sodinokibi proliferate

Cyberattack trends from the first quarter of 2020 indicate that spam campaigns tied to the COVID-19 outbreak have led to an increase in ransomware attacks across the board. The average ransom payment increased by 33%. Maze, Sodinokibi, DoppelPaymer, and Mespinoza were among the top ransomware variants that regularly exfiltrated data.

Source - Coveware

_______________________________________________________________________________________

(April 28, 2020)

CERT-In issues warning over the ‘Maze’ ransomware

The Indian Computer Emergency Response Team (CERT-In) recently issued a warning about the Maze ransomware. According to CERT-In, email and exploit kits are the common delivery methods for the ransomware, and the advisory provides guidelines for preventing such attacks.

Source - Sakaltimes

_______________________________________________________________________________________

(April 28, 2020)

Maze ransomware poses 3x risk to businesses

Traditional ransomware locks the victim’s data, affecting only its availability. Maze poses a triple risk, threatening availability, confidentiality, and integrity, the three core principles of data protection.

Source - Cyberhoot

_______________________________________________________________________________________

(April 27, 2020)


Maze ransomware a significant threat to healthcare

Maze ransomware is turning out to be a significant factor in attacks on healthcare. So far, Maze attacks on the healthcare sector have been observed only through pandemic-themed phishing emails that target victims with malicious attachments. Interpol has warned healthcare providers around the world about the threat of Maze attacks.

Source - Barracuda

_______________________________________________________________________________________

(April 27, 2020)


New IOCs for Maze ransomware disclosed by a researcher 

A Twitter user with the handle ‘@surajeet_ghosh’ has posted indicators of compromise (IOCs) related to Maze ransomware. These include MD5 file hashes and IP addresses associated with Maze.

Source - Twitter 

_______________________________________________________________________________________

(April 27, 2020)


Details about Maze ransomware attacks revealed

A report has been published on recent attacks by Maze ransomware. Besides details of the attacks, the report provides IOCs related to Maze.

Source - ITCSecure

_______________________________________________________________________________________

(April 24, 2020)

Cognizant hit by Maze ransomware - Deep technical analysis

CyberInt has released a detailed report with key findings, technical analysis, and MITRE ATT&CK mappings for the Maze ransomware attack on Cognizant last Friday. The technical analysis covers the files and DLLs used by the attackers, along with their IOCs.

Source - Cyberint

_______________________________________________________________________________________

(April 23, 2020)

Detailed guidelines for defending against Maze ransomware 

Quick Heal Technologies Ltd. has published a guide to preventing Maze ransomware infections. Besides guidance on patching the Internet Explorer and Adobe Flash Player vulnerabilities that Maze targets, it covers precautions for user and privilege security, network and shared-folder security, email security, secure browsing, backups, and employee training.

Source - Quickheal

_______________________________________________________________________________________

(April 23, 2020)

Some employees of Cognizant lost email access after Maze attack

Cognizant’s internal directory was deleted in the Maze ransomware attack, causing a loss of communications inside and outside the company and leaving some workers unable to contact customers. After the attack, the software Cognizant uses to communicate across its systems was cut off, leaving sales teams with no way to reach customers and customers with no way to reach sales teams.

Source - CRN

_______________________________________________________________________________________

(April 23, 2020)

New IOC hashes of Maze ransomware revealed

A user of the AlienVault portal with the handle ‘nsmteam’ has posted indicators of compromise (IOCs) related to Maze ransomware, consisting of MD5 file hashes.

Source - AlienVault

_______________________________________________________________________________________

(April 23, 2020)

Known URLs of Maze ransomware disclosed

A user of the AlienVault portal with the handle ‘nsmteam’ has posted indicators of compromise (IOCs) related to Maze ransomware, consisting of known Maze URLs.

Source - AlienVault

_______________________________________________________________________________________

(April 23, 2020)

Maze ransomware was lurking in Cognizant networks for weeks

Maze hit IT services provider Cognizant last week, but the malware had likely been lurking in its networks for weeks. While an investigation is underway, there is no way of knowing whether Maze’s operators will publish stolen files, and the liability of a data breach hangs over Cognizant and its clients.

Source - CioDive

_______________________________________________________________________________________

(April 22, 2020)

Maze Group targets 12 new victims 

According to a Twitter post by the user ‘Under the Breach’, the Maze ransomware group has updated its leak site with 12 new victims, mostly insurance companies. The victims named in the post include US Administrator Claims, LLC; RCSOnlinePrograms; Madison Insurance Group; Jackson Plaza; Applied Underwriters, Inc.; American Builders Insurance Company; Appalachian Underwriters; AEGPEO; AIC Underwriters, LLC; Accident Insurance Company, Inc.; and 1itp.

Source - Twitter

_______________________________________________________________________________________

(April 22, 2020)

Prediction on Maze ransomware-hosting infrastructure

Some new IOCs have been revealed that are thought to be associated with Maze ransomware. They are suspected of being used by the threat actor TA2101 in recent attacks.

Source - Alienvault

_______________________________________________________________________________________

(April 21, 2020)

Defending Against Maze Ransomware

Security company Seqrite recently released a detailed guide on preventing Maze ransomware infections. It covers the exploit kits used for delivery (Fallout EK, Spelevo EK) as well as the Adobe Flash Player and Internet Explorer vulnerabilities they exploit (e.g., CVE-2018-8174, CVE-2018-4878, and CVE-2018-15982).

Source - Seqrite

_______________________________________________________________________________________

(April 21, 2020)

Cognizant still assessing the damage due to Maze attack

Cognizant said that it is still working with third-party security consultants and law enforcement to assess the damage from Friday’s ransomware attack. In the early stages of the assessment, it has shared the available indicators of compromise and other technical information of a defensive nature with those involved in the assessment.

Source - InfoRiskToday

_______________________________________________________________________________________

(April 21, 2020)


Maze ransomware command and control servers identified

A user of the AlienVault portal with the handle ‘nsmteam’ has posted indicators of compromise (IOCs) related to Maze ransomware, consisting of command and control (C2) servers.

Source - AlienVault

_______________________________________________________________________________________

(April 21, 2020)


Maze ransomware attack on Cognizant may affect its revenue

The ransomware attack on Cognizant may affect its revenue and is expected to disrupt parts of its business processes. Many experts believe that the attackers behind Maze ransomware try to gain backdoor access to MSPs so that they can demand larger ransoms.


_______________________________________________________________________________________

(April 20, 2020)

Maze Ransomware Update: Extorting and Exposing Victims

In the recent attack on Cognizant, the Maze campaign included a signed DLL payload (kepstl32.dll) and dropped a copy of the ransom instructions, “DECRYPT-FILES.txt”. The ransomware then deletes volume shadow copies via WMIC.exe. The report also gives details of the digital signature.

Source - Sentinelone
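Added detection example, not taken from the SentinelOne report or from Maze itself: a small rule set run over constructed Sysmon-style process-creation records (not real telemetry) that flags the shadow-copy deletion step described above. The first rule is the WMIC invocation the entry reports; the vssadmin, wbadmin, bcdedit and PowerShell/WMI variants are added because they are equivalent backup-destruction commands widely seen with ransomware, so the rule set generalises a little beyond this one sample. Field names follow Sysmon Event ID 1; the rule names are my own.

```python
# Added example: detect shadow-copy / backup destruction in process-creation
# telemetry. Sample events are constructed, not captured from a real incident.
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic.exe shadowcopy delete",            # the step in the report
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic.exe os get caption",                # benign WMIC use
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# (rule name, pattern over the normalised command line). Case-insensitive
# because Windows command lines are.
RULES: List[Tuple[str, re.Pattern]] = [
    ("shadowcopy_delete_via_wmi",                       # wmic and Win32_ShadowCopy
     re.compile(r"shadowcopy.*\bdelete\b", re.I)),
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]


def normalise(cmdline: str) -> str:
    """Collapse whitespace and strip quoting so trivial spacing or quote
    tricks do not dodge the patterns."""
    return " ".join(cmdline.replace('"', " ").replace("'", " ").split())


def match_event(event: Event) -> List[str]:
    """Return the names of every rule that fires on one process-creation event."""
    cmd = normalise(event.get("CommandLine", ""))
    return [name for name, pattern in RULES if pattern.search(cmd)]


def scan(events: List[Event]) -> List[Tuple[int, str, List[str]]]:
    """Run all rules over all events; return (index, image, rule names) per hit."""
    hits = []
    for idx, ev in enumerate(events):
        names = match_event(ev)
        if names:
            hits.append((idx, ev.get("Image", ""), names))
    return hits


if __name__ == "__main__":
    for idx, image, names in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {image} -> {', '.join(names)}")
```

The benign `wmic os get caption` record is there on purpose: alerting on WMIC alone is far too noisy in most environments, so the rule keys on the `shadowcopy ... delete` verb rather than the binary. In practice these rules belong in the EDR or SIEM as near-real-time alerts, since shadow-copy deletion usually comes minutes before encryption starts.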

_______________________________________________________________________________________

(April 19, 2020)

McAfee provides insights and IOCs for Maze ransomware

McAfee has released a detailed analysis of recent Maze ransomware samples in a blog post, along with the associated indicators of compromise and recommendations for protecting the network environment.

Source - Mcafee

_______________________________________________________________________________________

(April 19, 2020)

Maze operators keep using the same PDB string

A tweet by security researcher Vitali Kremez shows that the operators behind Maze continue to use the same PDB string as a message in the signed loader DLL variant from the Cognizant attack. The DLL’s signature is noted as “Digital Cert->[GO ONLINE d.o.o.] #Sectigo”, and the sample’s PDB string (“C:\Wuhan\lab\coronashit.pdb”) was also shared.

Source - Twitter

_______________________________________________________________________________________

(April 18, 2020)

The same PDB string was used by Maze ransomware in an earlier COVID-19-themed attack

The malware sample used in the Cognizant attack carries the PDB string “C:\Wuhan\lab\coronashit[.]pdb”. The sample was signed by the same signer as other samples related to the “Suspicious COVID 19 maps - hacked sites” campaign. The signed Maze DLL sample kepstl32[.]dll was also uploaded by the researcher.

Source - Twitter
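Added example, not the researcher’s code and not run against the real kepstl32.dll: a scanner that pulls CodeView (RSDS) debug records, and hence PDB paths, out of a PE image and checks them against a watchlist, which is the kind of check behind the PDB-string pivots in this entry and the April 19 one. The sample “image” is constructed inline with a made-up GUID and a benign decoy record; the watchlist holds the path quoted above plus one broader substring that is my assumption, not something the tweets state.

```python
# Added example: recover RSDS (CodeView) records and PDB paths from a PE
# image and match them against a watchlist. The image below is constructed;
# the GUIDs are invented and the watchlist entries are assumptions.
import struct
import uuid
from typing import List, NamedTuple


class PdbRecord(NamedTuple):
    offset: int   # byte offset of the RSDS signature inside the image
    guid: str     # PDB GUID (ties the binary to its symbol file)
    age: int      # PDB age counter
    path: str     # PDB path as written by the linker


RSDS_MAGIC = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4   # signature + GUID + age


def extract_pdb_records(image: bytes) -> List[PdbRecord]:
    """Scan for RSDS records anywhere in the file. This deliberately skips PE
    header parsing (packed or truncated samples often lack a usable debug
    directory) and validates each candidate by requiring a printable,
    NUL-terminated path ending in .pdb."""
    records: List[PdbRecord] = []
    pos = image.find(RSDS_MAGIC)
    while pos != -1:
        body = pos + RSDS_HEADER_LEN
        if body < len(image):
            end = image.find(b"\x00", body)
            path = image[body:end if end != -1 else len(image)]
            if path.lower().endswith(b".pdb") and all(0x20 <= c < 0x7F for c in path):
                guid = uuid.UUID(bytes_le=image[pos + 4:pos + 20])  # GUID stored little-endian
                age = struct.unpack_from("<I", image, pos + 20)[0]
                records.append(PdbRecord(pos, str(guid), age, path.decode("ascii")))
        pos = image.find(RSDS_MAGIC, pos + 1)
    return records


def build_rsds(path: str, guid: uuid.UUID, age: int) -> bytes:
    """Serialise one RSDS record; used only to construct the sample image."""
    return RSDS_MAGIC + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Assumed watchlist: substrings of PDB paths worth an alert. The first entry is
# the path reported in the tweets; the second is a broader guess (assumption).
WATCHLIST = ["C:\\Wuhan\\lab\\coronashit.pdb", "\\Wuhan\\"]


def flag_records(records: List[PdbRecord]) -> List[PdbRecord]:
    """Return the records whose path contains any watchlist entry (case-insensitive)."""
    return [r for r in records
            if any(w.lower() in r.path.lower() for w in WATCHLIST)]


# Constructed sample "image": filler, a benign RSDS record, a stray 'RSDS'
# that is not a real record, and the record of interest.
SAMPLE_GUID = uuid.UUID("0f0e0d0c-0b0a-0908-0706-050403020100")
SAMPLE_IMAGE = (
    b"MZ" + b"\x90" * 62
    + build_rsds("C:\\build\\release\\ordinary.pdb", uuid.UUID(int=7), 3)
    + b"\x00" * 16 + b"RSDS" + b"\xff" * 8
    + build_rsds("C:\\Wuhan\\lab\\coronashit.pdb", SAMPLE_GUID, 1)
    + b"\x00" * 32
)


if __name__ == "__main__":
    for rec in extract_pdb_records(SAMPLE_IMAGE):
        mark = "ALERT" if flag_records([rec]) else "ok"
        print(f"{rec.offset:#06x} {rec.guid} age={rec.age} {rec.path}  [{mark}]")
```

Because the GUID and age are parsed rather than just the string, the same routine can also be used to cluster samples: two binaries built from the same PDB share the GUID even when the operators change the path, which is a stronger pivot than the path text alone.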

_______________________________________________________________________________________

(April 18, 2020)

Cognizant hit by 'Maze' ransomware attack

Cognizant Technology Solutions Corp. said that it was hit by a “Maze” ransomware attack, resulting in service disruptions for some of its clients. When first asked, the Maze operators denied responsibility. It is assumed that they are not discussing the attack at this early stage to avoid complicating a potential ransom payment.


_______________________________________________________________________________________

(April 18, 2020)

Researcher alerts on Maze attack on Cognizant

Security researcher Vitali Kremez’s Twitter account (@VK_Intel) posted an alert about a ransomware attack by the Maze group possibly affecting the IT giant Cognizant. A link to a GitHub repository with YARA rules was attached to the tweet, which named remote services as an attack vector used by the cybercriminals behind Maze.

Source - Twitter

_______________________________________________________________________________________

(April 18, 2020)

MalwareHunterTeam reports phishing attack on Cognizant’s employee

On February 1, 2020, the Twitter account of MalwareHunterTeam posted that an employee of Cognizant Technology Solutions Corp. had fallen victim to a phishing attack. MalwareHunterTeam also suggested that Cognizant’s staff check the “I Got Phished” service.

Source - Twitter

_______________________________________________________________________________________

(April 18, 2020)

MalwareHunterTeam’s reminder to Cognizant

On February 14, 2020, MalwareHunterTeam published another tweet noting that no handler had been assigned on “I Got Phished” for Cognizant. Soon after this second tweet, someone from Cognizant registered and received the information about the employee who had been targeted and compromised via phishing.

Source - Twitter

_______________________________________________________________________________________

(April 14, 2020)

Maze ransomware targets two Manitoba law firms

Two unnamed law firms in the Canadian province of Manitoba were hit by Maze ransomware. Work at both firms came to a standstill after the attacks left staff without access to their computer systems, locking them out of digital files, emails, and data backups.

Source - CBC

_______________________________________________________________________________________

(April 8, 2020)

Hammersmith Medicines Research’s info leaked by Maze operators

Hammersmith Medicines Research Ltd (HMR), a drug testing firm based in London, disclosed that it was hit by Maze ransomware. The Maze group published some of the stolen files on its “leak site” after the firm refused to pay the ransom. The published data contained the personal details of volunteers whose surnames start with D, G, I, or J.


_______________________________________________________________________________________

(April 6, 2020)

Groupement Berkine attacked by Maze ransomware

Groupement Berkine, a petroleum company, said it fell victim to a Maze ransomware attack on April 1, 2020. The attackers were able to steal its entire database, including over 500 MB of confidential documents relating to budgets, production quantities, organizational strategy, and other data.

Source - HackRead

_______________________________________________________________________________________

(April 1, 2020)

Affordacare Urgent Care Clinic hit by Maze ransomware

Affordacare Urgent Care Clinic, a network of medical providers based in Texas, disclosed a combined data breach and ransomware attack that exposed sensitive information. The ransomware was Maze, and the attackers also leaked stolen documents containing patient information.

Source - SCMagazine

_______________________________________________________________________________________

(March 23, 2020)

COVID-19 Vaccine Test Center targeted By Cyber Attack

Hammersmith Medicines Research, a medical facility on standby to help test any coronavirus vaccine, has been hit by a ransomware group that had promised not to target medical organizations. The criminals behind the Maze ransomware have struck again, stealing data from the victim and then publishing it online to pressure them into paying the ransom.

Source - Forbes

Tags: maze ransomware

Posted on: April 20, 2020
