Origin: May 2019
Alias: ChaCha Ransomware, FileRepMalware, Win32/Filecoder.NVY, Trojan-Ransom.Win32.Gen.tno
Infection Vectors: Spelevo EK, Fallout EK, Spam Emails
Attack Sector: Real Estate, Enterprise Services, Manufacturing, Information Technology, Government
Targeted Region: Eastern and Western Europe, North America
Motive: Ransom, Data Theft
Threat Level: High
Maze is a strain of ransomware that was first spotted in an attack campaign targeting Italian-speaking users in October 2019. However, the earliest infection of this ransomware, which is a variant of the ChaCha ransomware, can be tracked to early 2019. Systems infected with this ransomware cannot access their data or files, because it encrypts files and locks them until a ransom is paid. Originally, Maze was seen as a typical data-encrypting ransomware and behaved like one, but later it evolved into more elaborate extortion campaigns. Since October 2019, Maze has become increasingly aggressive and widespread. So far in 2020, the ransomware has continued to make headlines with a string of high-profile cyberattacks, including a number of law firms, the city of Pensacola, FL, a large US staffing company (Allied Universal), a Fortune 500 company (Cognizant), the French industrial giant "Bouygues Construction" and others.
Maze ransomware is typically delivered or spread via spam emails and exploit kits (such as Fallout and Spelevo).
- In May 2019, it was observed spreading via Fallout exploit kit using a fake site pretending to be a cryptocurrency exchange app. The attackers designed a fake Abra cryptocurrency site to buy traffic from ad networks. Visitors to this site were redirected to the exploit kit landing page under certain conditions and got infected.
- Later, in October 2019, the Spelevo exploit kit was used to infect victims by exploiting a Flash Player 'use-after-free' vulnerability. The attack campaign redirected users to the Spelevo exploit kit, which exploited the critical "CVE-2018-15982" vulnerability through the browser, affecting Flash Player versions 18.104.22.168 / 22.214.171.124 and earlier. Upon successful exploitation, the exploit kit automatically downloaded and installed the Maze ransomware payload via arbitrary code execution.
- A month later, a new attack campaign from a new threat actor, "TA2101", was seen targeting German organizations and companies to deliver and install backdoor malware along with Maze ransomware. Hundreds of spam emails were used to deliver malicious Microsoft Word attachments with German lures impersonating the German Federal Ministry of Finance and Federal Central Tax Office.
Beyond the typical tactic of infecting organizations around the world and demanding a ransom, the operators behind this ransomware started leaking the data of victims who did not pay online. They threatened victims that, unless the ransom was paid, their sensitive data would be exposed online.
- In November 2019, after a ransom payment deadline was missed, the criminals behind Maze ransomware leaked almost 700 MB of data and files stolen from the security staffing firm "Allied Universal."
- The same thing happened in the case of Southwire (a leading wire and cable manufacturer from Carrollton, GA), where a ransom demand of 850 bitcoins ($6 million) was not paid, and the criminals leaked a portion (around 14GB out of 120GB) of their stolen data on a "news" site they created.
Maze ransomware uses 2048-bit Rivest-Shamir-Adleman (RSA) and the ChaCha20 stream cipher to encrypt individual files. It adds different extensions to the files during the encryption process. It then changes the user's desktop wallpaper to a message about the encrypted files and the file name of the dropped ransom note.
- A notable feature of Maze ransomware is that it sets the ransom amount based on the type of device it detects. This is uncommon among other ransomware families.
- Maze operators have used the following labels to indicate the user's computer type in the wallpaper message: standalone server or in a corporate network, workstation in a corporate network, home computer, primary domain controller, backup server, etc.
When it infects home workstations, it encrypts files, renames them by appending a random extension (for example, the file "one.jpg" becomes "one[.]jpg.sA16PA"), creates the "DECRYPT-FILES[.]txt" file, and also changes the desktop wallpaper. The modified wallpaper includes a ransom message stating that the victim's files have been encrypted using the RSA-2048 and ChaCha encryption algorithms. The only way to decrypt them is to purchase a decryptor by following the instructions provided in the "DECRYPT-FILES[.]txt" text file (the ransom message).
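The renaming pattern and ransom note described above are the artefacts a responder can sweep a file share for. The following is an added triage script, not code from the original page: it assumes a heuristic (not stated by the page) that a Maze-renamed file looks like "<name>.<known extension>.<4-8 random alphanumeric characters>", and it builds a constructed sample directory so it runs offline.

```python
import os
import re
import tempfile

# Assumed heuristic (not from the page): Maze appends a random alphanumeric
# tail after the original extension, e.g. "one.jpg" -> "one.jpg.sA16PA".
RANDOM_EXT = re.compile(r"^.+\.(?P<ext>[A-Za-z0-9]{2,5})\.(?P<tail>[A-Za-z0-9]{4,8})$")
KNOWN_EXTS = {"jpg", "jpeg", "png", "pdf", "doc", "docx", "xls", "xlsx",
              "txt", "db", "sql", "zip"}
RANSOM_NOTE = "decrypt-files.txt"  # note name given on the page


def looks_renamed(name: str) -> bool:
    """True if name looks like <original>.<known ext>.<random tail>."""
    m = RANDOM_EXT.match(name)
    if not m:
        return False
    ext, tail = m.group("ext").lower(), m.group("tail").lower()
    # A legitimate double extension such as "archive.tar.gz" must not fire.
    return ext in KNOWN_EXTS and tail not in KNOWN_EXTS


def find_maze_indicators(root: str) -> dict:
    """Walk root and collect ransom notes plus Maze-style renamed files."""
    notes, renamed = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower() == RANSOM_NOTE:
                notes.append(path)
            elif looks_renamed(fn):
                renamed.append(path)
    # Both a note and renamed files together is the strong signal.
    return {"ransom_notes": sorted(notes), "renamed_files": sorted(renamed),
            "likely_infected": bool(notes) and bool(renamed)}


def build_sample_tree() -> str:
    """Constructed sample directory for a dry run (no real malware artefacts)."""
    root = tempfile.mkdtemp(prefix="maze_demo_")
    os.makedirs(os.path.join(root, "Documents"))
    for rel in ["one.jpg.sA16PA", "Documents/budget.xlsx.Kq92Lp",
                "Documents/archive.tar.gz", "Documents/DECRYPT-FILES.txt",
                "readme.txt"]:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    print(find_maze_indicators(build_sample_tree()))
```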
- The message shows that the infected victims must pay the ransom using a website link, which can be opened with only the Tor browser. The Tor website informs the victim that they must pay $500 in Bitcoins using the BTC wallet address provided.
- Another way to make payment is to use another website (the link included in a ransom message), which can be opened with any web browser. It is also mentioned that, unless the victims pay the ransom within a particular time frame (a countdown timer is shown at the top of the Tor web page), the size of the ransom will be doubled.
- The same website allows three files to be decrypted free of charge, to prove that the criminals hold a valid decryption key. The ransom demand varies, however: when big organizations or enterprises are infected, it goes up to $1 million.
- In December 2019, the Georgia-based wire and cable manufacturer "Southwire" was attacked, and after five days without payment of the $6 million ransom, the criminal group leaked the data online.
- The same month, they also targeted the City of Pensacola's finance, executive, treasury, risk management, housing, legal, and human resources departments for ransom.
- In January 2020, the Maze cybercriminal group targeted a London-based company London Offshore Consultants. The criminal group claimed that 300GB of information was stolen from London Offshore Consultants (LOC) Group, and some of it was leaked online to force LOC Group to pay a ransom.
- Just a month later, in February, Maze ransomware attacks targeted five law firms and a French industrial giant "Bouygues Construction." The French firm released a brief statement admitting a "ransomware-type virus" was detected on its network. The group charged the firm twice, as it asked for $1 million for the decryption key and another $1 million for the 'deletion' of data they stole.
- In March 2020, a cybersecurity insurance provider for businesses known as “Chubb” was targeted and their data was also stolen.
- In April 2020, the American multinational corporation “Cognizant,” was targeted by Maze in an attack that resulted in service disruptions. In the same month, the Maze ransomware also targeted the Canadian accounting firm “MNP”, the London-based medical center Hammersmith Medicines Research, Texas-based Affordacare Urgent Care Clinic, Groupement Berkine, as well as two law firms in Manitoba.
At present, there is no decryption tool or software available for Maze ransomware. Organizations should follow strong cybersecurity practices to prevent or stop the infection. Users should frequently update their browsers and plugins with the latest security and vulnerability patches. Since this malware spreads via exploit kits, users should install and use anti-malware and ad-blocker software to stop the distribution of EKs via malicious advertising. To prevent infection from spam email, deploy email security software that can detect malicious Word attachments containing macros. Also, make a habit of routine data backup, being sure to back up important files and data in a timely manner so they can be used to restore lost data in the event of a ransomware infection like Maze.
Indicators of Compromise
Associated File Names
Associated Email Addresses
April 2020 (Indicators of Compromise)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server subkey fDenyTSConnections
Loaders - wordupd[.]tmp
Loaders - Other
IP Addresses (Dropper)