Malware Profile

Origin

Propagation Method

• In May 2019, it was observed spreading via Fallout exploit kit using a fake site pretending to be a cryptocurrency exchange app. The attackers designed a fake Abra cryptocurrency site to buy traffic from ad networks. Visitors to this site were redirected to the exploit kit landing page under certain conditions and got infected. 
• Later, in October 2019, Spelevo exploit was used to infect victims that exploited a Flash Player ‘use-after-free’ vulnerability. The attack campaign was redirecting users to the Spelevo exploit kit, which utilized the critical "CVE-2018-15982" vulnerability in the browser, with users of Flash Player versions 31.0.0.153 / 31.0.0.108 and earlier. Upon successful exploitation or infection, the exploit kit automatically downloaded and installed the Maze ransomware payload via arbitrary code execution. 
• A month later, a new attack campaign from a new threat actor, "TA2101", was seen targeting German organizations and companies to deliver and install backdoor malware along with Maze ransomware. Hundreds of spam emails were used to deliver malicious Microsoft Word attachments with German lures impersonating the German Federal Ministry of Finance and Federal Central Tax Office.

• In November 2019, after a deadline was missed for receiving a ransom payment, criminals behind Maze ransomware had leaked almost 700 MB worth of data, and files that were stolen from the security staffing firm "Allied Universal." 
• The same thing happened in the case of Southwire (a leading wire and cable manufacturer from Carrollton, GA), where a ransom demand of 850 bitcoins ($6 million) was not paid, and the criminals leaked a portion (around 14GB out of 120GB) of their stolen data on a "news" site they created. 

Technical Info

• A notable feature of Maze ransomware is that it sets the ransomware amount based on the type of device it detects. This is uncommon among other types of ransomware. 
• Maze operators have used the following labels to indicate the user's computer type in the wallpaper message: standalone server or in a corporate network, workstation in a corporate network, home computer, primary domain controller, backup server, etc.

• The message shows that the infected victims must pay the ransom using a website link, which can be opened with only the Tor browser. The Tor website informs the victim that they must pay $500 in Bitcoins using the BTC wallet address provided. 
• Another way to make payment is to use another website (the link included in a ransom message), which can be opened with any web browser. It is also mentioned that, unless the victims pay the ransom within a particular time frame (a countdown timer is shown at the top of the Tor web page), the size of the ransom will be doubled. 
• It is possible to unlock three files free of charge using the same website to prove that criminals have a valid decryption key. However, the ransom demand varies when it infects big organizations or enterprises where its ransom demand goes up to $1 million.

Recent Incidents

• In December 2019, a Georgia-based wire and cable manufacturer "Southwire" was attacked, and after five days for not paying the $6 million ransom, the criminal group leaked the data online. 
• The same month, they also targeted the City of Pensacola's finance, executive, treasury, risk management, housing, legal, and human resources departments for ransom. 
• In January 2020, the Maze cybercriminal group targeted a London-based company London Offshore Consultants. The criminal group claimed that 300GB of information was stolen from London Offshore Consultants (LOC) Group, and some of it was leaked online to force LOC Group to pay a ransom. 
• Just a month later, in February, Maze ransomware attacks targeted five law firms and a French industrial giant "Bouygues Construction." The French firm released a brief statement admitting a "ransomware-type virus" was detected on its network. The group charged the firm twice, as it asked for $1 million for the decryption key and another $1 million for the 'deletion' of data they stole. 
• In March 2020, a cybersecurity insurance provider for businesses known as “Chubb” was targeted and their data was also stolen. 
• In April 2020, the American multinational corporation “Cognizant,” was targeted by Maze in an attack that resulted in service disruptions. In the same month, the Maze ransomware also targeted the Canadian accounting firm “MNP”, the London-based medical center Hammersmith Medicines Research, Texas-based Affordacare Urgent Care Clinic, Groupement Berkine, as well as two law firms in Manitoba.

Prevention

Indicators of Compromise