Since 2019, Maze ransomware has terrorized the internet. From giant IT service provider Cognizant to photography company Canon, Maze ransomware attacks could target anyone and everyone. How does Maze work? Why is it so dangerous?
Maze was originally known as ChaCha. What was initially seen as a standard piece of ransomware evolved, over a period of about six months, into the much more potent form known as Maze.
Maze first reared its head in 2019 and is a particularly sophisticated and complex piece of ransomware. It specifically targets Windows systems. The hallmark of ransomware is to encrypt a victim’s files and demand a monetary ransom for safe access to the documents. Maze, however, goes a step further.
Maze is typically distributed via email phishing or spear-phishing attacks. The email and its attachment will often be given an innocuous but enticing name to tempt the victim into opening it, and the email may carry a message designed to further convince the victim of the file’s legitimacy.
Once the file has been opened, Maze gets to work. It locates Active Directory, the Windows directory service that lists every computer joined to the domain. With this information, it can spread further, guaranteeing that the impact of its ransom is far-reaching and impossible to ignore. This process can take several days as the hackers use Maze to spot vulnerabilities in the system.
Before Maze activates its ransomware and makes itself known, it needs to establish backdoors. This ensures that if Maze were to be removed, the hackers have a quick way to get back in and continue the attack. As Maze moves through a network, it makes copies of every file the hackers deem important enough to hold to ransom.
Once the victim is made aware of the ransomware, the attack is two-fold. While the hackers will demand a cryptocurrency ransom to decrypt the files, that same data is being uploaded to a site located on the dark web. A further ransom could be demanded to delete the public data.
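The two-stage pattern described above (broad enumeration and collection across the network, a bulk upload off the network, then mass rewriting of files) is what a defender would want to correlate per host before the ransom note appears. The script below is an added illustration and is not code from the original article or from any product: it runs a few simple per-host heuristics over constructed, simplified event lines. The log format, the `.locked` suffix, the threshold values and the host and server names are all assumptions made for the example, not observed Maze indicators.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in an assumed "ts host action detail" format
# (not real Maze artifacts). One host shows the full chain; one does not.
SAMPLE_LOG = r"""
09:00:01 WS-17 LDAP_QUERY (objectClass=computer)
09:00:05 WS-17 SMB_READ \\FS-01\finance\q3.xlsx
09:00:06 WS-17 SMB_READ \\FS-02\hr\payroll.csv
09:00:07 WS-17 SMB_READ \\FS-03\legal\contracts.pdf
09:00:08 WS-17 SMB_READ \\FS-04\eng\designs.zip
09:00:09 WS-17 SMB_READ \\FS-05\exec\board.pptx
09:10:00 WS-17 NET_OUT 734003200 203.0.113.7
09:30:00 WS-17 FILE_WRITE C:\Users\alice\Documents\q3.xlsx.locked
09:30:01 WS-17 FILE_WRITE C:\Users\alice\Documents\memo.docx.locked
09:30:02 WS-17 FILE_WRITE C:\Users\alice\Documents\photo.jpg.locked
09:00:10 WS-03 SMB_READ \\FS-01\finance\q3.xlsx
09:05:00 WS-03 NET_OUT 2048 198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
LOCKED_SUFFIX = ".locked"  # assumed for the example; real campaigns vary


def parse_events(log_text):
    """Turn raw lines into (ts, host, action, detail) tuples; skip junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events


def stages_per_host(events, share_threshold=5,
                    exfil_bytes=500 * 1024 * 1024, rename_threshold=3):
    """Map each host to the set of attack stages its activity matches.

    enumeration : queried the directory for computer objects
    collection  : read files from at least share_threshold distinct servers
    exfiltration: sent at least exfil_bytes to a single destination
    encryption  : wrote at least rename_threshold files with LOCKED_SUFFIX
    Thresholds are illustrative assumptions, not tuned values.
    """
    servers = defaultdict(set)
    out_bytes = defaultdict(lambda: defaultdict(int))
    locked_writes = defaultdict(int)
    enumerators = set()

    for _ts, host, action, detail in events:
        if action == "LDAP_QUERY" and "objectClass=computer" in detail:
            enumerators.add(host)
        elif action == "SMB_READ":
            # \\SERVER\share\path -> SERVER
            server = detail.lstrip("\\").split("\\", 1)[0]
            servers[host].add(server.upper())
        elif action == "NET_OUT":
            size, dst = detail.split()
            out_bytes[host][dst] += int(size)
        elif action == "FILE_WRITE" and detail.lower().endswith(LOCKED_SUFFIX):
            locked_writes[host] += 1

    stages = defaultdict(set)
    for host in enumerators:
        stages[host].add("enumeration")
    for host, seen in servers.items():
        if len(seen) >= share_threshold:
            stages[host].add("collection")
    for host, dests in out_bytes.items():
        if any(total >= exfil_bytes for total in dests.values()):
            stages[host].add("exfiltration")
    for host, count in locked_writes.items():
        if count >= rename_threshold:
            stages[host].add("encryption")
    return dict(stages)


def double_extortion_hosts(log_text):
    """Hosts that both collected data widely and pushed a large volume out."""
    stages = stages_per_host(parse_events(log_text))
    return sorted(h for h, s in stages.items()
                  if {"collection", "exfiltration"} <= s)


if __name__ == "__main__":
    for host, found in stages_per_host(parse_events(SAMPLE_LOG)).items():
        print(host, sorted(found))
    print("double-extortion candidates:", double_extortion_hosts(SAMPLE_LOG))
```

The point of correlating the stages rather than alerting on any one of them is that the collection and upload happen days before the encryption that finally makes the intrusion visible; a host that trips collection and exfiltration together is worth isolating before the files are rewritten.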
The Maze ransomware site was created by the group that spawned the notorious malware in the first place, and could only be found on the dark web. The group used the site both to communicate with victims and clients and to post the data it stole. The data was proof of their attacks, and was also shared with whoever wanted to misuse it. By sharing the data, the Maze ransomware group could escalate a standard ransomware attack into a full-blown data breach.
In late 2020, the Maze group announced on its site that it would cease all attacks. Ransomware groups like to claim an end to their attacks only to rebrand themselves with a different name and restart the attacks several months later. Two new pieces of malware have emerged in recent months – Egregor and Sekhmet – and they have more than a passing resemblance to Maze.
Cognizant is one of the largest suppliers of IT services worldwide. In April of 2020, Cognizant’s internal systems were attacked by Maze, forcing the company to temporarily shut down parts of its service in an attempt to mitigate damage and further data theft. Cognizant never revealed the full extent of the damage, but it initially cost the company between $50 million and $70 million.
In August of 2020, Maze took aim at Canon’s cloud storage app, image.canon. In the wake of the attack, Canon suspended use of the mobile app and browser services. The attack targeted the ten gigabytes of storage space provided to every user by image.canon. The perpetrators claimed to have stolen upwards of ten terabytes of user data, although they never provided proof of those numbers.
Hammersmith Medicines Research was revealed to have been the victim of a massive attack in March of 2020. The timing of the attacks couldn’t have been worse because Hammersmith Medicines was about to start clinical trials for a Covid-19 vaccine. The researchers refused to pay the ransom. The personal details of some workers were leaked. The attack came just days after Maze publicly promised on its site that it would not attack medical facilities during the pandemic.
Maze ransomware is hard to get rid of once the infection has already set in. When it comes to malware like Maze, prevention is often the best form of defense. Here’s how you can reinforce your cybersecurity and make it hard for hackers to use Maze against your systems.