Maze ransomware: all you need to know

What is Maze ransomware

Maze was originally known as ChaCha. What was seen as a standard piece of ransomware, over a period of six months eventually evolved into the much more potent form known as Maze.

Maze first reared its head in 2019 and is a particularly sophisticated and complex piece of ransomware. It also specifically targets Windows-operated systems. The calling sign of ransomware is to encrypt a victim’s files and demand a monetary ransom for safe access to the documents. Maze, however, goes a step further.

How Maze ransomware works

Maze is typically distributed via email phishing or spear phishing attack. The email will often be named something unsuspicious but enticing enough for a victim to click it. The email might even be accompanied by a message to further convince the victim of the file’s legitimacy.

Once the file has been opened, Maze gets to work. It finds its way to the Windows program Active Directory, which lists all the computers connected to the network. Now that it has this information, it can spread further, guaranteeing that the impact of its ransom is far-reaching and impossible to ignore. This process can take several days as the hackers use Maze to spot vulnerabilities in the system.

Before Maze activates its ransomware and makes itself known, it needs to secure backdoors. This ensures that if Maze were to be removed, the hackers have a quick way to get back in and continue the attack. As Maze moves through a network, it will make copies of all the files a hacker deems important enough to hold ransom.

Once the victim is made aware of the ransomware, the attack is two-fold. While the hackers will demand a cryptocurrency ransom to decrypt the files, that same data is being uploaded to a site located on the dark web. A further ransom could be demanded to delete the public data.

What is a Maze ransomware website?

The Maze ransomware site was created by the group that spawned the notorious malware in the first place, and could only be found on the dark web. The group used their site both to communicate with victims and clients, as well as to post the data it stole. The data was proof of their attacks, and was also shared with whoever wanted to misuse it. By sharing the data, the Maze ransomware group could escalate a standard ransomware attack into a full-blown data breach.

In late 2020, the Maze group announced on its site that it would cease all attacks. Ransomware groups like to claim an end to their attacks only to rebrand themselves with a different name and restart the attacks several months later. Two new pieces of malware have emerged in recent months – Egregor and Sekhmet – and they have more than a passing resemblance to Maze.

Most known Maze ransomware attacks

Cognizant

Cognizant is one of the largest suppliers of IT services worldwide. In April of 2020, Cognizant’s internal systems were attacked by Maze, forcing the company to temporarily shut down parts of its service in an attempt to mitigate damage and further data theft. Cognizant never revealed the full extent of the damage, but it initially cost the company between $50 million to $70 million.

Canon

In August of 2020, Maze took aim at Canon’s cloud storage app, image.canon. In the wake of the attack, Canon suspended use of the mobile app and browser services. The attack targeted the ten gigabytes of storage space provided to every user by image.canon. The perpetrators claimed to have stolen upwards of ten terabytes of user data, although they never provided proof of those numbers.

Xerox

Xerox, the printing company, was targeted with Maze ransomware in July 2020. The hackers behind the attack claimed to have gained access to a large amount of company and customer data, and threatened to leak it unless a ransom was paid. While it is hard to determine how much Xerox cooperated with these demands, it seems that the hackers went on to publish at least some of the stolen data on the internet.

Pensacola, Florida attack

In 2019, the city of Pensacola, Florida was attacked by Maze ransomware operators. The perpetrators demanded $1 million, threatening to leak 32GB of sensitive data if the money wasn’t paid. To prove that they weren’t bluffing, the hackers leaked 2GB of the stolen data, as proof of the attack. As is often the case in attacks like this, we cannot confirm whether the city paid the ransom or not but, based on the official advise from the FBI, it is likely they did not.

Hammersmith Medicines Research

Hammersmith Medicines Research was revealed to have been the victim of a massive attack in March of 2020. The timing of the attacks couldn’t have been worse because Hammersmith Medicines was about to start clinical trials for a Covid-19 vaccine. The researchers refused to pay the ransom. The personal details of some workers were leaked. The attack came just days after Maze publicly promised on its site that it would not attack medical facilities during the pandemic.

How to protect yourself from Maze ransomware

Maze ransomware is hard to get rid of once the infection has already set in. When it comes to malware like Maze, prevention is often the best form of defense. Here’s how you can reinforce your cybersecurity and make it hard for hackers to utilize Maze against your systems.

• Keep all software up to date. Hackers rely on the negligence of users. If you happen to be running an older version of software, it could mean some security loopholes have yet to be patched.
• Change default login credentials. This process is sometimes overlooked when you are setting up a new system. Tech-savvy criminals will know the default logins that most operating systems use. Utilize a reliable password manager for even better protection.
• Use two-factor authentication. This effectively doubles your current login security. By forcing hackers to rely on a second, unknown form of identification, you’ll force many of them to give up and look for easier targets.
• Backup your data. If you’re ever the victim of a ransomware attack, you might have to delete some files to clear away the infection. By keeping regular backups, you’ll minimize the damage should you be attacked.
• Use a virtual private network. By activating a VPN before accessing a network or system, you’re adding an extra layer of encryption for a hacker to break through.