Maze Ransomware
Overview
Like all ransomware, the main goal of Maze is to encrypt every file it can reach on an infected system and then demand a ransom to recover the files. However, there are things that are not so common to Maze ransomware that we need to know about:
1. Discovered on May 29th, 2019 by Jerome Segura. [Malware Wiki]
2. The attackers threaten the victims that, if they do not pay, they will release the stolen information on the Internet. Maze's operators have created a dedicated web page which lists the identities of their non-cooperative victims and regularly publishes samples of the stolen data. Maze has since published the details of dozens of companies.
3. Indicators of Compromise (IOCs) provided by one of the recent victims included the IP addresses of servers associated with the kepstl32.dll, memes.tmp and maze.dll files, which are known to have been used previously in Maze ransomware attacks. Hence it is suspected that the operators carry out targeted attacks, unlike WannaCry, which was designed to spread by exploiting the EternalBlue vulnerability.
4. As with many types of ransomware, there is an offer to decrypt three images for free, and that service has been verified as working; this proof of decryption is used to lure the victim into paying.
Brief Technical Details
1. The PEB field “IsDebuggerPresent”. This is a Boolean field that Windows fills with 1 (True) if the application is running inside a debugger or 0 (False) if it is not. If the malware detects a debugger it remains in an infinite loop without doing anything, wasting system resources.
2. It can terminate the IDA debugger, x32dbg, OllyDbg and other processes to avoid dynamic analysis, and it closes databases, office programs and security tools.
3. The malware tries to delete the shadow volumes in the system using the “wmic.exe” program with the switches “shadowcopy” and “delete”. Prior to this, the malware resolves the function “Wow64DisableWow64FsRedirection” with “GetProcAddress” and calls it dynamically, so that the file system redirection that 64-bit operating systems apply to 32-bit processes by default does not affect it.
4. The malware tries to delete the shadow copies twice: once before encrypting the files in the infected system and again after encrypting them.
5. The malware uses two algorithms to encrypt the files: ChaCha, a symmetric cipher based on the Salsa20 algorithm, and, for protection, the asymmetric RSA algorithm.
6. In each execution the malware creates a public BLOB of one RSA key, which is used to encrypt the part that holds the information needed to decrypt the files, and one private BLOB with an RSA key that allows decryption of the information encrypted with the public RSA BLOB created previously. For detailed information, see [Ransomware Maze - Blog - By McAfee].
If you have any queries or need help, please feel free to contact us: IARM Information Security Pvt Ltd | https://www.iarminfo.com | info@iarminfo.com
Point of intrusion
This ransomware is known to spread via email attachments, using spoofed well-known and trusted domain names.
Recommendation
1. Notify end users to avoid opening suspicious emails and attachments from unknown senders/sources. The same goes for links in emails.
2. Apply the latest security patches to all devices and operating systems.
3. It is highly recommended to implement a SIEM tool and track security events.
4. Update to the latest anti-virus signatures.
5. Disable macros in Office programs and never enable them unless it is essential to do so.
6. Back up all critical files using the 3-2-1 rule: 3 backup copies on 2 different media with 1 backup in a separate location.
7. Disable RDP. If your organization must use RDP, avoid exposing it to the public Internet; only devices on the LAN or connecting via VPN should be able to establish a remote session.
For Security Operation Center: MITRE ATT&CK TIDs
These technique IDs cover the stages of an attack that resemble Maze and similar ransomware; it is highly recommended to include them in SIEM and log analysis if these events are not already being monitored.
TID | Tactic | Description
T1082 | Discovery | System Information Discovery: it gathers computer information (e.g. OS version, computer name)
T1043 | Command and Control | Commonly Used Ports: it reaches out to C2s over port 80
T1486 | Impact | Data Encrypted for Impact: the ransomware encrypts files and then demands a ransom to be paid for decrypting them
T1107 | Defense Evasion | File Deletion: shadow copy deletion by WMIC
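As an added example (not part of the original advisory), the detection logic for the T1107 row above, run over constructed Sysmon Event ID 1 records: it flags wmic.exe launched with the “shadowcopy” and “delete” switches regardless of argument order or case, and, because Maze deletes shadow copies once before and once after encryption, raises a host to critical on the second hit. Host names, paths and the flattened "key=value|key=value" line format are assumptions for the sample.

```python
from collections import defaultdict

# Constructed Sysmon Event ID 1 (process creation) and Event ID 3 (network) records,
# flattened to one "key=value|key=value" line each. Hosts and paths are made up.
SAMPLE_EVENTS = [
    "EventID=1|Computer=FS01|ParentImage=C:\\Temp\\sample.exe|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic.exe shadowcopy delete",
    "EventID=1|Computer=FS01|ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic os get caption",
    "EventID=1|Computer=WS02|ParentImage=C:\\Temp\\sample.exe|Image=C:\\Windows\\SysWOW64\\wbem\\WMIC.exe|CommandLine=WMIC SHADOWCOPY DELETE",
    "EventID=3|Computer=WS02|Image=C:\\Temp\\sample.exe|DestinationPort=80",
    "EventID=1|Computer=FS01|ParentImage=C:\\Temp\\sample.exe|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic.exe shadowcopy delete",
]

def parse_event(line):
    # Turn one flattened record into a dict of field name -> value.
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def is_shadow_copy_deletion(event):
    # True when wmic.exe (from System32 or SysWOW64) runs with both the shadowcopy and
    # delete switches; tokens are normalised because order and case vary in practice.
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image != "wmic.exe":
        return False
    tokens = [t.lower() for t in event.get("CommandLine", "").split()]
    return "shadowcopy" in tokens and "delete" in tokens

def detect(lines):
    # One alert per matching process-creation event, tagged with the ATT&CK technique.
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") == "1" and is_shadow_copy_deletion(event):
            alerts.append({"host": event.get("Computer", "?"), "technique": "T1107",
                           "tactic": "Defense Evasion", "parent": event.get("ParentImage"),
                           "command": event.get("CommandLine")})
    return alerts

def severity_by_host(alerts):
    # Maze deletes shadow copies before and after encrypting, so a second hit on the
    # same host is treated as encryption likely in progress (T1486) and raised to critical.
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["host"]] += 1
    return {host: ("critical" if n >= 2 else "high") for host, n in counts.items()}

if __name__ == "__main__":
    print(severity_by_host(detect(SAMPLE_EVENTS)))
```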
Indicators of Compromise (IOCs)
Indicator | Type | Context
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684 | SHA256 | Maze Ransomware
f83fb9ce6a83da58b20685c1d7e1e546 | MD5 | Maze Ransomware