Awareness of Maze Ransomware Attack - Reduce the Risk


Maze Ransomware

Overview

Like all ransomware, the main goal of Maze is to encrypt every file it can reach on an infected system and then demand a ransom to recover the files. However, there are some things about Maze that are not so common and that we need to know about:

1. Discovered on May 29th, 2019 by Jerome Segura. [Malware Wiki]
2. The attackers threaten victims that, if they do not pay, the stolen information will be released on the Internet. Maze's operators have created a dedicated web page which lists the identities of their non-cooperative victims and regularly publishes samples of the stolen data. Maze has since published the details of dozens of companies.
3. Indicators of Compromise (IOCs) provided by one of the recent victims included the IP addresses of servers associated with the kepstl32.dll, memes.tmp and maze.dll files, which are known to have been used in previous Maze ransomware attacks. Hence it is suspected that the operators carry out targeted attacks, unlike WannaCry, which was designed to spread by exploiting the EternalBlue vulnerability.
4. As with many types of ransomware, there is an offer to decrypt three images for free, and that service has been verified as working; this proof of decryption is used to lure the victim into paying.

Brief Technical Details

1. The PEB field "IsDebuggerPresent". This Boolean field is set by Windows to 1 (True) if the application is running inside a debugger or 0 (False) if it is not. If the malware detects a debugger it remains in an infinite loop, doing nothing while wasting system resources.
2. It can terminate the IDA debugger, x32dbg, OllyDbg and other processes to avoid dynamic analysis, and it also closes databases, office programs and security tools.
3. The malware tries to delete the shadow volumes in the system using the "wmic.exe" program with the switches "shadowcopy" and "delete". Prior to this, the malware resolves the function "Wow64DisableWow64FsRedirection" with "GetProcAddress" and calls it dynamically, using it to avoid the file system redirection applied by default on 64-bit operating systems.
4. The malware tries to delete the shadow copies twice: once before encrypting the files in the infected system and once after encrypting them.
5. The malware uses two algorithms to encrypt the files: ChaCha, a symmetric cipher based on the Salsa20 algorithm, and, for protection, the asymmetric RSA algorithm.
6. In each execution the malware creates a Public BLOB of one RSA key that will be used to encrypt the part that holds the information needed to decrypt the files, and one Private BLOB with an RSA key that allows decryption of the information encrypted with the public RSA blob created previously.

For detailed information: [Ransomware Maze - Blog - By McAfee]

If you have any queries or need help, please feel free to contact us: IARM Information Security Pvt Ltd | https://www.iarminfo.com | info@iarminfo.com

Point of intrusion

This ransomware is known to spread via email attachments, using (spoofing) well-known and trusted domain names.

Recommendations

1. Notify end users to avoid opening any suspicious emails and to avoid opening attachments from unknown senders/sources. The same goes for links in emails.
2. Apply the latest security patches for all devices and operating systems.
3. Highly recommended: implement a SIEM tool and track security events.
4. Update to the latest anti-virus signatures.
5. Disable macros in Office programs and never enable them unless it is essential to do so.
6. Back up all critical files using the 3-2-1 rule: 3 backup copies on 2 different media, with 1 backup in a separate location.
7. Disable RDP. If your organization must use RDP, avoid exposing it to the public Internet; only devices on the LAN or accessing via VPN should be able to establish a remote session.

For the Security Operations Center

MITRE ATT&CK TIDs

These technique IDs cover the stages of an attack that resemble Maze and similar ransomware; it is highly recommended to include them in SIEM and log analysis if these events are not already being monitored.

TID   | Tactic              | Description
T1082 | Discovery           | System Information Discovery: it gathers computer information (e.g. OS version, computer name)
T1043 | Command and Control | Commonly Used Ports: it reaches out to C2 servers over port 80
T1486 | Impact              | Data Encrypted for Impact: the ransomware encrypts files and then demands a ransom to be paid for decrypting them
T1107 | Defense Evasion     | File Deletion: shadow copy deletion by WMIC
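As an added example (not part of the advisory), the following Python detection logic covers the T1107 row above: it scans process-creation log lines for wmic.exe invoked with the "shadowcopy" and "delete" switches, matching both the System32 and SysWOW64 copies of the binary (relevant because the malware disables WoW64 redirection) and escalating when the deletion repeats on a host, as Maze does before and after encryption. The log format is a simplified, constructed Sysmon-style one, not the output of any specific product.

```python
import re
import shlex
from collections import Counter

# Constructed sample process-creation events (simplified Sysmon Event ID 1 style).
# These are made-up lines for this example, not real telemetry.
SAMPLE_LOGS = [
    'host=WS01 image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic.exe shadowcopy delete"',
    'host=WS01 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir"',
    'host=WS01 image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy /nointeractive delete"',
    'host=WS02 image=C:\\Windows\\SysWOW64\\wbem\\WMIC.exe cmdline="WMIC.EXE shadowcopy list"',
    'host=WS02 image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic os get caption"',
]

LINE_RE = re.compile(r'host=(?P<host>\S+) image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"')


def is_shadowcopy_delete(image, cmdline):
    """True when wmic.exe (32- or 64-bit copy) is run with both 'shadowcopy' and 'delete'."""
    if not image.lower().endswith("\\wmic.exe"):
        return False
    # Tokenize the command line so the switches match as whole arguments in any order;
    # the first token is the program name itself and is skipped.
    args = [a.lower() for a in shlex.split(cmdline, posix=False)][1:]
    return "shadowcopy" in args and "delete" in args


def severity(count):
    """Repeated deletion on one host matches the pre- and post-encryption pattern."""
    return "HIGH" if count > 1 else "MEDIUM"


def detect(lines):
    """Return {host: number of WMIC shadow copy deletions} for hosts with at least one hit."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_shadowcopy_delete(m["image"], m["cmdline"]):
            hits[m["host"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in detect(SAMPLE_LOGS).items():
        print(f"{host}: {n} shadow copy deletion(s) via WMIC (T1107) -> {severity(n)}")
```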




Indicators of Compromise (IOCs)

Indicator                                                        | Type   | Context
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684 | SHA256 | Maze Ransomware
f83fb9ce6a83da58b20685c1d7e1e546                                 | MD5    | Maze Ransomware



