[Update April 20, 2020] In April 2020, Hammersmith Medicines Research, based in London, was attacked with Maze, just as it was ramping up its conversations with companies about running clinical trials for possible COVID-19 vaccines. As with other ransomware, Maze quickly infected Hammersmith’s systems, encrypting files, demanding a ransom, or, if no ransom happened, the attackers would release the company’s files on the open web.

Maze ransomware made headlines again recently with a successful and highly publicized attack on an extremely large and well-known IT services organization.

What Is It?

First discovered in late May 2019, the ransomware was originally referred to as ChaCha, due to its use of the cryptographic algorithm of the same name. However, the name Maze has been used by its creators and also appears in the ransom note.

Unlike other ransomware, there is no set ransom amount in Maze. Instead, victims need to contact the attackers to be informed of the amount, which is dependent on the number and type of systems encrypted. The text of the ransom note indicates that the attackers have gathered enough information to determine the role of the infected system. It includes the statement, “We know this computer is,” followed by one of six designations, such as “a server in a corporate network” and the generic “valuable for you.”

Maze ransomware uses several techniques to avoid analysis and detection on endpoints. The code contains a hashed list of various process names that it will terminate, including behavioral analysis tools. Other processes, such as database and productivity applications, are terminated to allow their files to be successfully encrypted. The malware will exit if it is running on a system using various Slavic languages. Some variants have also included text strings with messages directed at certain security researchers.

Three main infection vectors have been observed in Maze ransomware attacks. The first is the extremely popular vector of Microsoft Word documents containing malicious macros, resulting in the download and execution of Maze. The popularity of this vector among threat actors is due to its, relatively speaking, high success rate. In addition, the ease of customizing the content in the Word document and the email it is attached to can suit various campaigns or specific organizations. The second vector is compromising internet-facing RDP (Remote Desktop Protocol) connections utilizing poor passwords. The third vector, which has been diminishing in popularity but is still clearly effective, is the use of exploit kits, mainly Spelevo and Fallout.

Maze became more prominent in the latter part of 2019 – notably as the subject of an FBI alert released in late December 2019 – and continues that trajectory into 2020.

Most of the later Maze infections resulted in the attackers exfiltrating data from victims. They use this data to apply additional pressure on victims to pay the ransom by threatening to release the data publicly unless the ransom is paid. This is no idle threat. In November 2019 approximately 700MB of files were stolen from Allied Universal, a large facilities management company. Maze attackers told Bleeping Computer they asked for US$2.3 million in ransom. Allied Universal replied that it would pay no more than $50,000. So, the attackers released those stolen documents publicly.

Data from other Maze victims, including wire and cable manufacturer Southwire and the City of Pensacola, have also been released. In those cases, the attackers released 2GB of files out of the 32GB they claimed to have stolen. This technique has since been adopted by ransomware including Nefilim, CLOP and Sekhmet.

How Does It Propagate?

Though Maze does not contain the necessary code to self-propagate, it is capable of encrypting all attached network shares on an infected system. Maze infections generally utilize one of three main attack vectors, malicious Word documents attached to spam, poorly secured internet-facing RDP connections and exploit kits.

When/How Did BluVector Detect It?

Several recent, publicly available samples of Maze ransomware have been regression tested against BluVector’s patented Machine Learning Engine (MLE) and would have been detected an average of 71 months prior to their release.