Security advisories | Apr 21, 2020

Maze Ransomware

THE THREAT

Ransomware campaigns are continuing through the COVID-19 period, with notable activity from the Maze ransomware group. The Maze ransomware actors use a variety of techniques to gain access to organizations; once admin privileges are achieved the groups exfiltrates information and deploy the maze ransomware. The potential damage of ransomware is even higher than during standard periods as many businesses cannot switch to manual operations due to the COVID-19 move to remote workforces.

Maze first emerged in late May 2019 and was the first major ransomware group to announce data theft and exposure in cases where the ransom was not paid. Organizations are recommended to take proactive steps to prevent the delivery and spread of ransomware on corporate networks and assets. 

What we’re doing about it

  • Known Maze infrastructure has been added to the eSentire Global Blacklist
  • Known Maze related hashes have been checked against all esENDPOINT clients
  • esNETWORK rules are in place to detect activity related to Maze ransomware
  • esENDPOINT rules are in place to detect Maze ransomware and offer generic ransomware detection

What you should do about it

  • Apply the practice of least privilege and ensure that only required users have administrator privileges
  • Ensure that all browsers are up to date
  • If remote desktop connection (RDP) is not actively required, consider disabling the service or limiting access
  • Disable all Macros. If this is not possible, only allow macros from controlled/trusted sources [1]

Additional information

On April 18th, 2020, the IT services firm Cognizant was infected with Maze ransomware [2]. Cognizant employs nearly 300,000 people and has clients in over eighty different countries. At this time, it is unclear what ransom has been demanded or whether any information was ex-filtrated prior to ransomware deployment. 

Maze ransomware has historically seen success with various victims ranging from law firms to oil companies. Part of this success is likely due to the varying delivery methods used by the Maze ransomware actors. Past Maze infections have been traced back to exploit kits, unsecured remote desktop connections, impersonation emails and compromised email accounts via malicious Word documents. 

For additional technical details relating to Maze ransomware, see the report Ransomware Maze by Alexandre Mundo [3]. 

References:

[1]  https://support.office.com/en-us/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6

[2] https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/

[3] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/