What is Maze ransomware?

Maze, a strain of ransomware, has been affecting organizations since 2019. While Maze was initially created by one main group, it has been utilized by multiple attackers for extortion purposes.

In addition to encrypting data, Maze operators typically make copies of the encrypted data and threaten to expose it unless a ransom is paid. This dual impact of Maze ransomware combines the detrimental consequences of traditional ransomware (such as data loss and decreased productivity) with those of a data breach (such as data leaks and privacy violations), posing significant concerns for businesses.

Ransomware is a type of malicious software that locks up files and data through encryption. Victims are informed that they can only regain access to their files and data by paying a ransom to the attacker.

How does a Maze ransomware attack work?

Initially, Maze ransomware primarily circulated through malicious email attachments. However, recent attacks employ alternative approaches to compromise networks before deploying the ransomware payload. For instance, numerous Maze ransomware attacks exploit pilfered or guessed Remote Desktop Protocol (RDP) credentials, encompassing username and password combinations, to infiltrate networks. Other attacks have initiated by exploiting vulnerable virtual private network (VPN) servers.

Once inside a network, Maze ransomware follows the subsequent steps:

1. Reconnaissance: Maze conducts an investigation to identify network vulnerabilities and locate as many interconnected machines as possible. This meticulous assessment ensures that the eventual activation of ransomware has the greatest possible impact. As part of this process, Maze scans Active Directory, a Windows program that compiles a comprehensive list of authorized users and computers on the network. Typically, this reconnaissance stage is concluded several days after the attackers have infiltrated the targeted network.

2. Lateral movement: Utilizing the information obtained during reconnaissance, Maze spreads itself across the network, infecting a multitude of devices to maximize its reach.

3. Privilege escalation: While traversing laterally, Maze progressively pilfers additional credentials, granting it the ability to further expand its presence to other machines. Eventually, it typically attains administrator-level credentials, effectively gaining control over the entire network.

4. Persistence: Maze employs various techniques to evade removal. For example, it may install hidden backdoors within the network, enabling reinstallation if discovered and removed.

5. Attack: Finally, Maze initiates the process of encrypting and exfiltrating data. Once the data has been encrypted, Maze presents or sends a ransom note to the victim, detailing instructions on how to make the payment, regain access to their data, and prevent a potential data leak.

How does Maze exfiltrate data?

“Exfiltration” refers to the unauthorized extraction of data from a secure location. Maze, commonly known for its data exfiltration techniques, employs a file transfer protocol (FTP) server to copy and encrypt files and data, thereby moving them out of the trusted area. To accomplish this, attackers often utilize utilities such as PowerShell and WinSCP.

In certain instances, the exfiltrated data has been successfully transferred, compromising its security and confidentiality.

What is the Maze website?

The Maze ransomware group had been running a website on the dark web for a number of years. Their purpose was to showcase their past attacks by uploading stolen data and documents, while also providing social media links for the dissemination of the pilfered information.

In November 2020, the Maze group made an announcement on their website, stating their intention to cease operations. Nevertheless, it is not uncommon for ransomware groups to continue their activities under a new identity even after such claims of closure.

What was the Cognizant Maze ransomware attack?

In April 2020, a significant event known as the Cognizant Maze ransomware attack unfolded. Cognizant, a global IT services provider catering to various companies, fell victim to this attack. The incident led to the compromise of Cognizant’s network, potentially resulting in the unauthorized acquisition of sensitive data belonging to their clients. Unfortunately, Cognizant did not disclose the specific clients affected by the attack. As a consequence, the restoration of services took several weeks, causing disruptions and delays in the business operations of numerous clients.

As a direct outcome of the attack, Cognizant estimated financial losses ranging from $50 million to $70 million.

What were some other major Maze attacks?

• In 2019, the city of Pensacola, located in Florida, USA, fell prey to Maze, a notorious cyber attack. As evidence of their intrusion, the attackers released 2 GB of Pensacola’s data to the public.

• The year 2020 witnessed several high-profile incidents involving Maze. Canon, an imaging equipment company, became one of their victims. The attackers infected Canon’s systems and successfully exfiltrated a staggering 10 TB of data. Unfortunately, numerous users of Canon’s free storage service permanently lost their data as a consequence of this attack.

• During the same year, Maze targeted Xerox, breaching their systems and pilfering 100 GB of sensitive information.

• In yet another incident in 2020, Maze managed to infiltrate the systems of LG Electronics and leaked the source code data belonging to the company.

Additional organizations that fell victim to Maze’s cyber attacks include WorldNet Telecommunications, Columbus Metro Federal Credit Union, the American Osteopathic Association, and VT San Antonio Aerospace.

How to prevent Maze ransomware

Here are some steps you can take to significantly reduce the likelihood of a Maze ransomware attack:

• Avoid using default credentials: Criminals involved in Maze attacks often exploit weak default usernames and passwords. These default credentials are widely known in the criminal underground, making them highly insecure. Opt for unique and strong credentials to enhance security.

• Implement two-factor authentication (2FA): Utilize 2FA to go beyond just relying on a username and password for user authentication. By requiring an additional factor such as a hardware token, which attackers cannot steal or replicate easily, you can significantly enhance the security of your applications.

• Prioritize email security: Set up robust email security measures to filter out malicious email attachments. Additionally, educate your users to be cautious when dealing with unexpected emails and attachments from untrusted sources.

• Keep systems updated: Regularly update your software to apply patches that address vulnerabilities frequently targeted by Maze ransomware. By staying current with updates, you can mitigate potential entry points for attackers to compromise your servers and networks.

• Employ anti-malware scanning: In the event of a Maze infection, it is critical to promptly detect and remove the ransomware from infected devices. Leveraging anti-malware software can effectively identify most variants of Maze on your devices. Isolate any infected devices from the rest of the network immediately.

• Embrace Zero Trust security: Adopt a Zero Trust security model, which involves continuously revalidating both users and devices, while swiftly restricting access for any devices found to be infected with malware. Educate yourself about the concept of Zero Trust networks to implement stronger security measures.

• Consider utilizing Toffs One: Toffs One is a Zero Trust network-as-a-service (NaaS) platform designed to securely connect remote users, offices, and data centers. By leveraging Toffs One, you can strengthen your defense against ransomware attacks. Learn more about Toffs One and its capabilities in countering ransomware attacks.

By following these steps and implementing the recommended security measures, you can significantly reduce the risk of a Maze ransomware attack on your network and systems.