What Is Maze Ransomware?

Maze ransomware is sophisticated malware, or malicious software, that has targeted organizations in many industries. As with other strains of ransomware, Maze encrypts files on a victim’s servers and computers, enabling ransomware operators to demand a ransom in exchange for decryption keys.

Like REvil and several other ransomware variants, Maze is a form of double extortion ransomware. Before encrypting files, attackers exfiltrate high-value information and threaten to leak confidential data on the dark web if the ransom is not paid. The Maze ransomware gang operated a website for a period of time where data from attacks was published.

Maze ransomware made headlines for attacking managed service providers (MSPs). This was considered a particularly dangerous development since a single compromised MSP could have a domino effect, leading to security incidents for their many clients and business partners.

The Maze ransomware gang first appeared in 2019 and quickly became known for disruptive ransomware attacks across industries that included healthcare, IT services, and local governments.

At one point in 2020, the gang behind Maze teamed up with the cybercriminals running LockBit ransomware and RagnarLocker, coordinating efforts and execution techniques and publishing stolen data on the Maze website.

At the end of 2020, the Maze ransomware group stated that it was shutting down operations. However, authorities distrust these claims, as other ransomware groups have made similar announcements while simply rebranding their code under a new name. Researchers have observed similarities between Maze and several new ransomware variants, suggesting that Maze and its operators still pose a potent cyberthreat.

Notable Maze ransomware attacks
In April 2020, the IT services provider Cognizant was attacked by Maze ransomware. Client data was stolen in the attack, which took several weeks to resolve. Other major incidents include cyberattacks on Xerox, LG Electronics, the imaging equipment company Canon, and the City of Pensacola, Florida. Maze operators also targeted healthcare organizations during the pandemic.

Maze ransomware operators are thought to include several groups of cybercriminals. Maze ransomware does not attack systems where the language is set to Russian, Ukrainian, Belarusian, and a number of other states formerly part of the Soviet Union.

Maze follows a formula that is common to many other types of ransomware.

• Distribution: Maze ransomware has been distributed through malicious email attachments (often created in Microsoft Word), as well as Remote Desktop Protocol (RDP) attacks using stolen credentials or brute force, and compromised endpoints in VPN apps. Exploit kits like Spelevo and Fallout allow attackers to take advantage of vulnerabilities in software, APIs, and Windows operating systems. Maze operators have also used backdoors left by other malware.
• Persistence: Maze resists removal by installing backdoors into the network that allow attackers to regain access and reinstall ransomware if it is discovered and removed.
• Reconnaissance: The malware scans the network to find additional vulnerabilities it can exploit and high-value data it can exfiltrate.
• Infection: Using information gained from reconnaissance, Maze deploys lateral movement techniques and tools like Mimikatz or Trojan droppers to move throughout a network and infect as many devices and machines as possible.
• Privilege escalation: As it moves laterally throughout a network, Maze uses stolen credentials to escalate privileges and acquire administrator control over the entire network.
• Exfiltration: Maze uses a file transfer protocol (FTP) server like PowerShell or WinSCP to transfer high-value data to servers outside the network. Exfiltrating data enables attackers to extort more money from victims.
• Encryption: Maze deploys a payload designed to encrypt files using advanced algorithms. Maze also deletes shadow copies of encrypted files to ensure that the data cannot be easily restored.
• Ransom demands: Once data has been encrypted, Maze displays a ransom note that provides instructions on how to make a payment to prevent a data leak and to regain encrypted files.

Preventing and detecting threats like Maze ransomware requires a multilayered approach to security.

• Strong passwords: Many ransomware attacks use compromised credentials to infiltrate a network. Using strong passwords and avoiding default usernames and passwords can help to neutralize this attack vector.
• Multi-factor authentication: Requiring users to provide two or more forms of authentication before receiving access to a network helps to prevent unauthorized access by ransomware operators.
• Email filtering: Technology that blocks email messages containing suspicious links or attachments can help prevent phishing messages and ransomware from reaching end users.
• Updates and patches: IT teams must regularly apply patches and update software and firmware to remediate known vulnerabilities that cybercriminals may exploit in ransomware attacks.
• Zero Trust security: A Zero Trust approach to security requires every user and device to be authenticated and authorized on every request for access to resources. This helps to prevent ransomware from moving laterally within a network, minimizing the damage and helping security teams discover ransomware attacks early.
• Endpoint protection: Endpoint security involves protection for individual machines like laptops, desktops, and mobile devices. These solutions collect and analyze data from endpoints to identify threat patterns and monitor traffic to uncover potentially suspicious behavior.
• Real-time monitoring for anomalies: Continuous monitoring for suspicious behavior provides IT teams with an early warning of possible attack.
• Security awareness training: Since user actions like opening a phishing email are often the first step in a ransomware attack, organizations must provide training to help employees recognize the signs of a potential attack and to develop good security hygiene.
• Backups: Organizations can protect against ransomware by backing up important data frequently. Keeping a copy of data isolated from the network helps to prevent backup systems from also being infected by ransomware.
• Threat intelligence: Intelligence feeds and best practices from platforms like MITRE ATT&CK help IT and security teams to be better prepared to defend against ransomware attacks like Maze.

Maze ransomware removal requires a well-crafted incident response plan. Steps involve:

• Isolating the affected systems to prevent the ransomware from spreading further
• Using specialized ransomware removal tools to eradicate the code
• Restoring data from an offline backup, if possible
• Cybersecurity analysis to identify and remediate vulnerabilities used in the attack
• Coordinating with law enforcement agencies like the FBI to investigate the cybercriminals behind the ransomware attack