Watch Out the Latest Active Ransomware: Maze

In December, Maze ransomware drew wide attention after it was identified as the culprit behind several recently reported cyberattacks. The criminals operating Maze keep looking for ways to maximize their leverage over potential victims. For instance, they raise the psychological stakes for victims who refuse to pay: by "naming and shaming" them on public websites, the criminals turn reluctant targets into paying customers. Here are some recent attacks attributed to Maze ransomware:

  • On October 21st, 2019, the Canadian insurance firm Andrew Agencies was hit by Maze ransomware. Its network was breached and 245 computers were encrypted. The Maze operators demanded a ransom of 150 bitcoins, about $1.1 million.
  • In November 2019, the Maze operators punished Allied Universal for missing the payment deadline by publicly releasing 10% of the files stolen from it.
  • On December 7th, 2019, a cyberattack struck the city of Pensacola. The Maze operators behind it demanded $1 million in ransom.
  • On December 9th, 2019, Southwire Co., North America's largest wire and cable manufacturer, was hit by a Maze ransomware attack. A ransom of 850 bitcoins, approximately $6.1 million, was demanded.

According to Maze Ransomware Behind Pensacola Attack, Data Breach Looms, "The data breach fears are particularly relevant given that Maze has a quirk not found in most ransomware: In addition to encrypting files and offering the decryption key in exchange for a ransom payment, it also automatically copies all affected files to the malicious operators' servers, according to researchers." It is also worth noting that Maze differs from most ransomware in that the ransom amount depends on the role of the infected computer (personal computer, office workstation, server), so the cost of decryption rises when a high-value system is hit. To date, files encrypted by Maze cannot be decrypted without the attackers' key.
Maze hinders static analysis with large amounts of obfuscated code and encrypts files with RSA + Salsa20. After encryption, a random extension is appended to each file name. An infected host ends up with three artifacts: the encrypted file contents; a ransom note named DECRYPT-FILES.html, dropped once the keys have been generated, which tells the victim that the files were encrypted and gives the authors' email address and payment instructions; and a Base64-encoded string containing the encrypted private decryption key together with information about the infected computer. The note states that this string must be included in any email sent to the ransomware authors.
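To make concrete why files encrypted this way cannot be recovered without the operators' key, here is an added example (not code from the page or from the Maze sample) of the hybrid scheme the paragraph describes: a per-file symmetric key protects the file contents, that key is wrapped under a per-victim session RSA public key, and the session private key is in turn wrapped under a master public key whose private half never leaves the operators' server; the wrapped session key plus victim details form the Base64 blob the note asks the victim to send. Everything about the keys is an assumption made so the example runs on the standard library alone: Mersenne primes stand in for real RSA key generation, the RSA is textbook (no OAEP padding), and an HMAC-SHA256 counter-mode keystream stands in for Salsa20. The victim host details and file contents are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import os
import struct


def _rsa_from_primes(p: int, q: int):
    """Textbook RSA key pair from two primes (no padding; demo only)."""
    n = p * q
    e = 65537
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def _blen(n: int) -> int:
    """Byte length of a modulus."""
    return (n.bit_length() + 7) // 8


# Assumption: Mersenne primes stand in for real key generation. The master
# pair lives only on the operators' server; a real sample would generate the
# session pair fresh on each victim and only ever embed the master public key.
MASTER_PUB, MASTER_PRIV = _rsa_from_primes(2 ** 521 - 1, 2 ** 1279 - 1)
SESSION_PUB, SESSION_PRIV = _rsa_from_primes(2 ** 127 - 1, 2 ** 607 - 1)


def rsa_wrap(pub, secret: bytes) -> bytes:
    """Encrypt a short secret (a key) under an RSA public key."""
    n, e = pub
    m = int.from_bytes(secret, "big")
    if m >= n:
        raise ValueError("secret too long for this modulus")
    return pow(m, e, n).to_bytes(_blen(n), "big")


def rsa_unwrap(priv, wrapped: bytes, length: int) -> bytes:
    """Recover a wrapped secret; a wrong key yields garbage, not an error."""
    n, d = priv
    m = pow(int.from_bytes(wrapped, "big"), d, n)
    return (m % (1 << (8 * length))).to_bytes(length, "big")


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for Salsa20).
    The same call encrypts and decrypts."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def make_victim_blob(victim_info: dict) -> str:
    """The Base64 string the ransom note tells the victim to e-mail:
    the session private key wrapped under the master public key, plus host info."""
    d_bytes = SESSION_PRIV[1].to_bytes(_blen(SESSION_PUB[0]), "big")
    blob = {
        "session_n": str(SESSION_PUB[0]),
        "wrapped_session_d": base64.b64encode(rsa_wrap(MASTER_PUB, d_bytes)).decode(),
        "victim": victim_info,
    }
    return base64.b64encode(json.dumps(blob).encode()).decode()


def encrypt_file(name: str, plaintext: bytes):
    """Return (new file name with random extension, encrypted bytes).
    Trailer = 8-byte nonce + file key wrapped under the session public key."""
    file_key = os.urandom(32)
    nonce = os.urandom(8)
    body = stream_xor(file_key, nonce, plaintext)
    trailer = nonce + rsa_wrap(SESSION_PUB, file_key)
    return name + "." + os.urandom(4).hex(), body + trailer


def recover_session_priv(master_priv, blob_b64: str):
    """Operator side: unwrap the session private key from the victim's blob."""
    blob = json.loads(base64.b64decode(blob_b64))
    n = int(blob["session_n"])
    wrapped = base64.b64decode(blob["wrapped_session_d"])
    return (n, int.from_bytes(rsa_unwrap(master_priv, wrapped, _blen(n)), "big"))


def decrypt_file(session_priv, encrypted: bytes) -> bytes:
    """Decryptor: needs the session private key, which only the master key unlocks."""
    klen = _blen(session_priv[0])
    body = encrypted[:-(8 + klen)]
    nonce = encrypted[-(8 + klen):-klen]
    file_key = rsa_unwrap(session_priv, encrypted[-klen:], 32)
    return stream_xor(file_key, nonce, body)


if __name__ == "__main__":
    blob = make_victim_blob({"host": "WS-01", "role": "workstation"})  # constructed
    name, enc = encrypt_file("report.docx", b"quarterly numbers\n" * 40)
    session_priv = recover_session_priv(MASTER_PRIV, blob)
    print(name, decrypt_file(session_priv, enc)[:17])
```

The victim holds the encrypted files, the blob, and (inside the binary) the master public key; none of those yields the session private key, so recovery without the operators' master private key amounts to breaking RSA. This is also why backups, not decryption attempts, are the realistic recovery path.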
Ransomware is a serious threat to the data security of enterprises and individuals. Once a host is compromised, its files may be encrypted, and encrypted files are difficult to recover. Prevention is therefore essential; users should not rely on recovering encrypted data after the fact. They should install antivirus software, keep the operating system up to date, and patch device vulnerabilities promptly. Important data should be backed up, and weak or reused passwords avoided. Remote Desktop Services should only be reachable through a secure channel such as a VPN, and the Remote Desktop Service should be turned off altogether when the business does not need it.