What You Need to Know About Maze Ransomware Attacks


Destructive ransomware attacks against large organizations have always made headlines, and unfortunately they are becoming more common. For example, on April 18, 2020, Cognizant admitted that it had become a victim of Maze ransomware. Cognizant is a major IT service provider with more than 290,000 employees, delivering a wide range of services to countless companies across industries, so a ransomware attack on Cognizant can have major consequences for many people and organizations. Unfortunately, very few details about the attack have been disclosed: beyond the brief statement on April 18, Cognizant has provided no official information, and that statement did not reveal when the attackers got in or how they did it. Here are 7 things we need to know about Maze ransomware attacks: 

  1. Maze ransomware was discovered in May 2019; it was previously known as ChaCha ransomware. 
  2. Maze combines ChaCha20 and RSA: file contents are encrypted with ChaCha20, and the ChaCha20 keys are in turn encrypted with an RSA public key, so decrypting the files requires the operators' RSA private key. Upon execution, the ransomware scans for files to encrypt and appends different extensions to the encrypted files.  
  3. The ransom amount differs depending on whether the infected machine is a home computer, a workstation, or a server. 
  4. The most distinctive characteristic of Maze is that its operators exfiltrate the victim's data and threaten to publish it on the internet if the ransom is not paid.  
  5. The primary objective of Maze is to encrypt every file it can reach on an infected system and then demand a ransom for the decryptor.  
  6. The Maze binary contains a number of anti-reversing tricks intended to make static analysis more difficult.  
  7. Maze has historically relied on exploit kits, remote desktop connections protected by weak passwords, and impersonation (phishing) emails to gain initial access to a victim's system. 
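The hybrid scheme in point 2 (a fresh symmetric key per file, wrapped with the operators' RSA public key) is the reason a decryptor cannot be built from the malware sample alone: the public key is all that ships in the binary, and the private key never touches the victim's machine. The following is an added illustration of that model, not code from Maze or from LIFARS. It assumes textbook RSA without padding and a 1024-bit key chosen for speed (real tooling would use OAEP and at least 2048 bits), and the sample file contents are constructed; only the Python standard library is used.

```python
# Added example (not Maze's code): per-file ChaCha20 key wrapped with the operator's
# RSA public key. Assumptions: textbook RSA without padding (real tools use OAEP),
# a 1024-bit key for speed, and a constructed sample plaintext.
import secrets
import struct

MASK32 = 0xFFFFFFFF

def _rotl(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    # RFC 8439 section 2.1, applied in place to the 16-word working state
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3): 32-byte key, 12-byte nonce."""
    raw = b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce
    state = list(struct.unpack("<16I", raw))
    w = state[:]
    for _ in range(10):  # 20 rounds as 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(state, w)])

def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt and decrypt are the same operation: XOR with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)

def _is_probable_prime(n, rounds=16):
    # Miller-Rabin; trial division by small primes first discards most candidates cheaply
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=1024, e=65537):
    """Toy RSA key pair; the operator keeps (n, d) and only (n, e) ships in the malware."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1  # force top bit and odd
            if _is_probable_prime(c) and (c - 1) % e:  # e prime, so this gives gcd(e, c-1) == 1
                return c
    p, q = prime(bits // 2), prime(bits // 2)
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def rsa_wrap(pub, blob):
    n, e = pub
    m = int.from_bytes(blob, "big")
    assert m < n, "blob must be smaller than the modulus"
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_unwrap(priv, wrapped, length):
    n, d = priv
    return pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(length, "big")

def encrypt_file(operator_pub, plaintext):
    """Fresh key and nonce per file; only the RSA-wrapped copy is stored beside the ciphertext."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    return rsa_wrap(operator_pub, key + nonce) + chacha20_xor(key, nonce, plaintext)

def decrypt_file(operator_priv, blob):
    """Needs the operator's private key: unwrap key+nonce (44 bytes), then undo the XOR."""
    klen = (operator_priv[0].bit_length() + 7) // 8
    kn = rsa_unwrap(operator_priv, blob[:klen], 44)
    return chacha20_xor(kn[:32], kn[32:], blob[klen:])

if __name__ == "__main__":
    pub, priv = rsa_keygen()
    sample = b"Q3 payroll export (constructed sample file contents)\n" * 20
    encrypted = encrypt_file(pub, sample)
    assert decrypt_file(priv, encrypted) == sample
    print("round trip ok; without (n, d) the wrapped per-file key is unrecoverable")
```

Two consequences for responders follow directly from this structure: a memory dump or network capture is only useful if it happens to contain the unwrapped per-file keys or the operators' private key, and killing the process mid-run leaves already-encrypted files just as unrecoverable as letting it finish.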

Here are some large-scale Maze ransomware attacks from the past: 

  • On Oct. 29, 2019, a campaign distributing Maze ransomware to Italian users was detected; it used emails impersonating the Italian Revenue Agency. 
  • In November 2019, the group behind Maze ransomware published almost 700 megabytes of data and files stolen from security staffing firm Allied Universal. 
  • The operators behind Maze ransomware said they were responsible for encrypting data belonging to the City of Pensacola, Florida, and demanded a $1 million ransom for a decryptor. 
  • Wire and cable maker Southwire was hit by Maze ransomware on Dec. 9, 2019, which disrupted computing across the whole company.  
  • On Jan. 23, 2020, Maze ransomware operators infected computers at Medical Diagnostics Laboratories (MDLab) and released close to 9.5 gigabytes of data stolen from the infected machines. 
  • In March 2020, the operators of Maze ransomware claimed to have encrypted devices on the network of cyber insurance giant Chubb. 

LIFARS’ Cyber Incident Response Team provides an elite response for your organization after a ransomware or cyber extortion incident. LIFARS executes Bitcoin payments and establishes a cyber-secure perimeter, guided by proper regulatory and legal oversight. Ransomware response and cyber extortion containment are our expertise. Our Incident Response Team is able to mitigate the risks of ransomware and refine the security posture of your organization swiftly during an incident. Our expert team will provide a fast and effective response that can help minimize the damage and cost associated with ransomware and cyber extortion attacks. Being compromised has become a certainty. Some of the key benefits: 

  • Assess recovery options and recommendations based on the sensitivity and importance of the data that is locked and on the identification of the specific ransomware family. 
  • Recover private keys from recorded network conversations (provided the client has a network recorder) and decrypt files without paying the ransom. 
  • Determine whether to kill the process on all systems if it is still running, or to let the encryption finish if paying the ransom is the only remaining option.