In a press release posted on the dark web, the notorious cybercriminal group Maze claims that it is shutting down its operations. Ever since the announcement, there has been a buzz about how seriously its claims should be taken.
We have heard similar announcements from the group before. On March 11, 2020, the World Health Organization declared the COVID-19 outbreak a pandemic. Given the situation, Maze stated in a press release that it would stop targeting medical facilities and hospitals, a decision it apparently made for the sake of humanity.
According to BleepingComputer, Maze stopped encrypting new victims in September 2020. The group is now removing its victims from its data leak site. It is not yet clear, however, whether Maze will give its victims the keys to decrypt their files.
How authentic can this claim be? Unsurprisingly, security experts took it with a pinch of salt, pointing out that Maze is, after all, a cybercriminal gang. According to Lamar Bailey, a senior director of security research, the group is merely switching to something new, such as Egregor.
Historical Background of Maze Ransomware
In May 2019, the first known cyberattack by Maze ransomware came into the spotlight. Initially, the cybercriminals distributed the ransomware via spam e-mail and exploit kits. Afterward, they adopted a wide range of tactics, techniques, and procedures, including sending e-mails from various malicious domains.
LIFARS is offering a new and innovative service for the victims of ransomware attacks. Find out whether your infrastructure is still controlled by adversaries after you have contained the immediate ransomware threat.
Some Popular Companies Targeted by the Group
Over the past year, the group has targeted several companies and later published their internal files and documents. A few of the many companies it has targeted are listed below:
- A cybersecurity firm named Chubb
- A tech and consulting company called Cognizant
- Pharmaceutical giant ExecuPharm
- Defense contractor Kimchuk
- Southwire, a wire and cable manufacturer
Maze ransomware encrypted the internal systems of Cognizant; according to estimates, the incident cost the company between $50M and $70M. At Southwire, it encrypted 878 devices and exfiltrated 120 GB of data, and the group demanded $6M from the company.
The Cause of its Notoriety
Typically, ransomware groups hold a victim's data for ransom after infecting its systems with file-encrypting malware. Maze gained notoriety by first exfiltrating data from the victim and then threatening to disclose the stolen data unless the ransom was paid.
To do so, the group sets up websites, usually on the dark web, and threatens to publish the stolen files there if the victim refuses to pay the ransom.
Maze Romance With VPN and RDP
To gain access to victims' networks, Maze looked for vulnerable remote desktop protocol (RDP) and virtual private network (VPN) servers.
The usual Maze attack chain looks like this:
- First, initial access via RDP compromise, malspam, an exploit kit, or another vulnerability.
- Next, reconnaissance and lateral movement.
- Upon execution, Maze scans files and exfiltrates them to a file server.
- It then encrypts the files and appends different randomly generated extensions to the encrypted files.
- It tries to connect to several command-and-control (C2) servers by IP address.
- It deletes shadow copies to prevent the restoration of the data.
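The later stages of that chain (shadow copy deletion, mass renaming to random extensions, and outbound connections to bare IP addresses) are the ones a defender can look for in endpoint telemetry. The following triage script is an added example, not part of the original article or any LIFARS tooling; it runs over constructed sample events in a hypothetical `kind|value` format and reports which stages it observes.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample telemetry (not real Maze logs): one event per line,
# "<kind>|<value>" where kind is proc (command line), net (remote host) or file (path).
SAMPLE_EVENTS = """\
proc|vssadmin.exe delete shadows /all /quiet
proc|wmic.exe shadowcopy delete
net|203.0.113.45
net|updates.example-vendor.test
file|C:\\Users\\alice\\Documents\\q3.docx.1Ab9xQ
file|C:\\Users\\alice\\Documents\\q3.xlsx.7ZkP3w
file|C:\\Users\\alice\\Documents\\notes.txt.1Ab9xQ
file|C:\\Users\\alice\\Documents\\readme.txt
""".splitlines()

# Built-in commands that remove Volume Shadow Copies (the article's last stage).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# A document extension followed by an appended random-looking suffix.
RENAMED = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|txt)\.([A-Za-z0-9]{4,10})$")


def is_bare_ip(host):
    """True when the remote host is a literal IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(events, rename_threshold=3):
    """Return the sorted list of attack-chain stages observed in the events."""
    findings = set()
    suffixes = Counter()  # random extension -> number of files carrying it
    for line in events:
        kind, _, value = line.partition("|")
        if kind == "proc" and SHADOW_DELETE.search(value):
            findings.add("shadow_copy_deletion")
        elif kind == "net" and is_bare_ip(value):
            findings.add("direct_ip_c2")
        elif kind == "file":
            match = RENAMED.search(value)
            if match:
                suffixes[match.group(2)] += 1
    # Several renamed files, even with differing suffixes, indicate mass encryption.
    if sum(suffixes.values()) >= rename_threshold:
        findings.add("mass_rename_random_extension")
    return sorted(findings)
```

Any one finding on its own is noisy (administrators do delete shadow copies); it is the combination within a short window that matters.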
One group shutting down its operations does not mean we can expect cybercrime to decline, and it is far from certain how much truth there is in the claim.
In fact, Maze might be planning something behind the scenes, and the news of its shutdown may be just a way to deceive the world. A proactive cybersecurity approach is therefore the need of the hour in such a volatile situation.