Any-maze #busy

Maze, also called ChaCha, is ransomware - a malicious program that encrypts files of the victim and demands a ransom in exchange for a decryption key that restores information. A defining feature of Maze is that it publicly releases sensitive files unless the ransom is paid. Maze ransomware has been operating actively since 2019 and, unfortunately, the attack volume from this malware has been on a steady rise since that time.

It’s not a new strategy among ransomware operators to issue threats about making sensitive data public unless the victim gives in to the demands of the criminals. However, before the occurrence of Maze, most of these threats remained largely idle. They served as a psychological weapon, helping threat actors to strong-arm victims into paying. However, the situation changed drastically with Maze.

In November 2019, the group behind Maze managed to infiltrate Allied Universal, one of the leading private security companies in the US. The cyber gang claimed that they had gained complete control of the Allied network and threatened to make the data public unless the company paid up. Allied Universal decided to ignore the demands. In reply, hackers behind the virus first contacted a well-known computer help site, asking them to publish a story about the attack to serve as a public warning. When the website declined, the Maze gang uploaded 700MB worth of sensitive information on an underground forum. The data included lists of active users, email certificates, encryption keys, and more.

In another Maze ransomware attack, 2GB of files belonging to the City of Pensacola were made public. The attack severely damaged the computer network of Pensacola, forcing it to temporarily shut down the network. As for the data breach, the virus's actors declared that the information was leaked as evidence, showing how deeply they had managed to infiltrate the network.

This is a very important point about Maze. Researchers should note that, largely after Maze’s occurrence, ransomware attacks can be considered data breaches, as more and more ransomware strains gain the ability to infiltrate networks and perform data-stealing activities before encrypting the files.

Furthermore, in the case of Maze, even backups are not safe. Actually, sometimes they become a weak point. Maze creators revealed that after infecting the initial endpoint, their ransomware targets cloud backups by laterally spreading through the network and stealing the needed credentials. This is useful for threat actors not only because it allows deleting the backup before encryption, but also because that backup most likely contains the most valuable data. Unfortunately, this tactic has proved effective, as at least one company fell victim to it and lost its backups. Of course, an incident like this can only happen if backup credentials are stored in the compromised network, so correct backup configuration is incredibly important.

It should also be noted that the virus uses several advanced code obfuscation techniques that make static analysis very complicated. Threat actors behind the virus evidently stay on top of the progress made by security researchers on their malware. They contact cybersecurity media and like to tease industry professionals and play cat and mouse.

Maze execution process

In this video recorded in the ANY.RUN interactive malware hunting service we can view how the Maze execution unfolds.

Figure 1: Graph of processes created by the ANY.RUN interactive malware analysis service

Figure 2: Wallpaper with ransom message set by Maze

The execution process of Maze is kind of typical for this type of malware, similar to, for example, Phobos or Sodinokibi. After the executable file makes its way into an infected system and runs, the main malicious activity begins. After the start of execution, the ransomware deletes shadow copies. After it encrypts all targeted files, Maze drops a ransom note on the desktop.
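The execution sequence the page describes for Maze (shadow copies deleted at the start, files encrypted, then a ransom note dropped on the desktop) is a stage ordering a defender can correlate in endpoint telemetry. The following Python is an added illustration, not code from ANY.RUN or from this page: it correlates a constructed process-creation and file-event log around the parent process that launched the shadow-copy deletion and raises the severity as later stages appear. The log format, the process IDs, the write threshold and the note filename are assumptions; the shadow-copy deletion command patterns are the well-known ones catalogued under MITRE ATT&CK T1490.

```python
"""Stage-sequence detector for the behaviour described on the page:
shadow-copy deletion early in execution, mass file modification, then a
note dropped on the desktop. Added illustration, not ANY.RUN code."""
import re
from collections import defaultdict

# Well-known command lines that delete Volume Shadow Copies (MITRE ATT&CK T1490).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*delete", re.I),
]
# Any file created directly under a user's Desktop folder.
DESKTOP_PATH = re.compile(r"\\Users\\[^\\]+\\Desktop\\", re.I)


def parse_event(line):
    """Parse one line of the constructed format: ts|kind|pid|ppid|detail."""
    fields = line.rstrip("\n").split("|", 4)
    if len(fields) != 5:
        return None
    ts, kind, pid, ppid, detail = fields
    return {"ts": int(ts), "kind": kind, "pid": int(pid),
            "ppid": int(ppid), "detail": detail}


def is_shadow_delete(cmdline):
    """True when a command line matches a shadow-copy deletion pattern."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def analyse(lines, mass_write_threshold=50):
    """Return alerts keyed by the pid that spawned the shadow-copy deletion.

    Stages are only counted after the deletion, which mirrors the order on
    the page: delete shadow copies first, encrypt, then drop the note.
    """
    events = [e for e in (parse_event(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    suspects = {}            # parent pid -> ts of the deletion it launched
    writes = defaultdict(int)
    notes = defaultdict(list)
    for e in events:
        if e["kind"] == "proc_create" and is_shadow_delete(e["detail"]):
            suspects.setdefault(e["ppid"], e["ts"])
        elif (e["kind"] == "file_write" and e["pid"] in suspects
              and e["ts"] >= suspects[e["pid"]]):
            writes[e["pid"]] += 1
        elif (e["kind"] == "file_create" and e["pid"] in suspects
              and DESKTOP_PATH.search(e["detail"])):
            notes[e["pid"]].append(e["detail"])
    alerts = {}
    for pid, ts in suspects.items():
        stages = ["shadow_copy_deletion"]
        if writes[pid] >= mass_write_threshold:
            stages.append("mass_file_modification")
        if notes[pid]:
            stages.append("desktop_note_drop")
        alerts[pid] = {"first_seen": ts, "stages": stages,
                       "severity": "high" if len(stages) == 3 else "medium"}
    return alerts


# Constructed sample telemetry (pids, paths and filename are invented).
SAMPLE_LOG = (
    ["0|proc_create|4100|3000|C:\\Users\\alice\\Downloads\\sample.exe",
     "5|proc_create|900|700|vssadmin list shadows",            # benign inventory
     "10|proc_create|4120|4100|vssadmin.exe delete shadows /all /quiet",
     "12|proc_create|2010|2000|wmic shadowcopy delete"]         # deletion only
    + [f"{20 + i}|file_write|4100|3000|C:\\Users\\alice\\Documents\\doc{i}.docx"
       for i in range(60)]
    + ["200|file_create|4100|3000|C:\\Users\\alice\\Desktop\\NOTE-PLACEHOLDER.txt"]
)


def run_sample():
    """Run the detector over the constructed log and return the alerts."""
    return analyse(SAMPLE_LOG)


if __name__ == "__main__":
    for pid, alert in run_sample().items():
        print(pid, alert)
```

The benign `vssadmin list shadows` line is deliberately included: an inventory command shares the binary with the deletion command, so the patterns key on the `delete shadows` verb rather than on the executable name, which keeps routine administration out of the alert stream.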