
Maze Ransomware Operators Step Up Their Game

Investigations show Maze ransomware operators leave "nothing to chance" when putting pressure on victims to pay.

Maze ransomware made headlines when it targeted IT services firm Cognizant in April. Incident response experts who investigated this and previous Maze attacks report new insights on ransomware tactics that could make it harder for businesses to defend themselves.

In working with a client, Kroll incident response experts gained access to a discussion with Maze ransomware operators who revealed some of the group's inner workings. This, combined with a new FAQ file Maze published on its "shaming" website, gives analysts the impression that Maze operators "are leaving nothing to chance" when pressuring victim organizations to pay quickly.

Laurie Iacono, vice president with Kroll's Cyber Risk team, started looking into Maze toward the end of 2019 when it launched the shaming website. "As early as January of 2020, they really started focusing on that shaming site, and they were the first ones to put up a shaming site like that," she explains. The purpose of the website was to share victims' names and stolen data. The longer it takes businesses to pay Maze ransom, the more information the group publishes.

"You have so long to pay the ransom or you get on the site," Iacono says. As she continued to check the site in early 2020, she noticed frequent changes to make it more user-friendly. Maze used it as a platform to share who their victims were as well as to post group communications. "We're almost seeing them become more transparent about what they're doing, which is interesting to see in the ransomware operator's world," she adds. 

Still, this doesn't mean the group will stick with its statements. In mid-March, as the coronavirus began to ramp up across the United States, Maze operators issued a release claiming they weren't going to attack healthcare organizations amid the pandemic. Other ransomware groups followed suit. But around the same time Maze made this promise, the group was reportedly in the process of extorting money from Hammersmith Medicines Research, a UK research facility. 

Other ransomware groups have taken note of Maze's shaming site and launched their own earlier this year, Iacono says, pointing to Sodinokibi and DoppelPaymer as examples. The other groups post less frequently, she notes, but their technique is similar to Maze's. She believes the prime motivation is to encourage faster payments, which isn't always easy given the attackers' demands: Maze's initial ransom demand is nearly $2.3 million, Kroll reports, citing Coveware data.

In the writeup of their findings, Kroll experts advise businesses to heed Maze's claims and threatened retaliations for refusing to pay when considering incident response strategies. No industry is safe, they say, and Maze looks for data to cause reputational and regulatory harm. If the group doesn't get payment from the victim organization, it will move on to its customers. One healthcare client, for example, was attacked with Maze ransomware and discovered the group sent emails directly to patients threatening to expose their personal health information.

In another case, Maze told a mortgage firm it had 24 hours to pay ransom or the group would publish stolen data. The company's email system had gone down two weeks prior and it was told a virus was to blame; in hindsight, it believed its server was hit with ransomware. Kroll also worked with an insurance broker that was alerted to server failure; an investigation showed attackers had logged in to the server with elevated privileges using the COO's credentials. Two days later, the insurer's files were encrypted, and it received a ransom note.

"They tend to use all kinds of ways to compromise systems," Iacono says. Maze tends to break in through known vulnerabilities such as CVE-2019-11510 in Pulse VPN. Once inside, it downloads anywhere from 100GB to 1TB of data, with a focus on proprietary or sensitive data that can be used for regulatory action, lawsuits, or pressure to pay. The group claims credentials taken from nonpaying victims will be used to target their partners and clients.

It's tough to defend against Maze because the group uses a lot of the same legitimate tools that businesses use. Organizations can't always make a blanket statement and block certain tools to protect against the group, because it could be something they'd use in their day-to-day business. Kroll notes that Maze uses tools like Mimikatz and Advanced IP Scanner to facilitate lateral movement.
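Because the tools above are also legitimate admin software, the practical control is context rather than a blanket block: alert when a dual-use tool runs under an account or host that is not expected to use it, and separately watch for the bulk egress that precedes encryption. The following is an added illustration, not code from Kroll or the article; the admin allowlist, the 50 GB egress threshold and the sample events are all constructed assumptions.

```python
from collections import defaultdict

# Dual-use tools named in Kroll's findings; matched by image name, case-insensitive.
DUAL_USE = {"mimikatz.exe", "advanced_ip_scanner.exe"}
# Hypothetical allowlist of (user, host) pairs expected to run admin tooling.
ADMIN_ALLOW = {("it-admin", "jump01")}
# Assumed per-host outbound volume that should trigger an exfiltration alert (50 GB).
EGRESS_LIMIT = 50 * 1024 ** 3
GB = 1024 ** 3

# Constructed sample telemetry (process-start and per-host egress records).
EVENTS = [
    {"type": "proc", "user": "it-admin", "host": "jump01", "image": "Advanced_IP_Scanner.exe"},
    {"type": "proc", "user": "coo", "host": "fs01", "image": "advanced_ip_scanner.exe"},
    {"type": "proc", "user": "coo", "host": "fs01", "image": "mimikatz.exe"},
    {"type": "proc", "user": "coo", "host": "fs01", "image": "outlook.exe"},
    {"type": "egress", "host": "fs01", "bytes": 40 * GB},
    {"type": "egress", "host": "fs01", "bytes": 70 * GB},
    {"type": "egress", "host": "jump01", "bytes": 2 * GB},
]


def find_alerts(events):
    """Return (kind, subject) tuples for out-of-context tool use and bulk egress."""
    alerts = []
    egress = defaultdict(int)
    for e in events:
        if e["type"] == "proc":
            image = e["image"].lower()
            # The same binary is fine on the admin jump host but suspicious on a file server.
            if image in DUAL_USE and (e["user"], e["host"]) not in ADMIN_ALLOW:
                alerts.append(("dual_use_tool", f"{image}@{e['user']}/{e['host']}"))
        elif e["type"] == "egress":
            egress[e["host"]] += e["bytes"]  # sum outbound bytes per host
    for host, total in egress.items():
        if total > EGRESS_LIMIT:
            alerts.append(("bulk_egress", f"{host}:{total // GB}GB"))
    return alerts


if __name__ == "__main__":
    for kind, subject in find_alerts(EVENTS):
        print(kind, subject)
```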

Tips for Blocking Advanced Attackers
A new concern for organizations is that Maze's operators have compressed their decision-making process. In the past, businesses had more control over how and when to share the details of a breach; now, attackers might reach out to the media or customers before they have a chance to respond.

"This isn't an average person," says Keith Wojcieszek, managing director in Kroll's Cyber Risk practice. "These attackers are very sophisticated, very educated." Taking care of yourself up front is "extremely important" in plotting out a strong defense. Patching systems is essential.

"It's one of the most important things, especially for ransomware, because they're looking for these vulnerabilities," Wojcieszek says of the Maze operators. He advises making offline data backups, which are more difficult for adversaries to get, and adopting multifactor authentication.

Companies relying on managed service providers (MSPs) should also consider how their partners manage their network and secure their connections, he continues. If ransomware gets inside an MSP and targets its network and clients, you'll want to know whether it's staying up to date with patch management.

If an attack is successful, organizations should be prepared to respond quickly. Wojcieszek advises building incident response plans with ransomware-specific policies and determining in advance their stance on paying ransom.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
