Threat Intelligence

5/6/2020
06:50 PM
Maze Ransomware Operators Step Up Their Game

Investigations show Maze ransomware operators leave "nothing to chance" when putting pressure on victims to pay.

Maze ransomware made headlines when it targeted IT services firm Cognizant in April. Incident response experts who investigated this and previous Maze attacks report new insights on ransomware tactics that could make it harder for businesses to defend themselves.

In working with a client, Kroll incident response experts gained access to a discussion with Maze ransomware operators who revealed some of the group's inner workings. This, combined with a new FAQ file Maze published on its "shaming" website, gives analysts the impression that Maze operators "are leaving nothing to chance" when pressuring victim organizations to pay quickly.

Laurie Iacono, vice president with Kroll's Cyber Risk team, started looking into Maze toward the end of 2019 when it launched the shaming website. "As early as January of 2020, they really started focusing on that shaming site, and they were the first ones to put up a shaming site like that," she explains. The purpose of the website was to share victims' names and stolen data. The longer it takes businesses to pay the Maze ransom, the more information the group publishes.

"You have so long to pay the ransom or you get on the site," Iacono says. As she continued to check the site in early 2020, she noticed frequent changes to make it more user-friendly. Maze used it as a platform to share who their victims were as well as to post group communications. "We're almost seeing them become more transparent about what they're doing, which is interesting to see in the ransomware operator's world," she adds. 

Still, this doesn't mean the group will stick with its statements. In mid-March, as the coronavirus began to ramp up across the United States, Maze operators issued a release claiming they weren't going to attack healthcare organizations amid the pandemic. Other ransomware groups followed suit. But around the same time Maze made this promise, the group was reportedly in the process of extorting money from Hammersmith Medicines Research, a UK research facility. 

Other ransomware groups have taken note of Maze's shaming site and launched their own earlier this year, Iacono says, pointing to Sodinokibi and DoppelPaymer as examples. The other groups post less frequently, she notes, but their technique is similar to Maze's. She believes the prime motivation is to encourage faster payments, which isn't always easy given the attackers' demands: Maze's initial ransom demand is nearly $2.3 million, Kroll reports, citing Coveware data.

In the writeup of their findings, Kroll experts advise businesses to heed Maze's claims and threatened retaliations for refusing to pay when considering incident response strategies. No industry is safe, they say, and Maze looks for data to cause reputational and regulatory harm. If the group doesn't get payment from the victim organization, it will move on to its customers. One healthcare client, for example, was attacked with Maze ransomware and discovered the group sent emails directly to patients threatening to expose their personal health information.

In another case, Maze told a mortgage firm it had 24 hours to pay ransom or the group would publish stolen data. The company's email system had gone down two weeks prior and it was told a virus was to blame; in hindsight, it believed its server was hit with ransomware. Kroll also worked with an insurance broker that was alerted to server failure; an investigation showed attackers had logged in to the server with elevated privileges using the COO's credentials. Two days later, the insurer's files were encrypted, and it received a ransom note.

"They tend to use all kinds of ways to compromise systems," Iacono says. Maze tends to use known vulnerabilities like the Pulse VPN CVE-2019-11510 to break in. Once inside, it downloads anywhere from 100GB to 1TB of data, with a focus on proprietary or sensitive data that can be used for regulatory action, lawsuits, or pressure to pay. The group claims credentials taken from nonpaying victims will be used to target their partners and clients.

It's tough to defend against Maze because the group uses a lot of the same legitimate tools that businesses use. Organizations can't always make a blanket statement and block certain tools to protect against the group, because it could be something they'd use in their day-to-day business. Kroll notes that Maze uses tools like Mimikatz and Advanced IP Scanner to facilitate lateral movement.
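Because the tools Maze uses overlap with legitimate administration software, the exfiltration volume the article describes (100GB to 1TB pulled out before encryption) is often the more reliable signal. The following is an added example, not code from Kroll or the article: it aggregates outbound bytes per internal host over a sliding 48-hour window from constructed flow-log lines and flags hosts that exceed a 100 GB threshold taken from the article's lower bound. Field layout, IP addresses and the window length are assumptions.

```python
"""Flag hosts whose outbound transfer volume looks like bulk data staging before ransomware."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow-log lines (not from the article): timestamp,src,dst,bytes_out
SAMPLE_FLOWS = """\
2020-04-10T01:12:00,10.0.5.21,203.0.113.8,52000000000
2020-04-10T02:40:00,10.0.5.21,203.0.113.8,61000000000
2020-04-10T09:05:00,10.0.5.30,198.51.100.4,120000000
2020-04-11T03:15:00,10.0.5.21,203.0.113.8,48000000000
2020-04-11T10:00:00,10.0.5.30,198.51.100.4,200000000
"""

GB = 10 ** 9
# Threshold is the article's lower bound for Maze exfiltration (100GB); tune per environment.
EXFIL_THRESHOLD_BYTES = 100 * GB


def parse_flows(text):
    """Parse CSV flow records into (timestamp, src, dst, bytes_out) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def peak_bytes_out_per_host(flows, window=timedelta(hours=48)):
    """Return each source host's largest outbound byte total within any sliding window."""
    by_host = defaultdict(list)
    for ts, src, _dst, nbytes in flows:
        by_host[src].append((ts, nbytes))
    peak = {}
    for host, events in by_host.items():
        events.sort()
        total, start, best = 0, 0, 0
        for ts, nbytes in events:
            total += nbytes
            # Evict events that fell out of the window ending at this event.
            while events[start][0] < ts - window:
                total -= events[start][1]
                start += 1
            best = max(best, total)
        peak[host] = best
    return peak


def flag_bulk_exfil(flows, threshold_bytes=EXFIL_THRESHOLD_BYTES):
    """Hosts whose peak windowed outbound volume meets the threshold, sorted for stable output."""
    return sorted(h for h, v in peak_bytes_out_per_host(flows).items() if v >= threshold_bytes)
```

A fixed threshold is a starting point; comparing each host against its own historical baseline catches smaller but still anomalous transfers.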

Tips for Blocking Advanced Attackers
A new concern for organizations is that Maze's operators have compressed their decision-making process. In the past, businesses had more control over how and when to share the details of a breach; now, attackers might reach out to the media or customers before they have a chance to respond.

"This isn't an average person," says Keith Wojcieszek, managing director in Kroll's Cyber Risk practice. "These attackers are very sophisticated, very educated." Taking care of yourself up front is "extremely important" in plotting out a strong defense. Patching systems is essential.

"It's one of the most important things, especially for ransomware, because they're looking for these vulnerabilities," Wojcieszek says of the Maze operators. He advises making offline data backups, which are more difficult for adversaries to get, and adopting multifactor authentication.

Companies relying on managed service providers (MSPs) should also consider how their partners manage their network and secure their connections, he continues. If ransomware gets inside an MSP and targets its network and clients, you'll want to know whether it's staying up to date with patch management.

If an attack is successful, organizations should be prepared to respond quickly. Wojcieszek advises building incident response plans with ransomware-specific policies and determining their stance on paying ransom.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...