Maze ransomware made headlines when it targeted IT services firm Cognizant in April. Incident response experts who investigated this and previous Maze attacks report new insights on ransomware tactics that could make it harder for businesses to defend themselves.
In working with a client, Kroll incident response experts gained access to a discussion with Maze ransomware operators who revealed some of the group's inner workings. This, combined with a new FAQ file Maze published on its "shaming" website, gives analysts the impression that Maze operators "are leaving nothing to chance" when pressuring victim organizations to pay quickly.
Laurie Iacono, vice president with Kroll's Cyber Risk team, started looking into Maze toward the end of 2019 when it launched the shaming website. "As early as January of 2020, they really started focusing on that shaming site, and they were the first ones to put up a shaming site like that," she explains. The purpose of the website was to share victims' names and stolen data. The longer it takes a business to pay the Maze ransom, the more of its information the group publishes.
"You have so long to pay the ransom or you get on the site," Iacono says. As she continued to check the site in early 2020, she noticed frequent changes to make it more user-friendly. Maze used it as a platform to share who their victims were as well as to post group communications. "We're almost seeing them become more transparent about what they're doing, which is interesting to see in the ransomware operator's world," she adds.
Still, this doesn't mean the group will stick with its statements. In mid-March, as the coronavirus began to ramp up across the United States, Maze operators issued a release claiming they weren't going to attack healthcare organizations amid the pandemic. Other ransomware groups followed suit. But around the same time Maze made this promise, the group was reportedly in the process of extorting money from Hammersmith Medicines Research, a UK research facility.
Other ransomware groups have taken note of Maze's shaming site and launched their own earlier this year, Iacono says, pointing to Sodinokibi and DoppelPaymer as examples. The other groups post less frequently, she notes, but their technique is similar to Maze's. She believes the prime motivation is to encourage faster payments, which isn't always easy given the attackers' demands: Maze's initial ransom demand is nearly $2.3 million, Kroll reports, citing Coveware data.
In the writeup of their findings, Kroll experts advise businesses to heed Maze's claims and threatened retaliations for refusing to pay when considering incident response strategies. No industry is safe, they say, and Maze looks for data to cause reputational and regulatory harm. If the group doesn't get payment from the victim organization, it will move on to its customers. One healthcare client, for example, was attacked with Maze ransomware and discovered the group sent emails directly to patients threatening to expose their personal health information.
In another case, Maze told a mortgage firm it had 24 hours to pay the ransom or the group would publish stolen data. The company's email system had gone down two weeks prior, and it was told a virus was to blame; in hindsight, it believed its server had been hit with ransomware. Kroll also worked with an insurance broker that was alerted to a server failure; an investigation showed attackers had logged in to the server with elevated privileges using the COO's credentials. Two days later, the insurer's files were encrypted, and it received a ransom note.
"They tend to use all kinds of ways to compromise systems," Iacono says. Maze tends to exploit known vulnerabilities, such as the Pulse VPN flaw CVE-2019-11510, to break in. Once inside, it downloads anywhere from 100GB to 1TB of data, focusing on proprietary or sensitive data that can be used for regulatory action, lawsuits, or pressure to pay. The group claims credentials taken from nonpaying victims will be used to target their partners and clients.
It's tough to defend against Maze because the group uses a lot of the same legitimate tools that businesses use. Organizations can't always make a blanket statement and block certain tools to protect against the group, because it could be something they'd use in their day-to-day business. Kroll notes that Maze uses tools like Mimikatz and Advanced IP Scanner to facilitate lateral movement.
Tips for Blocking Advanced Attackers
A new concern for organizations is that Maze's operators have compressed their decision-making process. In the past, businesses had more control over how and when to share the details of a breach; now, attackers might reach out to the media or customers before the victim has a chance to respond.
"This isn't an average person," says Keith Wojcieszek, managing director in Kroll's Cyber Risk practice. "These attackers are very sophisticated, very educated." Taking care of yourself up front is "extremely important" in plotting out a strong defense. Patching systems is essential.
"It's one of the most important things, especially for ransomware, because they're looking for these vulnerabilities," Wojcieszek says of the Maze operators. He advises making offline data backups, which are more difficult for adversaries to reach, and adopting multifactor authentication.
Companies relying on managed service providers (MSPs) should also consider how their partners manage their network and secure their connections, he continues. If ransomware gets inside an MSP and targets its network and clients, you'll want to know whether it's staying up to date with patch management.
If an attack is successful, organizations should be prepared to respond quickly. Wojcieszek advises building incident response plans with ransomware-specific policies and determining in advance the organization's stance on paying ransom.