Maze – The 2.0 of Ransomware

Maze Ransomware is the most dangerous ransomware we have seen to date. We dubbed it “Ransomware 2.0” because we think you will be seeing more and more of this type of ransomware throughout 2020. It’s like ransomware and extortionware built into one. 

For those not familiar, Maze ransomware started popping up in late December, with one of the most high profile victims being Allied Security. The Maze ransomware has two main components to it. 

1. The first component is typical ransomware where it demands Bitcoin for encryption keys. This is very common.

2. The second component is what makes Maze dangerous. Maze will actually exfiltrate files from your network and demand payment. If the company fails to pay, Maze slowly releases files on their website that are available to the general public. 

The second component shown above is dangerous for a number of reasons. First, most companies do not report when they have ransomware. In many eyes, this is seen as an “incident” and not a breach because “data has not left the network”. Second, many bloggers and industry sites monitor Maze’s site and reports on new victims. Once you’re outed on Maze’s site as having a maze infestation, and worst yet, screenshots and files that prove it, it moves through media outlets like wildfire. 

Typically the Maze payment is $2.5 Million dollars. The first $1.25 million goes towards getting the encryption key back and the second $1.25 million goes towards having then “delete your data” and prevent them from publishing your information on their website. Although this number does seem very high for ransom, their website does say that they are willing to negotiate the price. 

How Maze Gets Into Networks 

From what we’ve seen, Maze shares the same attack scenario with other ransomware. Those being 

1. Phishing emails with malicious attachments

2. RDP/Terminal Services on an external host:port. This, in combination with a user that might be using an easily guessable password is a recipe for disaster. 

Once inside the network, it appears that Maze moves around the network using PowerShell and commonly first infects a machine using a Word macro that runs a PowerShell script to install the malware. 

What You Can Do

To defend against Maze, a number of security hygiene practices should be used. 

1. Employee Awareness Training: Educate users about malicious emails, Word macros, etc. 

2. Next Generation Antivirus: They are much better at finding and removing PowerShell based malware than their traditional counterparts. 

3. Least Privilege: Making sure that users are not local administrators on their machine, locking down services such as PowerShell on workstations or machines that are not using it, etc.