Maze Ransomware
Maze Ransomware – Decrypted
Securekal
22-Apr-2020

Ransomware is malware that disrupts a victim by locking (encrypting) the files on their system and then demanding a ransom to unlock them; hence the name. Before designing measures to protect data against it, it helps to understand what sets Maze Ransomware apart from earlier ransomware and why the name "Maze" suits it.
What is Maze Ransomware?
Maze Ransomware is a newer strain of what was earlier known as ChaCha ransomware (after the ChaCha cipher it uses for file encryption). It is more dangerous and more capable than its predecessors because it moves laterally across the network and evades anti-VM and sandbox checks as well as other deployed security solutions. Its defining difference, however, is the order of operations: it steals data first, then locks it, and only then demands the ransom, instead of merely locking data and demanding payment. The operators also give the victim proof by decrypting a few files for free, and if the ransom is not paid they release the stolen sensitive data in tranches. The binary itself is heavily obfuscated, which makes analysis difficult. The name fits: the victim has to puzzle out the correct path through a maze of dead ends in order to break free.
Modus Operandi – How it Infects the System:
- Entry is through phishing e-mails and through bitcoin ads (malvertising) that lead to a fake Abra site hosting a supposed mobile bitcoin wallet app.
- The malware file is dropped or implanted and run without any user interaction.
- It contacts its domains and hosts to establish command and control (CnC).
- It deletes the Volume Shadow Copies (snapshots), so that files cannot be restored from them, and alters the Windows Registry.
- It follows instructions from the CnC and performs other malicious tasks, including stealing (exfiltrating) data.
- It locks (encrypts) files using a combination of RSA and the ChaCha cipher, and appends a string of 4-7 characters to each file name as a marker.
- It posts or displays the ransom note.
The files normally locked are MS Office documents, OpenOffice documents, PDFs, text files, databases, photos, music, video, image files, etc.
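Two of the behaviours listed above, the deletion of shadow copies and the mass renaming of files with a short appended extension, are visible in ordinary endpoint telemetry. The following is an added detection example, not code from the original page or from any Maze analysis: it runs two simple detectors over a handful of constructed log lines in a hypothetical "timestamp|kind|user|detail" format. The shadow-copy patterns (vssadmin delete shadows, wmic shadowcopy delete) are generic commands used by many ransomware families, not claims about Maze's exact command lines; the benign-extension allowlist and the burst threshold are assumptions to tune for your environment.

```python
"""Detect shadow-copy deletion and bursts of renames that append a short
random extension.  Added example; log format and sample events are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in a hypothetical "timestamp|kind|user|detail" format.
SAMPLE_EVENTS = [
    "2020-04-22T10:01:03|process|WS01\\alice|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2020-04-22T10:01:04|process|WS01\\alice|wmic.exe shadowcopy delete",
    "2020-04-22T10:01:05|process|WS01\\bob|C:\\Windows\\System32\\vssadmin.exe list shadows",
    "2020-04-22T10:01:10|rename|WS01\\alice|C:\\Users\\alice\\Q1.xlsx -> C:\\Users\\alice\\Q1.xlsx.3cLm",
    "2020-04-22T10:01:11|rename|WS01\\alice|C:\\Users\\alice\\plan.docx -> C:\\Users\\alice\\plan.docx.Kp9zQa",
    "2020-04-22T10:01:11|rename|WS01\\alice|C:\\Users\\alice\\photo.jpg -> C:\\Users\\alice\\photo.jpg.xR2Tmb1",
    "2020-04-22T10:01:12|rename|WS01\\alice|C:\\Users\\alice\\db.sqlite -> C:\\Users\\alice\\db.sqlite.Zq7L",
    "2020-04-22T10:01:13|rename|WS01\\alice|C:\\Users\\alice\\song.mp3 -> C:\\Users\\alice\\song.mp3.mN4vvP",
    "2020-04-22T10:01:14|rename|WS01\\bob|C:\\Users\\bob\\draft.txt -> C:\\Users\\bob\\report.txt",
    "2020-04-22T10:05:00|rename|WS01\\bob|C:\\Users\\bob\\a.txt -> C:\\Users\\bob\\a.txt.bak",
]

# Generic ransomware shadow-copy deletion commands (not Maze-specific claims).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

# "<old> -> <old>.<ext>" where ext is 4-7 alphanumerics appended to the old name.
APPENDED_EXT = re.compile(r"^(?P<orig>.+?) -> (?P=orig)\.(?P<ext>[A-Za-z0-9]{4,7})$")

# Assumed allowlist of extensions that legitimate tools commonly append.
BENIGN_EXTS = {"bak", "orig", "tmp", "old", "save"}


def parse(line):
    """Split one constructed log line into (timestamp, kind, user, detail)."""
    ts, kind, user, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), kind, user, detail


def shadow_copy_deletions(events):
    """Return (user, command) for process events that delete shadow copies."""
    hits = []
    for line in events:
        _, kind, user, detail = parse(line)
        if kind == "process" and any(p.search(detail) for p in SHADOW_DELETE_PATTERNS):
            hits.append((user, detail))
    return hits


def rename_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {user: [extensions]} for users who, within `window`, renamed at
    least `threshold` files by appending a 4-7 character non-benign extension."""
    per_user = defaultdict(list)  # user -> [(timestamp, ext)]
    for line in events:
        ts, kind, user, detail = parse(line)
        if kind != "rename":
            continue
        m = APPENDED_EXT.match(detail)
        if m and m.group("ext").lower() not in BENIGN_EXTS:
            per_user[user].append((ts, m.group("ext")))

    flagged = {}
    for user, items in per_user.items():
        items.sort(key=lambda x: x[0])
        start = 0
        for end in range(len(items)):           # sliding window over time
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = [ext for _, ext in items[start:end + 1]]
                break
    return flagged


if __name__ == "__main__":
    for user, cmd in shadow_copy_deletions(SAMPLE_EVENTS):
        print(f"SHADOW COPY DELETION by {user}: {cmd}")
    for user, exts in rename_bursts(SAMPLE_EVENTS).items():
        print(f"RENAME BURST by {user}: {len(exts)} files, extensions {exts}")
```

In the sample, only the two deletion commands are flagged (the "list shadows" query is not), and only alice's five renames within a few seconds trip the burst detector; bob's rename to a different name and his ".bak" copy do not. In production the same logic would be fed from Sysmon process-creation and file events or from a file server's audit log, and the threshold should be set well above the normal per-user rename rate.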
Why Protect Your Data Against Maze Ransomware:
It mainly targets companies with a good reputation in the market, since this not only lets the hacker group tarnish the company's image but also earns them name, fame and money. Because data is stolen before it is encrypted, an infection is also a data breach. With GDPR, CCPA and other privacy laws and regulations in place, the victim company may face long legal battles and, if found at fault, penalties. In short, Maze Ransomware is a double whammy for the affected company.
How To Protect Your Data Against Maze Ransomware:
- Install ad blockers to combat the distribution of Maze Ransomware through malicious advertising.
- Deploy DMARC (together with SPF and DKIM) so that attackers cannot spoof your own domain, which reduces phishing mail that appears to come from your own employees or other known persons.
- Draft and implement an e-mail policy, and back it with strong e-mail security software that detects malicious attachments.
- Install a firewall on client devices (desktops, laptops).
- Install antivirus and anti-malware software on client devices (desktops, laptops and mobiles).
- Configure your firewalls so that ports 445, 139, 3389, 21 and 22 are not exposed to the Internet; monitor outbound connections at the firewall and block the unwanted ones.
- Disable Remote Desktop Protocol (RDP) if it is not in use, or follow RDP best practices such as multifactor authentication, rate limiting, etc.
- Deploy best practices and guidelines for remote connections:
  - Use legitimate VPN services.
  - Enable multifactor authentication for login and for critical activities.
  - Limit VPN sessions to specific time periods.
  - Use secure protocols such as IPsec/L2TP for establishing the remote connection.
- Draft and implement a data classification policy to identify and classify the company's data, and design the protection mechanism for each class accordingly.
- Design and deploy an effective backup and restoration strategy (including offline or otherwise isolated copies, since the malware deletes shadow copies on the infected host) so that critical business and personal data can be recovered and made available in the event of an infection.
- Conduct information security awareness and training sessions for the concerned stakeholders.
The measures above are advice, and each company is encouraged to refer to them when designing its information or data security. The final decision on which information security controls to implement should, however, be based on a data risk assessment and the business requirements of each company.