Maze Ransomware Blackmails Victims as Leverage


The developers of the Maze ransomware added an extra feature to their ransomware: Maze steals data from the infected system while the ransomware is being deployed. The operators then threaten to publish the data if the victim decides not to pay. Depending on the kind of data, this may convince victims to pay the ransom. Since more organizations now keep backup copies of their important files or use some kind of rollback technology to restore their systems to the state they were in before the attack, encryption alone gives the attackers less leverage, and the threat of disclosure adds an incentive to pay the ransom.

In 2019, Maze's developers added the blackmail feature. Since then, many other ransomware peddlers have started to adopt it; other ransomware families that use blackmail include Clop, Sodinokibi, and DoppelPaymer. The first victim was Allied Universal, a California-based security services firm, which had 700MB of stolen data dumped after it refused to meet the ransom demand set by Maze. Most of the ransomware groups that use this blackmail feature have dedicated websites where they threaten to publish the data stolen from victims that are reluctant to pay. Maze ransomware was developed as a variant of ChaCha ransomware and was initially discovered by Malwarebytes in May of 2019. Since December, the gang has had many high-profile victims in many industries, including finance, technology, healthcare, government, hospitality, insurance, and legal.


The main forms of distribution for Maze are malspam and RDP brute force attacks. Malspam uses email attachments such as Word and Excel documents to deliver the malware. RDP brute force attacks involve using automated tools that cycle through multiple username and password combinations in an attempt to guess the target computer's RDP login credentials. Initially, Maze was distributed through websites using exploit kits such as the Fallout EK and Spelevo EK, which exploit Flash Player vulnerabilities. Maze ransomware has also exploited Pulse VPN flaws, as well as the Windows VBScript Engine Remote Code Execution Vulnerability, to get into a network. The next step is to get elevated privileges and start file encryption across all drives. Before encrypting the data, it steals files it comes across. These files are then used to blackmail companies with the threat of public disclosure.
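As an added example that is not part of the original article, the following detector flags the RDP brute force behaviour described above from Windows failed-logon events (EventID 4625): it counts failures per source IP inside a sliding time window and lists the usernames tried. The sample records are constructed, and the flattened key=value line format is an assumed forwarder format (the field names mirror the Windows event fields).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events in a flattened key=value form,
# as a SIEM forwarder might emit them. Not real telemetry.
SAMPLE_LOG = """\
2020-03-01T02:00:01 EventID=4625 IpAddress=203.0.113.7 TargetUserName=administrator LogonType=10
2020-03-01T02:00:09 EventID=4625 IpAddress=203.0.113.7 TargetUserName=admin LogonType=10
2020-03-01T02:00:17 EventID=4625 IpAddress=203.0.113.7 TargetUserName=backup LogonType=10
2020-03-01T02:00:25 EventID=4625 IpAddress=203.0.113.7 TargetUserName=rdp LogonType=3
2020-03-01T02:00:33 EventID=4625 IpAddress=203.0.113.7 TargetUserName=test LogonType=10
2020-03-01T08:15:00 EventID=4625 IpAddress=198.51.100.20 TargetUserName=jsmith LogonType=10
2020-03-01T08:15:30 EventID=4625 IpAddress=198.51.100.20 TargetUserName=jsmith LogonType=10
2020-03-01T09:00:00 EventID=4625 IpAddress=192.0.2.5 TargetUserName=svc LogonType=10
2020-03-01T09:15:00 EventID=4625 IpAddress=192.0.2.5 TargetUserName=svc LogonType=10
2020-03-01T09:20:00 EventID=4624 IpAddress=192.0.2.5 TargetUserName=svc LogonType=10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) IpAddress=(?P<ip>\S+) "
                     r"TargetUserName=(?P<user>\S+) LogonType=(?P<ltype>\d+)$")
RDP_LOGON_TYPES = {3, 10}  # 10 = RemoteInteractive (RDP); 3 = Network (RDP with NLA)

def parse_failed_rdp_logons(text):
    """Yield (timestamp, ip, user) for each 4625 event with an RDP-style logon type."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["eid"] != "4625" or int(m["ltype"]) not in RDP_LOGON_TYPES:
            continue
        yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"]

def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (peak_failures, distinct_users)} for source IPs that reach
    `threshold` failed RDP logons inside any sliding `window`."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failed_rdp_logons(text):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window past events older than `window`
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = (peak, sorted({u for _, u in events}))
    return alerts
```

With the defaults, only the source that fails five times in half a minute across five different accounts is flagged; the two typos from one workstation and the slow, widely spaced failures are not.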

Maze uses two algorithms to encrypt files, ChaCha20 and RSA. After encryption, the program appends a random string of 4 to 7 characters to the end of each file name. When the malware has finished encrypting all the targeted files, it changes the desktop wallpaper. In addition, a voice message is played to the user of the affected system, alerting them to the encryption.

To minimize the potential impact of a successful ransomware attack against your company, ensure that users have access only to the information and resources required to do their jobs. Taking this step significantly reduces the possibility of a ransomware attack spreading throughout your network. Addressing a ransomware attack on one user's system may be a hassle, but the cost and effort of recovering from a network-wide attack are dramatically greater.