Since 2019, Maze ransomware has been in the headlines non-stop. It has been used against companies and governments, and increasingly against third-party vendors and Managed Service Providers (MSPs). A compromised MSP puts every one of its clients, their business partners, and everyone else in the MSP's ecosystem at risk, in a chain of disruption that is hard to contain.
Even Singapore, the regional tech hub of Southeast Asia, has had its share of entanglement with Maze. In 2020, Singapore-based defense contractor ST Engineering faced a series of attacks and saw samples of stolen data published on the group's data leak site.
MSPs looking to protect their reputation and their customers need to understand how ransomware operates, and Maze is a good place to start.
IT and security teams have worked hard to make their people aware of such threats and able to recognize an attack in progress. But protection and detection must also exist beyond the human element, and building that starts with understanding what Maze ransomware is.
What is Maze Ransomware?
Maze ransomware is a 32-bit Windows binary, usually delivered as a .exe or .dll file. Once running on a victim's machine it encrypts user files and drops a ransom note. Before encrypting, it copies data out of the network so the operators can threaten to publish or sell it, most likely on the Dark Web, which escalates an infection from "ransomware" to "data breach." The operators also establish backdoors so they keep access to the environment, and they attempt to spread within the network and beyond it.
The Maze code is sophisticated and includes heavy obfuscation and anti-analysis tricks designed to evade security tooling and slow down the analysts who investigate it.
Organizations reported to have been hit by Maze include Canon, Cognizant, and Conduent. The impact was serious enough that the FBI issued a warning to organizations about it.
How does Maze Ransomware Work?
Initial deployment: In most cases, Maze reaches the victim's machine through a phishing email, more recently a targeted spear-phishing email, carrying an attachment such as a macro-enabled Microsoft Word document or a password-protected zip file. These files are given innocuous yet tempting names such as "Quarterly Report" or "Confidential Data Set."
Once the attachment is opened and the payload runs, the attackers establish a foothold on that machine and start working their way through the network, seeking ever-higher privileges to do more damage. Encryption is typically the last step: only after the operators have spread as far as they can and copied out the data they want do they trigger encryption, which often hits both the user's local files and any cloud storage that syncs from the machine.
At that point the ransom demand appears, spelling out the attackers' requirements and the payment method, usually cryptocurrency.
When the lure is a password-protected zip file containing a macro-enabled document, email security solutions struggle to detect it. They cannot open an encrypted archive without the password (which the attacker typically supplies in the email body for the human recipient to type in), so nothing inside it can be scanned, and even an unprotected macro is hard to judge as malicious without executing it in a sandbox.
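As an added example (not part of the original article and not Maze code), the following Python script shows how a scanner can at least recognise the two evasion tricks described above: it walks an attachment, flags ZIP members whose general-purpose bit 0 marks them as encrypted, and detects the vbaProject.bin part that every macro-enabled OOXML document carries. The sample attachments are constructed in memory; the "encrypted" one is a normal archive whose encryption flag is set by hand in both the central-directory and local headers, so the fixture stays small and self-contained while looking exactly like a password-protected archive to a scanner.

```python
"""Attachment triage for the two evasion tricks described above:
password-protected ZIPs (nothing inside can be scanned) and
macro-enabled Office documents nested inside archives.
Added example with constructed fixtures; not Maze code."""
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001   # ZIP general-purpose bit 0: member is encrypted
OFFICE_EXTS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx",
               ".ppt", ".pptm", ".pptx", ".zip")


def triage_attachment(name, data, depth=0, max_depth=3):
    """Return a list of (severity, message) findings for one attachment."""
    if depth > max_depth:
        return [("warn", f"{name}: nested deeper than {max_depth} levels, not inspected")]
    if not data.startswith(b"PK\x03\x04"):
        # Legacy OLE2 files (.doc/.xls) carry VBA too, but need oletools to parse;
        # here we only flag the extension for manual follow-up.
        if name.lower().endswith((".doc", ".xls", ".ppt")):
            return [("info", f"{name}: legacy Office binary, check for VBA with olevba")]
        return []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("warn", f"{name}: ZIP signature but archive does not parse")]
    findings = []
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:
            # OOXML document: a VBA project is always stored as a vbaProject.bin part.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                findings.append(("high", f"{name}: macro-enabled Office document (vbaProject.bin present)"))
            return findings
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                # Without the password (sent to the human in the mail body) the
                # gateway cannot look inside, which is the whole point of the trick.
                findings.append(("high", f"{name}/{info.filename}: encrypted ZIP member, cannot be scanned"))
            elif info.filename.lower().endswith(OFFICE_EXTS):
                findings.extend(triage_attachment(f"{name}/{info.filename}", zf.read(info),
                                                  depth + 1, max_depth))
    return findings


def build_ooxml(macro):
    """Constructed minimal OOXML-shaped archive standing in for a .docx/.docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake vba")
    return buf.getvalue()


def mark_encrypted(raw):
    """Set the encrypted bit in every central-directory and local header of a
    ZIP by walking the real structures (EOCD -> central directory -> local
    headers), so signatures inside nested archives are left alone. The data
    stays in the clear; only the flag changes, which is all a scanner sees."""
    raw = bytearray(raw)
    eocd = raw.rfind(b"PK\x05\x06")
    n_entries = struct.unpack_from("<H", raw, eocd + 10)[0]
    pos = struct.unpack_from("<I", raw, eocd + 16)[0]          # central directory offset
    for _ in range(n_entries):
        if raw[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("central directory out of sync")
        raw[pos + 8] |= ENCRYPTED_FLAG                            # flags at CD offset 8
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", raw, pos + 28)
        local = struct.unpack_from("<I", raw, pos + 42)[0]       # local header offset
        raw[local + 6] |= ENCRYPTED_FLAG                          # flags at local offset 6
        pos += 46 + name_len + extra_len + comment_len
    return bytes(raw)


def build_zip(members, encrypted=False):
    """Constructed outer archive; members is a list of (filename, bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, fdata in members:
            zf.writestr(fname, fdata)
    return mark_encrypted(buf.getvalue()) if encrypted else buf.getvalue()


if __name__ == "__main__":
    lure = build_ooxml(macro=True)
    for label, blob in [("Quarterly Report.docm", lure),
                        ("Quarterly Report.zip", build_zip([("Quarterly Report.docm", lure)])),
                        ("Confidential Data Set.zip", build_zip([("Quarterly Report.docm", lure)], encrypted=True))]:
        for severity, message in triage_attachment(label, blob):
            print(severity.upper(), message)
```

The point of the last fixture is the one the article makes: for the encrypted archive the scanner can say only that there is something it cannot see, which is itself a reasonable reason to quarantine or at least to strip the attachment and warn the recipient.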
Scanning for vulnerabilities:
Once inside, the Maze operators look for weaknesses in the network configuration and enumerate Active Directory (users, groups, trusts and other attributes) to build a picture of the environment before moving on to the next phase of the attack.
Moving laterally: Maze now moves laterally within the network. The operators search the infected machine for anything that helps them reach the next one, harvesting stored or cached credentials wherever they can find them. Where that fails, they fall back on other means such as brute-forcing or password-spraying user accounts.
Getting elevated privileges:
Attackers keep raising their level of privilege, typically all the way to domain administrator, so that they can reach more systems and more data. With higher privileges the spread becomes easier and quicker, and the eventual encryption can be pushed to every machine at once.
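As a second added example (constructed sample, not from the article and not Maze code), here is the kind of detection a security team can run over Windows Security logs to catch the brute-forcing and password spraying that precede the lateral movement described above: a sliding window over event 4625 (failed logon) per source address, followed by a check for a successful network logon (event 4624, logon type 3) from the same source with one of the accounts it had been trying. The field names follow the Windows event XML (IpAddress, TargetUserName, LogonType), but the records are invented.

```python
"""Detect the credential brute-forcing / password spraying that precedes
Maze's lateral movement, from Windows Security events 4625 (failed logon)
and 4624 (successful logon). Added example with a constructed event
sample; not real telemetry and not Maze code."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # how far apart failures may be and still count
MIN_ACCOUNTS = 5                 # distinct accounts failed from one source
MIN_FAILURES = 8                 # total failures from one source


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_spray(events, window=WINDOW, min_accounts=MIN_ACCOUNTS, min_failures=MIN_FAILURES):
    """Return alerts as (source_ip, kind, detail).

    kind == "spray": one source failed against many accounts within `window`
    (one password tried across users, the pattern that dodges per-account lockout).
    kind == "compromised": that source later completed a network logon
    (4624, LogonType 3) with one of the accounts it had been trying.
    """
    by_src = defaultdict(list)
    for rec in sorted(events, key=lambda r: r["time"]):
        by_src[rec["ip"]].append(rec)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        for i, first in enumerate(failures):
            start = parse_ts(first["time"])
            burst = [f for f in failures[i:] if parse_ts(f["time"]) - start <= window]
            accounts = {f["user"].lower() for f in burst}
            if len(burst) < min_failures or len(accounts) < min_accounts:
                continue
            alerts.append((src, "spray",
                           f"{len(burst)} failures against {len(accounts)} accounts starting {first['time']}"))
            for e in evs:
                if (e["event_id"] == 4624 and e.get("logon_type") == 3
                        and e["user"].lower() in accounts and parse_ts(e["time"]) >= start):
                    alerts.append((src, "compromised", f"{e['user']} logged on at {e['time']} after the spray"))
            break   # one pair of alerts per source; the SIEM can correlate further
    return alerts


def _ev(time, event_id, ip, user, logon_type=3):
    """Shape one record like the fields of a Windows 4624/4625 event."""
    return {"time": time, "event_id": event_id, "ip": ip, "user": user, "logon_type": logon_type}


# Constructed sample, not real telemetry.
SAMPLE_EVENTS = [
    # Benign: a user mistypes a password twice at the console, then gets in.
    _ev("2020-06-01T08:59:10", 4625, "10.0.0.7", "alice", logon_type=2),
    _ev("2020-06-01T08:59:25", 4625, "10.0.0.7", "alice", logon_type=2),
    _ev("2020-06-01T08:59:40", 4624, "10.0.0.7", "alice", logon_type=2),
    # Spray: one workstation walks a list of accounts with one password, then wins.
    *[_ev(f"2020-06-01T09:00:{10 + 5 * i:02d}", 4625, "10.0.0.23", user)
      for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"])],
    _ev("2020-06-01T09:01:30", 4624, "10.0.0.23", "dave"),
]

if __name__ == "__main__":
    for src, kind, detail in detect_spray(SAMPLE_EVENTS):
        print(f"[{kind}] {src}: {detail}")
```

The thresholds are deliberately conservative defaults; tune them against your own baseline of failed logons, and treat the "compromised" alert as the one that warrants isolating the source host through your management tooling straight away.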
Protection against Maze Ransomware
There are four primary ways of protecting against Maze ransomware.
- Detecting Maze pre-delivery: With the vast majority of Maze attacks starting with a phishing email, the logical and most effective place to start is a cloud email protection solution that stops the problem upstream, before the attachment ever reaches a mailbox.
- Protecting each endpoint: Individual endpoints must be protected from infection. A remote monitoring and management (RMM) tool lets an MSP deploy endpoint protection to every machine it manages, keep those machines patched, and see when one falls out of line, so that any attempt to infect an individual machine is picked up and dealt with as early as possible.
- Preventing lateral movement: As Maze attempts to move laterally, network segmentation combined with the ability to isolate an infected machine quickly through your RMM tool is your best chance of keeping the rest of the network clean without shutting the whole environment down.
- Backing up your data: Properly backed-up data is key to business continuity after an attack, and to sleeping well at night. Keep backups offline or otherwise out of reach of a domain administrator account and test restores regularly, because ransomware operators routinely delete shadow copies and any backups they can reach. Remember too that backups address the encryption, not the data theft: stolen data can still be leaked. For MSPs, making sure every client has a working backup solution is, quite literally, critical.
Unfortunately, Maze ransomware is here to stay, with new variants already appearing. Nonetheless, the defenses outlined here are a robust way to protect users, clients, and your organization against Maze and other ransomware attacks.