
Why organisations should be wary of Maze ransomware

As more organisations switched to remote working during lockdowns, cyberattacks ranging from phishing scams to ransomware have increased. Leading IT services provider Cognizant was recently targeted: the company confirmed a security incident involving its internal systems, in which a Maze ransomware attack disrupted services for some clients.
Also known as ChaCha ransomware, Maze was discovered in May 2019 by Jerome
Segura, a malware intelligence analyst.
Though the Maze ransomware group has denied its involvement in the attack, security experts don't seem convinced. “The ransomware has still been categorized as Maze because the listed IOCs included IP addresses of servers and file hashes for the kepstl32.dll, memes.tmp, and maze.dll files. These are known to be used in previous attacks by the Maze ransomware actors,” said Saket Modi, co-founder and CEO of Lucideus, a cybersecurity company.
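The attribution quoted above rests on matching file names and file hashes against a list of known indicators. The following is an added example (not code from the article, Lucideus or McAfee) of that kind of check: a directory scan that flags files whose SHA-256 or name is on an IOC list. The three file names are the ones the article mentions; the hash set is filled from constructed sample content, because the article publishes no hash values, and all function names are this example's own.

```python
"""Scan a directory for files matching a simple IOC list (names and SHA-256 hashes).

Added example, not from the article or from Lucideus/McAfee. The three file
names are the ones the article lists; the hash set is a PLACEHOLDER built from
constructed sample content, not real Maze hashes (the article publishes none).
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# File names the article lists as indicators seen in earlier Maze attacks.
IOC_NAMES = {"kepstl32.dll", "memes.tmp", "maze.dll"}

# Constructed stand-in: in practice this set holds the published SHA-256 values.
SAMPLE_MALICIOUS_CONTENT = b"constructed sample payload (stand-in for a known bad file)"
IOC_SHA256 = {hashlib.sha256(SAMPLE_MALICIOUS_CONTENT).hexdigest()}


@dataclass(frozen=True)
class Match:
    path: str
    reason: str  # "hash" (strong) or "name" (weak, needs follow-up)
    sha256: str


def sha256_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: str, ioc_names=IOC_NAMES, ioc_hashes=IOC_SHA256) -> list:
    """Walk `root` and return files whose hash or name is on the IOC lists.

    A hash match is reported in preference to a name match, because a name
    alone is easy to collide with legitimately (or for an attacker to rename).
    """
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_of_file(path)
            if digest in ioc_hashes:
                matches.append(Match(path, "hash", digest))
            elif name.lower() in ioc_names:
                matches.append(Match(path, "name", digest))
    return sorted(matches, key=lambda m: m.path)


def demo() -> list:
    """Build a constructed sample tree and return (file name, reason) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "maze.dll": b"benign bytes under a suspicious name",  # name match only
            "report.docx": SAMPLE_MALICIOUS_CONTENT,               # hash match
            "notes.txt": b"nothing to see here",                   # clean
        }
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return [(os.path.basename(m.path), m.reason) for m in scan_directory(tmp)]


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason} match")
```

A name-only hit is reported separately from a hash hit on purpose: a file called maze.dll is worth a look, but only a hash (or, better, a sample in a sandbox) ties it to the known family.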
This is the second major cyberattack involving Maze ransomware on an organisation within the span of a month. In March, Chubb, a cyber insurance company, reported a security breach believed to be the handiwork of the Maze ransomware group.
Interpol has also warned health organisations across the world to brace for possible ransomware attacks, even though the Maze ransomware group has reportedly assured that it won't target healthcare and medical facilities for the time being.
How does Maze operate?
McAfee Labs' research on Maze shows that the ransomware is mainly spread through exploit kits such as Fallout and Spelevo, desktop connections protected by weak passwords, and phishing emails impersonating government agencies. For instance, in the October cyberattack on Italian organisations, emails were sent with a Word attachment whose macros ran the malware on the system.
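The Word-attachment vector described above is one a mail gateway can screen for before the document reaches a user. The following is an added example (not code from the article or from McAfee) that inspects an Office attachment for macros: modern Office files are zip containers, so the check looks for a vbaProject.bin part or a macro-enabled content type. The sample documents are constructed in build_sample() as minimal zips, not real Office files, and the function names are this example's own.

```python
"""Classify an e-mail attachment by whether it carries Office macros.

Added example, not from the article or from McAfee. It inspects the OOXML
container (a zip) for a vbaProject.bin part or a macro-enabled content type.
Sample documents are constructed in build_sample(); they are minimal zips,
not real Office files.
"""
import io
import zipfile

# Magic bytes of the legacy OLE2 (.doc/.xls) container.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Substring of the content types Office uses for macro-enabled documents,
# e.g. application/vnd.ms-word.document.macroEnabled.main+xml.
MACRO_CONTENT_TYPE_MARKER = b"macroEnabled"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-binary' or 'not-office'.

    'legacy-binary' means an OLE2 file: macros in those need an OLE parser
    (for example oletools' olevba), which this example deliberately leaves out.
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Any vbaProject.bin part means VBA is present, whatever the extension.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            # A .docm renamed to .docx still declares the macro-enabled type here.
            if ("[Content_Types].xml" in names
                    and MACRO_CONTENT_TYPE_MARKER in zf.read("[Content_Types].xml")):
                return "macro"
            return "clean"
    except zipfile.BadZipFile:
        return "not-office"


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML-style zip; with macro=True it carries VBA parts."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml" if macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Dummy bytes standing in for the OLE stream that holds the VBA project.
            zf.writestr("word/vbaProject.bin", b"CONSTRUCTED-DUMMY-VBA-CONTAINER")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("plain .docx", build_sample(False)),
                        ("macro .docm", build_sample(True)),
                        ("legacy .doc", OLE2_MAGIC + b"\x00" * 16),
                        ("pdf", b"%PDF-1.4 ...")]:
        print(f"{label}: {classify_attachment(blob)}")
```

The check looks at the container, not the file extension, so a macro-enabled document renamed to .docx is still caught; legacy binary .doc files are only flagged for further inspection because their VBA lives inside an OLE structure that a zip reader cannot open.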
According to McAfee, the malware is deliberately written to resist reverse engineering of its code, which makes static analysis by security researchers more difficult. Reverse engineering is a common practice in cybersecurity for understanding how a given program, in this case the malware, works.
What makes Maze dangerous?
A typical ransomware attack encrypts all files and locks them down to prevent access until the owner or organisation has paid the ransom. What makes Maze ransomware unique is that, before encrypting files, it steals a significant amount of data and sends it to a remote server controlled by the attacker. The objective is to sell the data on the dark web if the organisation or individual refuses to pay the ransom.
Who is behind Maze?
Security experts have not yet been able to trace the country of origin of the Maze ransomware. During their examination, McAfee Labs found that some of the IP addresses belonged to the Russian Federation. However, that is not enough to confirm where the malware comes from: IP spoofing is a common practice used by attackers to deliberately misdirect investigations and even sow discord between two states.
What can organisations do to protect themselves?
Modi points out that an organisation can avoid paying ransoms as long as all its important data is properly backed up. However, to protect their systems from such attacks, organisations need to improve their overall security posture.
“These are exactly the situations why the industry needs to adopt a proactive, real-time and quantifiable approach to cybersecurity. Cyber risk quantification platforms can help organisations get a clear view into the cyber risk posture in real-time, allowing them to prioritise cybersecurity projects and investments,” added Modi.