Scribd Logo
Upload

Welcome to Scribd!

  • 187 views

    Maze Ransomware Attack and Preventative Measures: General Best Practices

    Uploaded by

    prakashrjsekar
    The document discusses the recent Maze ransomware attacks and provides recommendations to prevent and respond to such attacks. It notes that Maze ransomware operators have been actively targeting organizations and publishing stolen files. The document provides best practices for antivirus software, firewalls, and networks to help block malware and limit the spread of ransomware attacks. It also includes indicators of compromise like IP addresses and file hashes that organizations should monitor and block.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Maze Ransomware Attack and Preventative Measures: General Best Practices

    Uploaded by

    prakashrjsekar
    187 views7 pages
    The document discusses the recent Maze ransomware attacks and provides recommendations to prevent and respond to such attacks. It notes that Maze ransomware operators have been actively targeting organizations and publishing stolen files. The document provides best practices for antivirus software, firewalls, and networks to help block malware and limit the spread of ransomware attacks. It also includes indicators of compromise like IP addresses and file hashes that organizations should monitor and block.

    Original Description:

    Original Title

    Maze ransomware

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document discusses the recent Maze ransomware attacks and provides recommendations to prevent and respond to such attacks. It notes that Maze ransomware operators have been actively targeting organizations and publishing stolen files. The document provides best practices for antivirus software, firewalls, and networks to help block malware and limit the spread of ransomware attacks. It also includes indicators of compromise like IP addresses and file hashes that organizations should monitor and block.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    187 views7 pages

    Maze Ransomware Attack and Preventative Measures: General Best Practices

    Uploaded by

    prakashrjsekar
    The document discusses the recent Maze ransomware attacks and provides recommendations to prevent and respond to such attacks. It notes that Maze ransomware operators have been actively targeting organizations and publishing stolen files. The document provides best practices for antivirus software, firewalls, and networks to help block malware and limit the spread of ransomware attacks. It also includes indicators of compromise like IP addresses and file hashes that organizations should monitor and block.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    of 7

    Maze ransomware attack and preventative measures

    Executive Summary
    EY MIST team tracks the recent variants of the Maze ransomware in our threat intel platform. We
    aware that Maze ransomware operators have been quite active, it seems there is no stopping. In
    the recent attack of Maze ransomware, one of the top IT firm got affected by Maze ransomware
    operators. Malware researchers also spotted the Maze ransomware operators attacked firms
    related to environmental services, manufacturers of electronic equipment. Very recently, London-
    based Hammersmith Medicines Research suffered a data breach. On March 21, the Maze
    ransomware operators published some of the stolen files on their leak site, after the refusal of the
    research firm of paying the ransom.

    General best practices:


     Do not download files that are suspicious, unusual or from an unknown sender.
     Periodically carry out backups so that systems can be re-established quickly, with minimal
    possible information loss and operative impact.
     Improve the segmentation of the network in order to prevent massive propagation of the
    threat.
     Review and strengthen, where necessary, the security policies of the organization.

    Antivirus best practices:


     Administrators need to ensure that installed AVs and other security products are running with
    latest definition.
     Ensure whether any machines in the network got any removal of antimalware solutions. In
    typical ransomware attacks, intruders remove the security programs from the machine after
    they achieved highest privilege. This will help the ransomware to evade and proceed for
    deploying of ransomware malware in the machines.
     If any suspicious removal of security products/Antimalware programs spotted in the log
    monitoring, should be checked immediately and verified with the concern whether it is a
    planned admin activity or not.

    Firewall best practices:


    • It is always recommended to blacklist the latest threat intel feeds shared by EY MIST team
    which covers recent trending threats including ransomware attacks.
    • After blacklisting, if any outbound communication to the malicious IPs logged in the firewall
    logs, it needs to be analyzed from the host level to find the depth of the analysis.
    • We recommend analyzing the communication in the logs from non-business locations which
    can be tracked using GeoIP during the log monitoring. If the identified IPs found to be malicious,
    deploy rules to block that traffic.
    IOC section (Block at Antivirus and file server level)
    MD5
    a2d631fcb08a6c840c23a8f46f6892dd
    2fbd10975ee65845a18af6b7488a5236
    ee26e33725b14850b1776a67bd8f2d0a
    2fbd10975ee65845a18af6b7488a5236
    a2d631fcb08a6c840c23a8f46f6892dd
    ad30987a53b1b0264d806805ce1a2561
    53d5bdc6bd7904b44078cf80e239d42b
    3bfcba2dd05e1c75f86c008f4d245f62
    21a563f958b73d453ad91e251b11855c
    27c5ecbb94b84c315d56673a851b6cf9
    0f841c6332c89eaa7cac14c9d5b1d35b
    f5ecda7dd8bb1c514f93c09cea8ae00d
    0f841c6332c89eaa7cac14c9d5b1d35b
    a0c5b4adbcd9eb6de9d32537b16c423b
    b40a9eda37493425782bda4a3d9dad58
    5df79164b6d0661277f11691121b1d53
    79d137d91be9819930eeb3876e4fbe79
    65cf08ffaf12e47de8cd37098aac5b33
    fba4cbb7167176990d5a8d24e9505f71
    deebbea18401e8b5e83c410c6d3a8b4e
    87239ce48fc8196a5ab66d8562f48f26
    a3a3495ae2fc83479baeaf1878e1ea84
    8205a1106ae91d0b0705992d61e84ab2
    b4d6cb4e52bb525ebe43349076a240df
    a3386e5d833c8dc5dfbb772d1d27c7d1
    d552be44a11d831e874e05cadafe04b6
    bf2e43ff8542e73c1b27291e0df06afd
    e69a8eb94f65480980deaf1ff5a431a6
    5774f35d180c0702741a46d98190ff37
    f04d404d84be66e64a584d425844b926
    be537a66d01c67076c8491b05866c894
    d2dda72ff2fbbb89bd871c5fc21ee96a
    910aa49813ee4cc7e4fa0074db5e454a
    8205a1106ae91d0b0705992d61e84ab2

    Block at Gateway, proxy and perimeter level


    IP Addresses (Dropper):
    hxxp://104.168.215.54/wordupd.tmp
    hxxp://149.56.245.196/wordupd.tmp
    hxxps://104.168.198.208/wordupd.tmp
    hxxp://104.168.198.230/wordupd.tmp
    hxxp://104.168.201.47/wordupd.tmp

    Block at proxy/internet gateway level

    Maze URLs:
    hxxps://mazedecrypt.top/c3100a28b009e7a9
    hxxp://aoacugmutagkwctu.onion/c3100a28b009e7a9

    IP address to block at firewall level

    IP Addresses:
    91[.]218.114.37
    91[.]218.114.77
    91[.]218.114.4
    91[.]218.114.11
    91[.]218.114.31
    91[.]218.114.79
    91[.]218.114.25
    91[.]218.114.26
    91[.]218.114.38
    91[.]218.114.32

    IP Addresses:
    5.199.167.188
    45.76.149.204
    91.218.114.4
    91.218.114.11
    91.218.114.25
    91.218.114.26
    91.218.114.31
    91.218.114.32
    91.218.114.37
    91.218.114.38
    91.218.114.77
    92.63.8.47
    92.63.11.151
    92.63.15.6
    92.63.15.8
    92.63.17.245
    92.63.29.137
    92.63.32.2
    *92.63.32.55
    92.63.37.100
    92.63.194.3
    92.63.194.20
    104.238.158.250
    104.168.174.32
    104.168.198.208
    104.168.198.230
    104.168.201.35
    104.168.201.47
    104.168.215.54
    146.0.72.85
    149.56.245.196
    185.147.15.22
    195.123.217.13
    198.50.168.67

    URL to be blocked at proxy/gateway level

    Domains List
    introle[.]biz
    plex[.]direct
    agenziaentrate[.]icu
    agenziaentrateinformazioni[.]icu
    agenziainformazioni[.]icu
    bzst-info[.]icu
    hilfe-center-1und1[.]icu
    intralian[.]icu
    usps-deliveryservice[.]icu
    zhengjuncai[.]monster
    healtyproductbest[.]review
    download-invoice[.]site
    malaysiaterkini[.]site
    conbase[.]top
    mazedecrypt[.]top
    condurises[.]xyz
    emplementriaton[.]xyz
    fantimit[.]xyz
    heatmoscover[.]xyz
    publistendick[.]xyz
    thistrich[.]xyz
    succeptishough[.]xyz
    thropossion[.]xyz
    werenceptical[.]xyz
    yearinesents[.]xyz
    1drivelive[.]com
    aloha-edc[.]net
    gsitestat[.]com
    nesinoder[.]com
    set-validator[.]com
    wwwcolnbase[.]com
    canadian-overnite[.]com
    info-delivery-notification[.]com
    lj-kabel[.]net
    hotspot.easygonet[.]com
    webislem[.]kibrisonline[.]com
    activate[.]netonline[.]net
    bayi.netonline[.]net
    beta-bayi[.]kibrisonline[.]com
    dev-bayi[.]netonline[.]net
    dev-hotspotpanel[.]netonline
    [.]net
    gidra2web[.]shop
    gidraruzxpnew4af[.]com
    gudra2wed[.]com
    gudra2wep[.]com
    gybra2web[.]com
    gydra2web[.]co
    gydra2web[.]shop
    gydra2wed[.]com
    hedra2wep[.]com
    hibra2web[.]com
    hidra2wed[.]com
    hidra2wep[.]com
    hudra2wed[.]com
    hudra2wep[.]com
    hybra2web[.]co
    hydpa2web[.]com
    hydr2aweb[.]com
    hydra2ewb[.]com
    hydra2ved[.]com
    hydra2wed[.]co
    hydra2weg[.]com
    hydra2wep[.]co
    hydra4web[.]com
    hydro2wed[.]com
    hydro2wep[.]com
    onion[.]business
    onion[.]capital
    onion[.]cards
    onion[.]fish
    onion[.]limited
    onion[.]management
    onion[.]photo
    onion[.]shopping
    dependepeal[.]info
    mostualled[.]info
    all-apk[.]info
    apkbit[.]info
    apkeseay[.]info
    apkfinder[.]info
    apk-get-update[.]info
    apkhila[.]info
    apkitsall[.]info
    apks-rec[.]info
    apk-rool[.]info
    apkrool[.]info
    apk-tools[.]info
    apktool[.]info
    apktwin[.]info
    apk-update[.]info
    appsfans[.]info
    bit-apk[.]info
    freshapk[.]info
    get-apk-update[.]info
    instaapk[.]info
    pure-apk[.]info
    qwecklyapk[.]info
    to-apk[.]info
    true-apk[.]info
    trueapk[.]info
    upd-ur-apk[.]info
    update-ur-apk[.]info
    sicurezza[.]me
    mx2[.]mgk [.]pl
    fermeri1[.]ru
    i1fermer[.]ru
    lbi1[.]ru
    bayi[.]netcity[.]net[.]tr
    shop[.]nethouse[.]net[.]tr
    missiondirectorates[.]us
    soresponsiblesd[.]us
    nano-care[.]vn

    Reference:

    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
    https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-04-18-maze-ransomware-unpacked-
    payload.vk.yar
    https://twitter.com/VK_Intel/status/1251388507219726338
    https://twitter.com/underthebreach/status/1251605359409664005
    https://www.peerlyst.com/posts/ta2101-maze-threat-actor-ransomware-cnc-sigma-ioc-detection-rule-
    soc-prime
    https://www.virustotal.com/gui/url/0ff6dc133f486178bd13acf266b02c0ca6771e6a066fb419dd0e17
    ed40a4756b/details
    https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-
    ransomware-cyber-attack/

    Thru EY team help

    You might also like