Masergy Threat Intelligence Bulletin: Maze Ransomware

Published on April 26th, 2020

In the Spotlight: Maze Ransomware

Key Topics Covered

Executive Summary

Maze is a strain of ransomware that was discovered in May of 2019. While initially only found in small campaigns, Maze has since been responsible for high profile attacks on organizations like Allied Financial, the City of Pensacola, Florida, and recently IT service company Cognizant. Maze not only encrypts files, but also exfiltrates data to use as leverage for extorting ransom payments, with a website dedicated to publishing stolen data from non-paying victims. Maze has made claims of stealing anywhere from 100Gb of data all the way up to 10Tb worth of commercial and private information.

FIGURE 1. MAP OF MAZE INFECTIONS (Source: McAfee)

What happened?

Most ransomware families attempt to gain revenue by encrypting data and then selling the decryption key. While Maze also follows this method, the tactics utilized also include exfiltrating data before encryption that the Maze actors can then use to coerce payment from it’s victims. Maze has set up a website where they threaten to post the data should the target not comply with payment. Even if the company is able to recover their data or restore from backup without paying, they will still fall victim to a data breach. The most recent victim of the Maze ransomware is the IT service company Cognizant, a company earning $15 billion in revenue. The attack resulted in some of Cognizant’s clients having interruptions to their service, as well as a potential revenue loss that could impact Cognizant’s financial results. Even Chubb, a cybersecurity insurance provider for businesses impacted by data breaches, became compromised by Maze ransomware.

Maze Ransomware – So What?

Many companies rely on outsourcing their IT needs to third-parties, and if your IT service provider suffers a ransomware attack, it could impact your company’s operation. Cognizant confirmed that some of their clientele experienced service disruptions, with some disruptions lasting days. Since Maze is known for exfiltrating data before encryption, it’s possible that data from companies using Cognizant’s service has been compromised. In the case of Chubb, the company stated the company itself was not impacted by Maze, but rather a third-party’s data was affected.

Maze Ransomware – What Do I Do?

Maze ransomware complicates the approach of how to handle ransomware attacks. While it is still critical that your organization takes regular backups of data that you can restore from in the incident of a breach, Maze presents the possibility of a data breach for not paying. It’s now even more important that your company takes measures to prevent ransomware from entering your company network in the first place. Many attackers are using RDP (remote desktop protocol) to gain a foothold in the company, with hacking forums selling RDP credentials for around $20 a server. Securing RDP will go a long way to protect your organization. In addition, Maze has been seen being spread through exploit kits like Fallout that require user interaction to deploy on the host. It is critical to train employees to recognize potential phishing emails or domains that could redirect a victim to an exploit kit that leads to ransomware across the entire company’s network. As always, patch your systems after appropriate testing to the most recent versions as soon as possible to avoid being exploited by a preventable vulnerability.

Highlights in Brief

Millions of Guests Impacted in Marriott Data Breach, Again

Marriott hotel suffered another data breach, roughly two years after they first reported a breach that exposed details of up to 500 million customers1. This new data breach exposed details of approximately 5.2 million customers and was caused by employee account compromises. The attack occurred through a third-party software that Marriott used to provide guest services. They used the compromised accounts to get into the system and finally obtain guest information. Marriott said that the attack most likely started in mid-January and continued for a month and a half. Investigation began at the end of February and affected customers were notified. According to their investigation, no payment card information, passport information, and other pertinent sensitive information were included in the data breach.

Zeus Sphinx Banking Trojan Arises Amid COVID-19

According to IBM researchers, Zeus Sphinx malware has resurfaced, first reappearing in December of 2019. 2However, researchers observed an increase in Zeus Sphinx case volume in March with Sphinx’s operators spreading the malware through corona-virus themed emails with malicious attachments named “COVID-19 relief” in various countries. More and more APT groups have been leveraging the pandemic to spread data exfiltration malware, especially as businesses continue to move to work from home.

Oil and Gas Firms Targeted With Agent Tesla Spyware

Bitdefender researchers recently discovered a spear phishing campaign that’s running actively by either masquerading as a leading Egyptian engineering contractor or a shipment company. 3Malicious emails request the recipient to submit a bid for equipment and materials as part of a project and these contain an attachment that drops Agent Tesla spyware. The trojan will now stealthily collect various sensitive information and credentials and send it to the attacker’s command and control server. It is advised as part of a mitigation process to enforce multi-factor authentication among user accounts and implement solutions that will analyze incoming and outgoing email traffics.

Forward Look

1 https://threatpost.com/millions-guests-marriott-data-breach-again/154300/
2 https://threatpost.com/zeus-sphinx-banking-trojan-covid-19/154274/
3 https://threatpost.com/oil-and-gas-agent-tesla-spyware/154973/

Appendix A

Language of Uncertainty

Throughout this intelligence summary Masergy assessed probability using qualitative statements from the following defined matrix. To give the reader perspective, each statement is bounded by a probability range.

Source Evaluation

Masergy evaluated sources using the two matrices defined below, scoring the reliability of source and that of the information gleaned from them.