Maze Ransomware Operators Step Up Their Game

Published: 23/11/2024   Category: security


Investigations show Maze ransomware operators leave nothing to chance when putting pressure on victims to pay.



Maze ransomware made headlines when it targeted IT services firm Cognizant in April. Incident response experts who investigated this and previous Maze attacks report new insights on ransomware tactics that could make it harder for businesses to defend themselves.
In working with a client, Kroll incident response experts gained access to a discussion with Maze ransomware operators who revealed some of the group's inner workings. This, combined with a new FAQ file Maze published on its shaming website, gives analysts the impression that Maze operators are leaving nothing to chance when pressuring victim organizations to pay quickly.
Laurie Iacono, vice president with Kroll's Cyber Risk team, started looking into Maze toward the end of 2019 when it launched the shaming website. "As early as January of 2020, they really started focusing on that shaming site, and they were the first ones to put up a shaming site like that," she explains. The purpose of the website was to share victims' names and stolen data. The longer it takes businesses to pay the Maze ransom, the more information the group publishes.
"You have so long to pay the ransom or you get on the site," Iacono says. As she continued to check the site in early 2020, she noticed frequent changes to make it more user-friendly. Maze used it as a platform to share who its victims were as well as to post group communications. "We're almost seeing them become more transparent about what they're doing, which is interesting to see in the ransomware operators' world," she adds.
Still, this doesn't mean the group will stick to its statements. In mid-March, as the coronavirus began to ramp up across the United States, Maze operators issued a release claiming they weren't going to attack healthcare organizations amid the pandemic. Other ransomware groups followed suit. But around the same time Maze made this promise, the group was reportedly in the process of extorting money from Hammersmith Medicines Research, a UK research facility.
Other ransomware groups have taken note of Maze's shaming site and launched their own earlier this year, Iacono says, pointing to Sodinokibi and DoppelPaymer as examples. The other groups post less frequently, she notes, but their technique is similar to Maze's. She believes the prime motivation is to encourage faster payments, which isn't always easy given the attackers' demands: Maze's initial ransom demand is nearly $2.3 million, Kroll reports, citing Coveware data.
In the write-up of their findings, Kroll experts advise businesses to heed Maze's claims and threatened retaliation for refusing to pay when considering incident response strategies. No industry is safe, they say, and Maze looks for data that can cause reputational and regulatory harm. If the group doesn't get payment from the victim organization, it moves on to the organization's customers. One healthcare client, for example, was attacked with Maze ransomware and discovered the group had sent emails directly to patients threatening to expose their personal health information.
In another case, Maze told a mortgage firm it had 24 hours to pay the ransom or the group would publish stolen data. The company's email system had gone down two weeks prior and it was told a virus was to blame; in hindsight, it believed its server had been hit with ransomware. Kroll also worked with an insurance broker that was alerted to a server failure; an investigation showed attackers had logged in to the server with elevated privileges using the COO's credentials. Two days later, the insurer's files were encrypted and it received a ransom note.
"They tend to use all kinds of ways to compromise systems," Iacono says. Maze tends to use known vulnerabilities such as the Pulse VPN flaw CVE-2019-11510 to break in. Once inside, it downloads anywhere from 100GB to 1TB of data, with a focus on proprietary or sensitive data that can be used for regulatory action, lawsuits, or pressure to pay. The group claims credentials taken from nonpaying victims will be used to target their partners and clients.
It's tough to defend against Maze because the group uses many of the same legitimate tools that businesses use. Organizations can't always make a blanket statement and block certain tools to protect against the group, because a tool could be something they use in their day-to-day business. Kroll notes that Maze uses tools like Mimikatz and Advanced IP Scanner to facilitate lateral movement.
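Because the dual-use tools named above cannot simply be blocked, a detection has to be contextual: which host ran the tool, under which account, and whether unusually large volumes of data then left the network. The following is an added illustration of that idea, not code from Kroll or from the article; the host names, the account name, the per-host tool baseline, the 50 GiB egress threshold and the key=value log lines are all constructed for the example.

```python
from collections import defaultdict

# Dual-use tools the article names (Mimikatz, Advanced IP Scanner). Since they
# cannot always be blocked outright, the check is contextual: which host ran
# them, and under which account.
DUAL_USE_TOOLS = {"mimikatz.exe", "advanced_ip_scanner.exe"}

# Hypothetical per-tool baseline of hosts where the tool is expected to run
# (for example an IT admin jump box). Mimikatz has no legitimate baseline here.
TOOL_BASELINE = {"advanced_ip_scanner.exe": {"IT-ADMIN-01"}}

# Hypothetical high-privilege business accounts that should never run admin
# tooling themselves (cf. the COO-credentials case in the article).
WATCHED_ACCOUNTS = {"coo"}

# Outbound volume per host above which we alert. The article reports Maze
# pulling 100GB-1TB, so a 50 GiB window threshold is a constructed, conservative value.
EGRESS_THRESHOLD_BYTES = 50 * 1024 ** 3

# Constructed sample telemetry in a simple key=value format (not real logs).
SAMPLE_LOGS = [
    "event=process host=IT-ADMIN-01 user=itadmin image=Advanced_IP_Scanner.exe",
    "event=process host=FIN-WS-07 user=coo image=Advanced_IP_Scanner.exe",
    "event=process host=FIN-WS-07 user=coo image=mimikatz.exe",
    "event=netflow host=FILE-SRV-02 bytes_out=120000000000",
    "event=netflow host=FIN-WS-07 bytes_out=2000000000",
    "garbled line without structure",
]


def parse_line(line):
    """Parse a key=value log line into a dict; return None for malformed lines."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    return fields if "event" in fields else None


def detect(lines):
    """Return a list of alert strings for dual-use tool misuse and bulk egress."""
    alerts = []
    egress_by_host = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed input rather than crashing the pipeline
        if ev["event"] == "process":
            image = ev.get("image", "").lower()
            host = ev.get("host", "?")
            user = ev.get("user", "").lower()
            if image not in DUAL_USE_TOOLS:
                continue
            reasons = []
            if host not in TOOL_BASELINE.get(image, set()):
                reasons.append("non-baseline host")
            if user in WATCHED_ACCOUNTS:
                reasons.append("watched account")
            if reasons:
                alerts.append(f"{image} on {host} as {user}: {', '.join(reasons)}")
        elif ev["event"] == "netflow":
            egress_by_host[ev.get("host", "?")] += int(ev.get("bytes_out", 0))
    # Sum egress per host over the whole window, then compare to the threshold.
    for host, total in sorted(egress_by_host.items()):
        if total > EGRESS_THRESHOLD_BYTES:
            alerts.append(f"bulk egress from {host}: {total} bytes")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the sample input the scanner run on the admin jump box is silent, the two runs on the finance workstation under the COO account fire, and the file server's 120 GB of outbound traffic fires as bulk egress; in practice the baseline and threshold would be derived from the organization's own telemetry rather than hard-coded.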
Tips for Blocking Advanced Attackers
A new concern for organizations is that Maze's operators have compressed the decision-making process. In the past, businesses had more control over how and when to share the details of a breach; now, attackers might reach out to the media or customers before they have a chance to respond.
"This isn't an average person," says Keith Wojcieszek, managing director in Kroll's Cyber Risk practice. "These attackers are very sophisticated, very educated. Taking care of yourself up front is extremely important in plotting out a strong defense."
Patching systems is essential. "It's one of the most important things, especially for ransomware, because they're looking for these vulnerabilities," Wojcieszek says of the Maze operators. He advises making offline data backups, which are more difficult for adversaries to reach, and adopting multifactor authentication.
Companies relying on managed service providers (MSPs) should also consider how their partners manage their network and secure their connections, he continues. If ransomware gets inside an MSP and targets its network and clients, you'll want to know whether the MSP is staying up to date with patch management.
If an attack is successful, organizations should be prepared to respond quickly. Wojcieszek advises building incident response plans with ransomware-specific policies and determining the organization's stance on paying ransom.