Maze Ransomware Sophos



It’s been a year since the Maze ransomware gang began its rise to notoriety. Previously identified as “ChaCha ransomware” (a name taken from the stream cipher used by the malware to encrypt files), the Maze “brand” was first affixed to the ransomware in May 2019.


Initial samples of Maze were tied to fake websites loaded with exploit kits. Since then, Maze has been delivered by multiple means: exploit kits, spam emails, and—as the group’s operations have become more targeted—Remote Desktop Protocol attacks and other network exploitation.

But aside from the gang’s adjustments in initial compromise approaches, the Maze group has risen in prominence largely because of its extortion tactics: following through on threats of public exposure by publishing “dumps” of victims’ stolen data, and offering victim data on cybercrime forums if no payment is made.

While Maze did not invent the

You’ve probably heard terms like “spray-and-pray” and “fire-and-forget” applied to cybercriminality, especially if your involvement in cybersecurity goes back to the early days of spamming and scamming.

Those phrases recognise that sending unsolicited email is annoyingly cheap and easy for cybercrooks, who generally don’t bother running servers of their own – they often just rent email bandwidth from other crooks.

And those crooks, in turn, don’t bother running servers of their own – they just use bots, or zombie malware, implanted on the computers of unsuspecting users to send email for them.

Six years ago, when home networks were generally a lot slower than they are today, SophosLabs researchers measured a real-life bot sending more than 5 million emails a week from a single consumer ADSL connection, distributing 11 different malware campaigns as well as links to nearly 4000 different fake domains that redirected via 58 different hacked servers to peddle phoney pharmaceutical products. Best, or worst, of all – because outbound emails are mostly uploaded network packets – the bot barely affected the usability of the connection, making it unlikely that the legitimate user of the ADSL account would notice from traffic alone.

The theory was simple: the cost of failure was so low that the crooks could pretty much dial-a-yield by setting their spamming rates as high as needed to suit the campaign they were running.

So the “spray-and-pray” equation was simple: to get 100 people interested with a click-rate of one in a million, the crooks had to send 100 million emails.

And with a zombie network capable of doing more than 5 million emails per computer per week, you could spam out those 100 million emails in the course of a single hour with a 3000-strong botnet.

(Some notorious zombie networks have given their botmasters remote control over hundreds of thousands or millions of devices at the same time.)

What has all this got to do with contemporary targeted ransomware like Maze?

Well, it reminds us that cybercriminals can make off with vast amounts of money, even though by some metrics their success rate sounds terrible.

Simply put, online crooks are no strangers to the upbeat verse that tells us:

Try, try again

Ransomware attacks are one especially destructive part of the cybercriminal underground where the crooks don’t mind failing, and where they are perfectly willing to try again.

In fact, it’s almost become part of their game plan: a sort of “third time lucky” approach.

The crooks are usually already inside your network by the time they unleash the ransomware part of their attack, and they usually spend the early part of their attack mapping out your network and acquiring similar (or perhaps even superior) access powers to your own sysadmins.

So they can afford to take the time to perform experiments, and if at first they don’t succeed, they’re more than ready to spend their time finding another way.

And with ransom demands getting into eight-figure territory these days – by which we mean extortion demands of $10,000,000 or more – you can see why.

For a fascinating insight into the minds of these money-grabbing blackmailers and their “try, try again” techniques, we recommend the latest SophosLabs report, entitled Maze attackers adopt Ragnar Locker virtual machine technique.

The report is the result of an investigation by indefatigable Sophos Managed Threat Response expert (and occasional Naked Security writer) Peter Mackenzie and his colleagues, who were called in to deal with a network attack by the infamous Maze ransomware gang.

After two failed attempts to launch their ransomware files directly, the crooks resorted to a technique that we first wrote about when the Ragnar Locker crooks used it: setting up a virtual machine (VM), and running the malware in that.

Intriguingly, this represents a complete turnaround in the attitude of cybercriminals to VM software such as VMware, VirtualBox and Parallels.

Some crooks go out of their way to avoid infecting virtual machines altogether, mainly to prevent their malware running inside a research lab or sandbox system, where VMs are usually used for scalability and convenience. (VMs are much quicker and easier to reset to a known clean condition than re-imaging a physical hard disk.)


But ransomware crooks have realised that introducing a VM of their own to run their file scrambling malware gives them a chance to run it in a software environment of their choice – the Ragnar Locker gang decided to use Windows XP, presumably because it’s compact and doesn’t do any pesky licensing checks.

In this latest Maze attack, the crooks delivered their own VM containing Windows 7 and all the operating system components needed to launch a full-blown virtual Windows desktop that they knew was compatible with their malware – a whopping 700MB disk image, all to run just 2.5MB of malware code.
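Defenders can turn the “bring your own VM” trick described above into a detection: a hypervisor appearing, and a large guest disk image being written, on a host that has no business running VMs. The script below is an added example, not code from Sophos or the report; the event format, hostnames, paths and allowlist are constructed, and the hypervisor executable names and image extensions are ordinary ones for VirtualBox, VMware and Parallels, not values from the incident.

```python
from collections import defaultdict
from dataclasses import dataclass

# Common guest disk image extensions (VirtualBox, VMware, Hyper-V, QEMU).
DISK_IMAGE_EXT = (".vdi", ".vmdk", ".vhd", ".vhdx", ".qcow2")
# Typical hypervisor executables; assumed names for this example.
HYPERVISOR_EXES = {"virtualbox.exe", "vboxheadless.exe", "vboxsvc.exe",
                   "vmware-vmx.exe", "vmware.exe", "prl_vm_app.exe"}
# The attack used a ~700MB image; anything over 100MB is worth a look.
LARGE_IMAGE_BYTES = 100 * 1024 * 1024

@dataclass
class Event:
    host: str
    kind: str      # "file_create" or "process_start" (constructed schema)
    path: str
    size: int = 0  # bytes, only meaningful for file_create

def indicator(event):
    """Return which VM indicator an event matches, or None."""
    name = event.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if (event.kind == "file_create" and name.endswith(DISK_IMAGE_EXT)
            and event.size >= LARGE_IMAGE_BYTES):
        return "large_disk_image"
    if event.kind == "process_start" and name in HYPERVISOR_EXES:
        return "hypervisor_started"
    return None

def assess(events, vm_allowlist):
    """Map each non-allowlisted host to a severity: 'high' when both a
    hypervisor start and a large disk image are seen, 'medium' for one."""
    seen = defaultdict(set)
    for e in events:
        if e.host in vm_allowlist:
            continue  # developer boxes etc. legitimately run VMs
        ind = indicator(e)
        if ind:
            seen[e.host].add(ind)
    return {h: ("high" if len(i) == 2 else "medium") for h, i in seen.items()}

# Constructed telemetry: one file server shows both indicators.
VM_ALLOWLIST = {"DEV-LAPTOP7"}
SAMPLE_EVENTS = [
    Event("FILESRV01", "file_create", r"C:\Users\Public\micro.vdi", 700 * 1024 * 1024),
    Event("FILESRV01", "process_start", r"C:\Users\Public\VirtualBox\VBoxHeadless.exe"),
    Event("DEV-LAPTOP7", "process_start", r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"),
    Event("HR-PC22", "file_create", r"C:\Temp\notes.vdi", 5 * 1024 * 1024),
    Event("WEB02", "process_start", r"D:\tools\vmware-vmx.exe"),
]

if __name__ == "__main__":
    for host, sev in assess(SAMPLE_EVENTS, VM_ALLOWLIST).items():
        print(f"{host}: {sev}")
```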


Three tries and a double whammy


Like many ransomware gangs, the Maze crew don’t just scramble your files these days – they take the time to steal some or all of your critical data first before bringing your network to a halt, thus giving them a double reason to extort money from you.

A year ago, you might have expected a Maze attack to leave behind a pre-recorded threat like this:

https://nakedsecurity.sophos.com/wp-content/uploads/sites/2/2020/05/demand.mp3

Listen to the audio message that plays after a Maze attack

Note how the crooks focused on the decryption of your precious files as the reason to pay up.

Today, the threat is two-pronged:

These days, you’re paying hush money for the crooks to keep quiet about the data breach aspect of the attack, as well as paying to get your business running again.

What to do?


In case you’re wondering, the crooks demanded $15,000,000 this time, but the victim said, “No,” to which we say, “Good on you.”

Those who refuse to do deals with the criminals deserve our respect, even if we might also feel critical because the victim suffered a data breach in the first place.


It’s easy to say that you’d do the same and refuse to pay, because of the moral principles involved, but it’s a different matter when it’s your business and your staff looking straight into the barrel that the crooks have shoved in your faces.