Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

06:50 PM
Connect Directly

Maze Ransomware Operators Step Up Their Game

Investigations show Maze ransomware operators leave "nothing to chance" when putting pressure on victims to pay.

Maze ransomware made headlines when it targeted IT services firm Cognizant in April. Incident response experts who investigated this and previous Maze attacks report new insights on ransomware tactics that could make it harder for businesses to defend themselves.

In working with a client, Kroll incident response experts gained access to a discussion with Maze ransomware operators who revealed some of the group's inner workings. This, combined with a new FAQ file Maze published on its "shaming" website, gives analysts the impression that Maze operators "are leaving nothing to chance" when pressuring victim organizations to pay quickly.

Laurie Iacono, vice president with Kroll's Cyber Risk team, started looking into Maze toward the end of 2019 when it launched the shaming website. "As early as January of 2020, they really started focusing on that shaming site, and they were the first ones to put up a shaming site like that," she explains. The purpose of the website was to share victims' names and stolen data. The longer it takes businesses to pay Maze ransom, the more information the group publishes.

"You have so long to pay the ransom or you get on the site," Iacono says. As she continued to check the site in early 2020, she noticed frequent changes to make it more user-friendly. Maze used it as a platform to share who their victims were as well as to post group communications. "We're almost seeing them become more transparent about what they're doing, which is interesting to see in the ransomware operator's world," she adds. 

Still, this doesn't mean the group will stick with its statements. In mid-March, as the coronavirus began to ramp up across the United States, Maze operators issued a release claiming they weren't going to attack healthcare organizations amid the pandemic. Other ransomware groups followed suit. But around the same time Maze made this promise, the group was reportedly in the process of extorting money from Hammersmith Medicines Research, a UK research facility. 

Other ransomware groups have taken note of Maze's shaming site and launched their own earlier this year, Iacono says, pointing to Sodinokibi and DoppelPaymer as examples. The other groups post less frequently, she notes, but their technique is similar to Maze's. She believes the prime motivation is to encourage faster payments, which isn't always easy given the attackers' demands: Maze's initial ransom demands nearly $2.3 million, Kroll reports, citing Coveware data.

In the writeup of their findings, Kroll experts advise businesses to heed Maze's claims and threatened retaliations for refusing to pay when considering incident response strategies. No industry is safe, they say, and Maze looks for data to cause reputational and regulatory harm. If the group doesn't get payment from the victim organization, it will move on to its customers. One healthcare client, for example, was attacked with Maze ransomware and discovered the group sent emails directly to patients threatening to expose their personal health information.

In another case, Maze told a mortgage firm it had 24 hours to pay ransom or the group would publish stolen data. The company's email system had gone down two weeks prior and it was told a virus was to blame; in hindsight, it believed its server was hit with ransomware. Kroll also worked with an insurance broker that was alerted to server failure; an investigation showed attackers had logged in to the server with elevated privileges using the COO's credentials. Two days later, the insurer's files were encrypted, and it received a ransom note.

"They tend to use all kinds of ways to compromise systems," Iacono says. Maze tends to use known vulnerabilities like the Pulse VPN CVE-2019-11510 to break in. Once inside, it downloads anywhere from 100GB to 1TB of data, with a focus on proprietary or sensitive data that can be used for regulatory action, lawsuits, or pressure to pay. The group claims credentials taken from nonpaying victims will be used to target their partners and clients.

It's tough to defend against Maze because the group uses a lot of the same legitimate tools that businesses use. Organizations can't always make a blanket statement and block certain tools to protect against the group, because it could be something they'd use in their day-to-day business. Kroll notes that Maze uses tools like Mimikatz and Advanced IP Scanner to facilitate lateral movement.

Tips for Blocking Advanced Attackers
A new concern for organizations is that Maze's operators have compressed their decision-making process. In the past, businesses had more control how and when to share the details of a breach; now, attackers might reach out to the media or customers before they have a chance to respond.

"This isn't an average person," says Keith Wojcieszek, managing director in Kroll's Cyber Risk practice. "These attackers are very sophisticated, very educated." Taking care of yourself up front is "extremely important" in plotting out a strong defense. Patching systems is essential.

"It's one of the most important things, especially for ransomware, because they're looking for these vulnerabilities," Wojcieszek says of the Maze operators. He advises making offline data backups, which are more difficult for adversaries to get, and adopt multifactor authentication.

Companies relying on managed service providers (MSPs) should also consider how their partners manage their network and secure their connections, he continues. If ransomware gets inside an MSP and targets its network and clients, you'll want to know whether it's staying up to date with patch management.

If an attack is successful, organizations should be prepared to respond quickly. Wojcieszek advises building their incident response plans with ransomware-specific policies and determine their stance on paying ransom.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "How InfoSec Pros Can Help Healthcare During the Coronavirus Pandemic."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
5/11/2020 | 2:56:14 PM
The way this sounds, this was from an internal attack
Maze's initial ransom demands nearly $2.3 million, Kroll reports, citing Coveware data.

The first question is why didn't they just pay the ransomware after they identified the systems were being encrypted and the applications just stopped...After this Cognizant took the other systems offline and many of the company's clients suspended the access to Cognizant's networks.

Besides, the primary applications affected are VDI (Virtual Desktops) and WFH Laptops; that means that someone gained access to the laptop or VDI session, sent the Maze Ransomeware to a specific set of servers, ran the application across firewalls, IDS/IPS, and Antivirus/Malware tools and executed its payload to encrypt and stop services on Windows or Linux servers (some of which were hardened, some VDI environments are not as hardened as some might think).

There have been conversations that Cognizant is an Indian first organization where they bring in Americans to get the business then fire or lay them off to hire people from India (lower cost) to increase their bottom line. Sounds to me someone was pissed and partnered with the Maze group to offer their services, remember, they use equipment to check the lateral movement of certain actors, almost like this had a business model approach.

Are Maze operators behind the attack on the IT services giant ...

This is the screen that came from the attack.

IT Service Giant Cognizant Hit With MAZE Ransomware Attack

Again, I am not saying that things just happen, but I do believe that there is a thing called Karma when you treat people wrong, they oftentimes retaliate, I don't think this is just a fluke, the plot\ will continue to thicken (where is NSA or CyberSecurity Division when you need them).


COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.