Maze ransomware is a sophisticated strain of Windows ransomware which targets organizations worldwide across many industries. As with other forms of ransomware, Maze demands a cryptocurrency payment in exchange for the safe recovery of encrypted data.
If Maze ransomware victims refuse to pay, the criminals threaten to leak the victims’ confidential data. This behavior is increasingly seen in newer forms of ransomware, including REvil/Sodinokibi, JSWorm/Nemty/Nefilim, Clop, and others.
Developed as a variant of ChaCha ransomware, Maze was initially discovered in May 2019. Since December 2019, Maze has been very active in targeting victims across numerous industries.
In some cases, the attack may come from an organization’s client or partner who has already fallen victim to the hackers. Once Maze gains access to a network, the operators then try to get elevated privileges so they can deploy file encryption across all drives. Maze is particularly dangerous because it also steals the data it finds and exfiltrates it to servers controlled by malicious hackers who then threaten to release it if a ransom is not paid.
Organizations may be able to restore their data from a secure backup to get up and running again (if the backup itself has not been compromised), but that doesn’t undo the fact that criminals now have a copy of the organization’s data. Essentially, Maze is a combination of a ransomware attack and a data breach.
The creators of Maze operate a website where they list their victims (whom they refer to as “clients”). On this website, they frequently publish samples of stolen data as a form of punishment. The website includes details of when victims were hit by Maze ransomware as well as links to downloads of stolen data and documents as “proof”. Provocatively, the website features the ironic slogan “Keeping the world safe” and even includes social sharing buttons so details of data breaches can be shared via social media.
The Maze ransomware website warns victims that, if the ransom is not paid, they will:
Maze is believed to operate through an affiliated network, where developers share their proceeds with various groups which use Maze in organizational networks.
In 2020, the criminals behind Maze teamed up with two other cybercriminal groups, LockBit and RagnarLocker, essentially forming a ransomware cartel. The criminals pooled their efforts, and data stolen by these groups was published on the Maze website. Following this collaboration, Maze used execution techniques that were previously only used by RagnarLocker.
At the end of 2020, the Maze ransomware group announced it was shutting down via a rambling statement. They said they would no longer be updating their website and that victims who wanted their data removed could contact their “support chat”.
The group claimed they had started the attacks to raise awareness of cybersecurity. At the same time, they confusingly claimed that the group had never really existed outside the heads of journalists who wrote about it.
They also claimed to have had access to the IT systems at the New York state government and several internet service providers (ISPs) yet chose not to attack them.
The group’s claims to have disbanded should be taken with a pinch of salt. Previously, the ransomware operators behind GandCrab announced they were quitting, only to re-emerge running REvil/Sodinokibi. Similarities between Maze and two newly emerging strains of ransomware known as Egregor and Sekhmet have been observed, providing a strong indication that the group is simply pivoting to a new wave of cyber-attacks.
Notable examples of Maze ransomware victims include:
One of the most high-profile Maze ransomware attacks targeted Cognizant, a Fortune 500 company and one of the biggest providers of IT services in the world.
In April 2020, Cognizant was attacked by the Maze ransomware group, disrupting services to its customers. The attack encrypted and disabled some of its internal systems and forced it to take other systems offline.
The attack took place as the Covid-19 pandemic was underway when staff were attempting to work remotely. By disrupting computer systems supporting virtual desktop infrastructure, employees’ ability to work was affected. Internal directories were deleted, making it harder for staff to communicate with each other and sales teams to communicate with prospects and clients. In some cases, email access was lost.
Some of Cognizant’s clients opted to protect themselves from the malware by closing off Cognizant’s access to their networks, effectively putting projects on hold. Cognizant called in leading cybersecurity experts to assist their internal IT security teams. The Cognizant ransomware attack was also reported to law enforcement agencies, and Cognizant clients were provided with constant updates.
In its data breach notifications, Cognizant warned that sensitive personal information such as Social Security Numbers, Tax IDs, financial information, driver's licenses, and passports might have been stolen. For employees who had corporate credit cards, the company warned that the card details were likely exposed during the attack. For those affected, Cognizant provided a free year of ID theft and dark web monitoring.
The Maze ransomware attack on Cognizant was estimated to cost the company between $50m and $70m in the immediate aftermath, with further costs incurred after that to fully restore its computer systems.
Cognizant customers include financial services companies ING and Standard Life, automotive company Mitsubishi Motors and HR services company PeopleSoft. The company did not disclose which clients were affected by the attack.
In August 2020, it was reported that Canon had fallen victim to a Maze ransomware attack. The gang exfiltrated up to 10TB of Canon’s data, with the incident affecting around 25 different Canon domains and a number of its internal applications, including email and collaboration services.
The Maze ransomware attack affected users of the 10GB free storage service. Canon acknowledged that any data or images saved before June 16, 2020, were lost but said there was no leak of image data. Although the files themselves were no longer accessible, thumbnails of them could still be viewed online; clicking on any of the snapshots, however, produced an error on the website.
In July 2020, Maze ransomware operators claimed they had breached Xerox’s systems and threatened to leak massive amounts of data unless they were paid. The group posted a series of 10 screenshots on its website as proof of the breach. These screenshots indicated that the gang had stolen data related to customer support operations.
The city of Pensacola in Florida was attacked at the end of 2019. The Maze ransomware group threatened to leak data unless a $1 million ransom was paid. Reportedly, the group had stolen more than 32GB of data from the city’s infected systems. They leaked 2GB as proof of the attack.
As a result of the Maze ransomware attack, online payment services from Pensacola Energy and the City of Pensacola Sanitation Services were halted. Fortunately for residents, other services such as the police and fire departments were not affected.
Paying the ransom is not recommended. The more people pay the ransom, the more likely criminals are to launch similar attacks in the future.
That said, some businesses may feel that unless they pay, their company cannot survive. There are no easy answers, and ultimately it is a decision for each organization to make based on their circumstances. Whatever they decide, it is recommended to involve law enforcement and to work closely with them so they can investigate who may be behind the attacks.
Regardless of whether organizations pay, it is vital to understand the security problems that led to the attack in the first place. Organizations should find out what went wrong and how to fix it to prevent cybercrime attacks in the future.
In response to the Maze malware approach, the FBI advises companies to consider proactively creating caches of dummy data. These fake data collections are intended to make it harder for attackers to successfully steal genuinely important files during a hack.
Ransomware continues to evolve. The best defense against it is proactive prevention because once data has been encrypted by malware or hackers, it is often too late to recover it.
Tips for organizations to help prevent ransomware attacks include:
Keeping software and operating systems updated will help protect you from malware. Apply patches and updates for software like Microsoft Office, Java, Adobe Reader, Adobe Flash, and internet browsers like Internet Explorer, Chrome, Firefox, Opera, etc., including browser plugins. When you run an update, you benefit from the latest security patches, making it harder for cybercriminals to exploit vulnerabilities in your software.
As cybercrime becomes more widespread, ransomware protection has never been more crucial. Protect computers from ransomware with a comprehensive internet security solution like Kaspersky Internet Security. When you download or stream, the software blocks infected files, preventing ransomware from infecting your computer and keeping cybercriminals at bay.
Use a VPN to access the network instead of exposing Remote Desktop Protocol (RDP) to the Internet. Kaspersky Secure Connection provides online privacy and access to global content.
Regularly back up data to a secure, offsite location so you can restore your data in the event an attack occurs. An easy way to accomplish this is by enabling automatic backups instead of relying on a user to remember to run them routinely. Backups should be regularly tested to ensure data is being saved correctly and can actually be restored.
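The backup advice above, and in particular the point that backups must be tested, is the one part of this list that benefits from a concrete check. The following Python script is an added example and is not code from the original article or from Kaspersky: it records a SHA-256 manifest of a source tree before the backup runs, then verifies the backup copy against that manifest, which catches both a backup job that silently skipped files and a backup whose contents were later overwritten (for instance by ransomware that reached the backup share). The directory layout and file contents are constructed inline so the script runs offline; `run_demo` stands in for a real backup job.

```python
"""Backup integrity check: hash-manifest creation and restore verification.

Added example, not from the original article. All paths and file contents
below are constructed for the demo; point build_manifest/verify_backup at
real source and backup directories to use it for actual backup jobs.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict[str, str], backup_root: Path) -> list[str]:
    """Return the relative paths that are missing from the backup or whose digest differs.

    The manifest must be kept apart from the backup itself (offline or on a
    separate, write-once store); if it lives next to the backup, whoever
    encrypts the backup can simply regenerate it.
    """
    problems = []
    for rel, expected in manifest.items():
        target = backup_root / rel
        if not target.is_file() or sha256_file(target) != expected:
            problems.append(rel)
    return problems


def run_demo() -> tuple[list[str], list[str]]:
    """Back up a constructed source tree, verify it, then corrupt one file and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "backup"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2020-04-01,100\n")
        (src / "notes.txt").write_text("constructed sample data\n")

        manifest = build_manifest(src)        # digests taken before the backup runs
        shutil.copytree(src, dst)              # stand-in for the real backup job
        clean = verify_backup(manifest, dst)   # a good backup reports no problems

        # Simulate a backed-up file being overwritten with ciphertext after the fact.
        (dst / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        tampered = verify_backup(manifest, dst)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("problems in fresh backup:", clean)
    print("problems after tampering:", tampered)
```

Running the manifest step on a schedule and storing the manifest somewhere the backup host cannot write to turns "backups should be regularly tested" into an automatic alert: any non-empty result from `verify_backup` means the backup cannot be trusted for a restore.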
Organizations should ensure that staff are informed about the methods used by cybercriminals to infiltrate organizations electronically. Train all employees on cybersecurity best practices such as:
Regardless of whether the Maze ransomware group disbands or simply morphs into another criminal group, the ransomware threat will continue. As ever, vigilance is needed to stay ahead of continually evolving cyberthreats.