
Maze Ransomware

Posted: April 22, 2020

The Maze Ransomware is a file-locking Trojan whose campaigns frequently target inadequately protected business networks. Besides blocking files and extorting money from victims, it includes notably in-depth means of obfuscating its code and network traffic and may exfiltrate private information for public release onto the Internet. Users should respond to possible attacks, as always, by removing the Maze Ransomware with anti-malware products and recovering from a backup.

Twists and Turns with Labyrinthine Trojans

Taking a Trojan's word always is a tricky prospect that invites self-destruction. Threats like the Axzyte Ransomware, the W1F1RANSOM Ransomware, or the recent and intrusive CoronaLocker issue warnings with deliberately inaccurate information on the attacks and their consequences. At the same time, however, long-running file-locking Trojan projects like the Maze Ransomware make threats that they're capable of backing up with action.

The Maze Ransomware is a file-locker Trojan targeting Windows systems (in some versions, only Vista or newer) that's being maintained by what's possibly a threat actor in or near Russia. It receives regular developmental attention for scrambling identifying traits like its component filenames and devotes extreme attention to obfuscating its code, employing 'false lead' tricks like garbage code or forged networking data, and other anti-debugging workarounds. Additionally, the standard operating procedure for the Maze Ransomware threat actor (either an individual or, possibly, a group) involves reconnaissance on compromised networks that may last for weeks.

These particular features and deployment mindset help separate the Maze Ransomware from the more casual Ransomware-as-a-Service or freeware campaigns, like the attacks of the STOP Ransomware or Hidden Tear variants. The Maze Ransomware is, however, generally similar to them in its use of two-algorithm encryption for locking files: ChaCha and RSA, in its case. It also destroys the Shadow Volume Copy backups and creates ransom notes in every available folder and on the desktop. Network shares are just as much at risk of encryption as local drives.
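As an added example (not code from the original article or from any Maze analysis), the following Python flags the two behaviours described above in constructed event lines: command lines that delete Shadow Volume Copies, and the same file name being created in many directories, which is how a ransom note lands in every folder. The event format, the note file name and the directory threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed events in an assumed "time|type|data" format (not any product's
# real log format). A "proc" line carries a command line, a "file" line a path.
SAMPLE_EVENTS = """\
10:00:01|proc|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
10:00:02|proc|C:\\Windows\\System32\\wbem\\wmic.exe shadowcopy delete
10:00:03|file|C:\\Users\\alice\\Documents\\NOTE_PLACEHOLDER.txt
10:00:03|file|C:\\Users\\alice\\Pictures\\NOTE_PLACEHOLDER.txt
10:00:04|file|C:\\Users\\alice\\Desktop\\NOTE_PLACEHOLDER.txt
10:00:04|file|\\\\fileserver\\share\\finance\\NOTE_PLACEHOLDER.txt
10:00:05|file|\\\\fileserver\\share\\hr\\NOTE_PLACEHOLDER.txt
10:00:06|file|C:\\Users\\alice\\Documents\\report.docx
10:00:07|proc|C:\\Windows\\System32\\notepad.exe C:\\notes.txt
"""

# Built-in Windows utilities that remove Shadow Volume Copies.
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


def find_shadow_copy_deletion(events):
    """Return the command lines that wipe Shadow Volume Copies."""
    hits = []
    for line in events.splitlines():
        _ts, kind, data = line.split("|", 2)
        if kind == "proc" and any(p.search(data) for p in SHADOW_DELETE):
            hits.append(data)
    return hits


def find_note_drops(events, min_dirs=4):
    """Map file names created in at least `min_dirs` distinct directories
    to that directory count (the note-in-every-folder pattern)."""
    dirs_by_name = defaultdict(set)
    for line in events.splitlines():
        _ts, kind, data = line.split("|", 2)
        if kind != "file":
            continue
        directory, _sep, name = data.rpartition("\\")
        dirs_by_name[name].add(directory)
    return {n: len(d) for n, d in dirs_by_name.items() if len(d) >= min_dirs}
```

Both checks are coarse on their own; in practice they are most useful when correlated with the same host or user within a short window, since backup software and administrators also touch shadow copies.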

Trapped in a Maze Ransomware without an Easy Way Out

The Maze Ransomware warns its victims that it will publish the company's misappropriated data on a public website in the event of nonpayment. Although malware researchers find many such warnings from other Trojans to be bluffs, in the Maze Ransomware campaigns the assertion is genuine. The threat actor is maintaining a website with publicly-viewable data concerning compromised servers and the Trojan's various victims, which most recently include corporations like the information technology provider Cognizant.

Despite the degree of programming work in the Maze Ransomware, its installation hinges on many of the common vulnerabilities and infection vectors. The threat actor has a history of brute-forcing Remote Desktop services, as well as using exploit kit (EK) bundles like the Fallout Exploit Kit and e-mailing fraudulent documents with drive-by-download macros. All users can patch their software, disable macros, and use strong passwords to eliminate most of the risk of a Maze Ransomware infection.

Anti-malware utilities with updated databases still have a reasonable chance of removing the Maze Ransomware securely before its attacks can launch and begin blocking files.

Once the Maze Ransomware gets onto any Windows computer, it's a sign that the user's information is almost entirely in the hands of a stranger. Since all exits from such a situation involve financial damage, one way or another, foresight remains key to reducing the money-generating potential of the file-locker Trojan industry.
