What is Maze Ransomware and How Does it Work?

Maze Ransomware has been in the headlines non-stop ever since it was first reported in May 2019, when its authors used “Missed package delivery” and “Your AT&T wireless bill is ready to view” emails to trick recipients into opening messages with malicious payloads. Maze has been used to attack individual companies, governments, and increasingly – and perhaps most worryingly – managed service providers (MSPs), many of whom serve small to midsize businesses. This is why it is so important to work with an MSP who takes cybersecurity seriously, not only for their clients but for themselves. MSPs who allow themselves to be compromised by ransomware can, in turn, introduce it into the networks of their clients in an almost endless trail of destruction.

Although Maze was shut down in November 2020, it’s still worth studying because the tactics its authors employed — stealing data and seeking to embarrass victims, in addition to ransoming data with encryption — have inspired countless cybercrime imitators.

So what is Maze ransomware, why is it so infamous, and what can we learn from it?

What is Maze ransomware?

To start understanding Maze Ransomware, it’s important to define what exactly it is. The Maze ransomware itself is a 32 bits binary file, usually in the guise of a .exe or .dll file.

Once Maze is deployed on an end user’s machine (we’ll discuss the “how” later on), it does the following:

  • Encrypts user files and sends a ransomware payment demand
  • Copies user data to be sold later, most likely on the Dark Web – escalating an infection from “ransomware” to “data breach”
  • Creates backdoors to enable the malicious actors behind the ransomware to have continued access to the system
  • Attempts to spread within the network and beyond

The Maze code is sophisticated and includes many obfuscation techniques designed to evade common security techniques and security teams.

Organizations believed to have been hit by Maze ransomware include the likes of Canon, tech and consulting giant Cognizant, and Conduent, which provides HR and payment infrastructure to “a majority of Fortune 100 companies and over 500 governments.” The impact of Maze ransomware was so massive that the FBI issued a specific warning about it.

How Maze ransomware works

Initial deployment

In most cases, Maze is deployed onto the victim’s machine using a phishing email – increasingly common is a spear-phishing email – containing a malicious attachment, such as a macro-enabled Microsoft Word document or password-protected zip file. From examples seen in the wild, this document is often named something innocuous yet tempting, such as “Quarterly Report” or “Confidential Data Set.”

Once it has been successfully deployed – that is, a user has opened the compromised document in the previous phishing example – it begins propagating within the user’s system. Simultaneously, it starts spreading laterally within the network, seeking ever-higher access privileges in order to do more damage. During this period, files start being encrypted, often affecting both the user’s local machine as well as cloud storage.

It is at this point that the ransomware payment demand usually appears, spelling out the attacker’s requirements and method of payment – usually with crypto-currency.

Evasion techniques

How does Maze ransomware evade common security measures?

First off, it starts with a zip attachment that is encrypted with a password and/or a document that includes a macro. This makes it very difficult for email security solutions to detect Maze ransomware, because:

  • They cannot automatically open the file protected with a password
  • They do not normally scan zip files
  • Scanning macros are a challenge for these solutions
Scanning for vulnerabilities

Next, the Maze ransomware scans the network for vulnerabilities. It looks for any weaknesses in network configuration, and across multiple Active Directory attributes. This way it gains critical insights and intelligence on the network itself and can embark on the next phase of its sinister mission.

Lateral movement

The Maze ransomware now begins moving laterally within the network. It does this initially by investigating the infected machine for clues regarding moving to the next machine and through the network, constantly scanning for passwords that are not well-protected. Should this prove unsuccessful, it moves on to other means such as brute-forcing access to new user accounts.

Getting elevated privileges

Just moving laterally is not enough for attackers. They want to constantly be improving their level of access privileges to access more information and gain more control over the system. With elevated privileges, spreading the infection becomes easier and quicker.

How to protect against Maze ransomware

There are 4 primary ways of protecting against Maze Ransomware. These are:

  1. Protecting each endpoint (computer or device)
  2. Protecting cloud services, such as email and collaboration suites
  3. Preventing the lateral movement of the ransomware
  4. Backing up your data
Detecting Maze pre-delivery

With the vast majority of Maze ransomware attacks starting with a phishing email, the logical and most effective place to start is with a cloud email protection solution. This stops the problem upstream, preventing much damage down the line.

Protecting each endpoint

Next, it’s important to protect individual endpoints from infection. Merely installing antivirus software on PCs is not sufficient. Using remote monitoring and management (RMM) software, an MSP can ensure that no individual machines have been compromised and that any attempt to infect individual machines is picked up and dealt with as early as possible. (Of course, MSPs should be even more watchful for problems on their own networks.)

Preventing the lateral movement of the ransomware

As we’ve seen, Maze ransomware will attempt to move laterally within the organization. Again, at this stage, an RMM tool is your best chance of keeping your network secure and isolating the infected machine, without necessitating a complete shutdown of the entire network.

Backing up your data

Properly backed-up data is key to ensuring business continuity in the case of an attack – and something that helps you sleep well at night. If you have a complete and ransomware-free backup of your data, you can wipe out ransomware and effectively roll back the clock to before the attack occurred.

Unfortunately, too many businesses discover too late that their backups are not as complete as they might have hoped — or that attackers were able to corrupt their backups along with their operational systems. Make sure your backups are reliable, complete, and hardened against attack.

Some of the solutions we offer

Working with our technology partner Datto, we offer solutions to protect your business at every level, including:

  1. Datto RMM for remote monitoring and management of your PCs, servers, and network, with specific features for ransomware detection and remediation.
  2. A complete suite of backup solutions for data on your own servers and in cloud services like Microsoft 365, Microsoft Azure, and Google Suite, all of which can come under attack.
  3. SaaS Defense for Microsoft 365, which blocks incoming malware attacks spread by email or through collaboration tools like Microsoft Teams before they reach the end-user.
Maze and its sequels

Maze variants and imitators are popping up all the time and are sure to do further damage in the future. Having said that, the response to Maze ransomware as outlined here is a robust way to protect users and your organization against Maze and other ransomware attacks.

Contact us today to learn how we can help you protect yourself against the latest threats.