Maze Ransomware – Need to Know Basics

Preface

A leading global IT service provider confirmed on 18th April that a security incident involving its internal systems, the result of a Maze ransomware attack, had led to some disruption. As a responsible industry player, the company has not only informed its clients but also reported the incident to the relevant government authorities. The company's security teams, with the help of external experts, are actively taking steps to contain the incident. It has also engaged with law enforcement authorities on the matter.

The Maze ransomware attack is an example of advancing malware that tends to move laterally within a network and, based on the information available, has the potential to cause disruption. Since the COVID-19 outbreak, Maze ransomware has been targeting companies across sectors, including healthcare, IT/ITeS and banking, around the globe. It is reportedly delivered via emails carrying attachments embedded with macros, and it encrypts files using sophisticated techniques.

Background

From late 2019, Maze ransomware became infamous for its encryption, its theft of data and the subsequent sale of the stolen data. A few other reasons for its notoriety are its unusual choice of targets and its ransom demands.

The threat actors behind Maze ransomware use several methods to breach a network, including fake cryptocurrency sites and malspam campaigns that impersonate government agencies and security vendors and ask users to open attachments in emails or on websites. In some instances, the victim machines had already been breached well before the actual ransomware attack. Following a network breach, the threat actor first exfiltrates, or steals, company files before encrypting computers and network shares. The actors then demand a victim-specific ransom in exchange for the decryption key. The ransom demands by the Maze group vary depending on the data acquired from the compromised network (the victim) and the victim's ability to pay. These demands were mostly in bitcoin and ranged from a few hundred to a few million dollars. Maze actors have threatened to publicly release confidential and sensitive files from a US-based victim to ensure ransom payment.

The malware was also found to be distributed by exploit kits such as Fallout and Spelevo, which exploit unpatched vulnerabilities in Internet Explorer and Adobe Flash (CVE-2018-8174, CVE-2018-15982 and CVE-2018-4878). A brief synopsis of each follows:

  1. CVE-2018-8174 – A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka “Windows VBScript Engine Remote Code Execution Vulnerability”.
  2. CVE-2018-15982 – A vulnerability in Adobe Flash Player; successful exploitation could lead to arbitrary code execution.
  3. CVE-2018-4878 – This vulnerability occurs due to a dangling pointer in the Primetime SDK related to the media player's handling of listener objects. A successful attack can lead to arbitrary code execution.

Although these are past cases, it is possible that Maze actors now use other attack vectors as well.

Precautionary Measures:

  • Common infection vectors used by Maze ransomware are phishing emails with MS Office attachments and fake/phishing websites laced with exploit kits. Hence we advise end users to exercise caution while handling emails from unknown sources, downloading MS Office attachments and clicking on suspicious links.
  • Users are recommended to disable macros in Microsoft Word and to be highly suspicious of any document requesting that they be enabled.
  • The dropper appears to most frequently contact the C2 for the download of the subsequent stage of the ransomware at an address of the format http://<IP>/wordupd.tmp. It is recommended that URLs of this format be blocked.
  • Deploy network intrusion prevention systems, and systems designed to scan and remove malicious email attachments, to block this activity.
  • Turn off unused features, or restrict access to scripting engines such as VBScript and scriptable administration frameworks such as PowerShell.
  • Ensure backups are stored off-system and are protected from the common methods adversaries use to gain access and destroy backups in order to prevent recovery.
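The URL format quoted in the list above can also be used for detection: the following added example (not code from the original advisory) scans constructed proxy log lines for a second-stage download request, i.e. an IP-literal host with the path /wordupd.tmp. The log format (timestamp, client, method, URL, status) and the sample addresses are assumptions made for the example.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Path of the second-stage download named in the advisory: http://<IP>/wordupd.tmp
STAGE2_PATH = "/wordupd.tmp"

# Constructed sample proxy log (assumed format: timestamp client method url status).
# Addresses are documentation ranges, not real indicators.
SAMPLE_PROXY_LOG = """\
2020-04-18T10:01:02Z 10.0.0.15 GET http://203.0.113.7/wordupd.tmp 200
2020-04-18T10:01:05Z 10.0.0.15 GET https://www.example.com/index.html 200
2020-04-18T10:02:11Z 10.0.0.22 GET http://198.51.100.9:8080/WordUpd.TMP 200
2020-04-18T10:03:40Z 10.0.0.31 GET http://files.example.net/wordupd.tmp 404
2020-04-18T10:04:01Z 10.0.0.31 GET http://192.0.2.44/docs/wordupd.tmp 200
"""


def is_stage2_url(url: str) -> bool:
    """True when the URL matches the advisory's pattern: a bare IP-literal host
    (any port) and a path of exactly /wordupd.tmp, compared case-insensitively
    because the dropper's path is served from a Windows-style, case-insensitive host."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname  # port stripped, lowercased, IPv6 brackets removed
    if host is None:
        return False
    try:
        ip_address(host)
    except ValueError:
        return False  # named host: not the http://<IP>/... form the advisory describes
    return parts.path.lower() == STAGE2_PATH


def find_stage2_downloads(log_text: str) -> list:
    """Return (client, url) for every log line whose requested URL matches the pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the scan
        client, url = fields[1], fields[3]
        if is_stage2_url(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in find_stage2_downloads(SAMPLE_PROXY_LOG):
        print(f"possible Maze second-stage download: {client} -> {url}")
```

The same predicate can be dropped into a proxy's URL-block list logic; here it flags the two IP-literal requests and ignores the named host and the different path.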

Other best practices

Here are a few additional guidelines that will help minimize the attack surface and the possible damage to IT infrastructure:

Patch the OS and Software:

  • Keep your operating system and other software updated. Software updates frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
  • Do not download cracked/pirated software, as it risks giving malware a backdoor into your computer.
  • Avoid downloading software from untrusted P2P or torrent sites. In most cases, they harbor malicious software.

Access Privileges:

  • Audit local/domain users and remove or disable unwanted accounts.
  • Use complex passwords and enforce a strict password policy, e.g. at least 8 characters combining alphanumeric and special characters (@#$%*).
  • Keep strong and unique passwords for login accounts and network shares.
  • Disable unnecessary admin shares and grant access permissions to shared data only as required.
  • Disable Remote Desktop Protocol (RDP) if not required; otherwise, set appropriate rules to allow access only from specific, intended hosts. In addition, use rate limiting, two-factor authentication (2FA) and a virtual private network (VPN).
  • Audit RDP access and disable it if not required.
  • Don't assign administrator privileges to users.
  • Don't stay logged in as an administrator unless it is absolutely necessary.
  • Avoid browsing, opening documents or other regular work activities while logged in as an administrator.
  • To minimize the potential impact of a successful ransomware attack against your organization, ensure that users only have access to the information and resources required to do their jobs. Taking this step significantly reduces the possibility of a ransomware attack moving laterally throughout your network. Addressing a ransomware attack on one user system may be a hassle, but the implications of a network-wide attack are dramatically greater.

Network and Shared folders:

  • Attackers in almost all cases use PowerShell scripts to exploit the vulnerability, so disable PowerShell on the network. If you require PowerShell for internal use, block PowerShell.exe from connecting to the public Internet.
  • Audit the gateway system and check for misconfiguration, if any (e.g. improper forwarding rules).
  • When managing access to shared network folders, create a separate network folder for each user and disable any shares found to be unnecessary.
  • Don't keep shared software in executable form.
  • Use anti-ransomware protection.

Email Security:

  • Strengthen email security to detect harmful attachments.
  • Enable multi-factor authentication to ensure all logins are legitimate.
  • Set password expiration and account lockout policies (triggered when a wrong password is entered repeatedly).
  • Don't open attachments and links in an email sent by an unknown, unexpected or unwanted source. Delete suspicious-looking emails you receive from unknown sources, especially if they contain links or attachments. Cyber-criminals use ‘social engineering’ techniques to trick users into opening attachments or clicking on links that lead to infected websites.
  • Always turn on the email protection of your antivirus software.
  • Deploy mail security solutions and sandboxing.

Back up your data and files:

  • It is essential that you consistently back up your important files, preferably using air-gapped storage [which is physically isolated from unsecured networks]. Enable automatic backups, if possible.
  • Protect all backups with a unique, complex password (see the password guidance under Access Privileges).
  • Always use a combination of online and offline backups.
  • If your computer gets infected with ransomware, your files can be restored from the offline backup once the malware has been removed.
  • Do not keep offline backups connected to your system, as this data could be encrypted when ransomware strikes.
  • Sandboxing can also help you restore data to its last known good condition.

Awareness Training:

  • It is important to build awareness among employees, strengthening the “human firewall” so that they recognize potential threats proactively and keep defense mechanisms in force. E-mail has become a priceless communication tool, both for business and personal use. Among the many security issues that affect computer users, there is a quickly growing threat known as “phishing”. Hackers use phishing attacks to lure the unsuspecting into visiting a fraudulent web site, calling a fraudulent phone number, or downloading malicious software, specifically to steal sensitive information such as credit card numbers, account credentials, social security numbers, PINs or passwords. Take the time to educate your users, and ensure that if they see something unusual, they report it to your security teams immediately.

Do contact us at info@primeinfoserv.com for any further information.