In this article

Cynet Detection Report: Maze Ransomware

August 10, 2020

Last Updated: January 15, 2024

Share on:

Written by: Eran Yosef, Ben Gold, and Asher Davitadi

EXECUTIVE SUMMARY

In late 2019, the hacker group TA-2101 had used Fallout and Spelevo exploit kits to distribute multiple malwares. The group used emails to target health care related environments around the US. The Maze Ransomware (also known as ChaCha Ransomware) uses RSA and ChaCha20 ciphers for its encryption process and is used was by the attackers to extort the victims for payment, communicating via email – the ransomware generates different payment amounts depending on what the endpoints was used for (home computer, server, or workstation.)

Cynet 360 detects the ransomware in multiple stages of the attack. The detection includes Maze’s binary being dumped on the disk, SSDeep similarity, execution of the ransomware on an endpoint and using Cynet’s heuristic detection to seek file renames and more.

This is part of an extensive series of guides about Ransomware Protection

CYNET DETECTION

Cynet 360 protects your environment against this type of attack. This type of attack is detected by Cynet on our protected environment alerting for malicious activities, using the following mechanisms.

Note that the action set for our environment is to alert only, to not interrupt the ransomwares flow, allowing Cynet to detect every step of Mazes Ransomware attack flow.

MALICIOUS BINARY

Fast Scan engine – This alert triggers when Cynet detects a file hash (SSDEEP) which is highly similar to a file hash that is flagged in our threat intelligence database as malicious. The idea behind this alert is to detect new variants of known malware.

Memory Pattern

Default Configuration – This alert is triggered when Cynet detects memory strings which are associated with Malware or with malicious files.

RANSOMWARE HEURISTIC

ADT – Advanced Detection Technology – This alert triggers when Cynet detects suspicious behavior which can be associated with Ransomware (such as changing file extensions to “.Lock”).

Malicious Process Command

ADT – Advanced Detection Technology – This alert triggers when Cynet detects a CMD process which executes a command that contains suspicious arguments or is associated with malicious patterns. “VSSADMIN delete shadow /all” is an approach of ransomware in order to delete the shadow copies. Shadow Copy is a technology included in Microsoft Windows that can create backup copies or snapshots of computer files or volumes, even when they are in use. It is implemented as a Windows service called the Volume Shadow Copy service.

INVESTIGATION OVERVIEW

After execution, Maze ransomware renames the encrypts file with a random extension for each file:

Once a computer’s files have been encrypted and renamed, it changes the computer’s background and creates a ransom note at several directories – the ransom notes are named DECRYPT-FILES.html.

The note itself contains an email address to contact the cybercriminals who will provide a decryption tool once the victim sends them the Base64 code which also contains details of the infected host.

RECOMMENDATIONS

Delete all malicious files indicated above.
Block traffic to malicious domain.
Use Cynet built-in remediation options to delete the file.
Use Cynet built-in remediation option to disconnect the HOST from the network.
Investigate incident according to organizations policy.
If necessary, format the endpoint.

Contact Cynet CyOps (Cynet Security Operations Center)

The Cynet CyOps team is available to clients 24/7 for assistance with any issues, questions, or comments related to Cynet 360. For additional information, you may contact us directly at:

Phone (US): +1-347-474-0048

Phone (EU): +44-203-290-9051

Phone (IL): +972-72-336-9736

CyOps Email: [email protected]