Maze Ransomware Sophos



It’s been a year since the Maze ransomware gang began its rise to notoriety. Previously identified as “ChaCha ransomware” (a name taken from the stream cipher used by the malware to encrypt files), the Maze “brand” was first affixed to the ransomware in May 2019.


Sophos Maze Ransomware

Initial samples of Maze were tied to fake websites loaded with exploit kits. Since then, Maze has been delivered by multiple means: exploit kits, spam emails, and—as the group’s operations have become more targeted—Remote Desktop Protocol attacks and other network exploitation.

But aside from the gang’s adjustments in initial compromise approaches, the Maze group has risen in prominence largely because of its extortion tactics: following through on threats to expose victims’ data in public “dumps” of stolen data, and offering victim data on cybercrime forums if no payment is made.

Ransomware

While Maze did not invent the

| SHA256 | filename |
| --- | --- |
| 4acba1590552c9b2b82f5a786cedc8a12ca457e355c94f666efef99073827f89 | love.dll |
| 20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd | argfdg, arsgt35yy, maze.exe |
| 3c2be967cbaaafecf8256167ba32d74435c621e566beb06a1ead9d33d7e62d64 | Attack!.rar |
| 7a84d10ac55622cdac25f52170459ae5b8181ee3fc345eb1b1dcbd958b344aa6 | Ave Kim, Emperor.exe |

Maze Ransomware Sophos Security

Sophos, the global provider of next-generation cybersecurity solutions, has published a report, “Maze Attackers Adopt Ragnar Locker Virtual Machine Technique,” which shows how attackers tried three different ways to execute Maze ransomware during a single attack while demanding a. While conducting an investigation into an attack in July in which the attackers repeatedly attempted to infect computers with Maze ransomware, analysts with Sophos’ Managed Threat Response (MTR) discovered that the attackers had adopted a technique pioneered by the threat actors behind Ragnar Locker earlier this year, in which the ransomware payload was distributed inside of a virtual machine (VM).