June 6, 2023

A small write-up on Maze, a ransomware family that has drawn a lot of attention recently. Its techniques are fairly traditional, but it is powerful compared to most of its peers.

What is Maze?
Maze, also known as ChaCha, is ransomware that was first observed in May 2019. At first it was a rather unremarkable ransomware family used in ordinary extortion campaigns. Beginning around October 2019, Maze became more aggressive and far more public.

Going a step beyond nearly any ransomware seen before it, in November 2019 the Maze operators began publicly outing their victims by posting the names of companies that had not complied with their ransom demands. Attack campaigns employing Maze typically pose as legitimate government agencies or security vendors to get a foothold, then steal and encrypt data in order to extort the data owner.

Maze is used as part of a multi-stage attack. Generally speaking, Maze appears in the second or third stage of these campaigns and is rarely the initial access technique itself.

What makes Maze different from other ransomware?

Traditional ransomware simply encrypts a victim’s files and demands payment for the key. Maze’s functionality far exceeds this traditional approach by using a 1-2-3 combination of:

Exfiltrate
Encrypt
Extort

When comparing Maze to most other ransomware, the clear difference is that it exfiltrates the victim’s data (in the clear, before encrypting it) and then uses that copy to extort the victim. The end result is what has been described as a ransomware “double whammy”: whereas most ransomware merely encrypts local victim data, Maze can apply more pressure by threatening to leak the stolen data if the ransom is not paid.

This threat should be taken seriously, as Trend Micro researchers have noted that attack groups using Maze have made good on it and released sensitive victim information to the public via “name and shame” websites. In mid-December 2019 this leaking entailed posting documents and raw databases belonging to noncompliant victims.
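Because Maze-style operators steal data before they encrypt it, the sequence "unusual outbound volume from a host, followed shortly by a burst of file modifications on the same host" is a stronger signal than either event alone. The following correlator is an added example written for this post, not code from the original article or from any vendor; the event schema, thresholds and log lines are constructed for illustration and are not Maze indicators.

```python
"""Correlate an outbound-transfer burst with a later mass file modification.

Constructed example (assumed schema): each telemetry line is
    "<iso timestamp> <host> <event> <value>"
where event is NET_OUT (value = bytes sent) or FILE_MOD (value = path).
Adapt parse() to your own proxy/EDR format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds. These are assumptions for the example, not Maze IOCs.
EXFIL_BYTES = 500 * 1024 * 1024       # >= 500 MB out within EXFIL_WINDOW
EXFIL_WINDOW = timedelta(hours=1)
WRITE_BURST = 200                      # >= 200 file writes within WRITE_WINDOW
WRITE_WINDOW = timedelta(minutes=5)
MAX_GAP = timedelta(hours=6)           # burst must follow exfil within this gap


def parse(line):
    """Split one telemetry line into (timestamp, host, event, value)."""
    ts, host, event, value = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, event, value


def first_window_hit(points, window, threshold):
    """points: sorted list of (timestamp, weight).

    Slide a window of length `window` over the points and return the
    timestamp at which the summed weight first reaches `threshold`,
    or None if it never does.
    """
    total = 0
    start = 0
    for ts, weight in points:
        total += weight
        while ts - points[start][0] > window:   # drop points that fell out
            total -= points[start][1]
            start += 1
        if total >= threshold:
            return ts
    return None


def correlate(lines):
    """Return sorted (host, exfil_ts, burst_ts) for hosts that show a large
    outbound transfer followed by a file-modification burst."""
    net = defaultdict(list)
    mods = defaultdict(list)
    for line in lines:
        ts, host, event, value = parse(line)
        if event == "NET_OUT":
            net[host].append((ts, int(value)))
        elif event == "FILE_MOD":
            mods[host].append((ts, 1))

    alerts = []
    for host in set(net) | set(mods):
        net[host].sort()
        mods[host].sort()
        exfil_ts = first_window_hit(net[host], EXFIL_WINDOW, EXFIL_BYTES)
        if exfil_ts is None:
            continue
        # Only file modifications after the exfil threshold was crossed count:
        # the encryption phase is expected to come after the theft, not before.
        later = [p for p in mods[host] if p[0] >= exfil_ts]
        burst_ts = first_window_hit(later, WRITE_WINDOW, WRITE_BURST)
        if burst_ts is not None and burst_ts - exfil_ts <= MAX_GAP:
            alerts.append((host, exfil_ts, burst_ts))
    return sorted(alerts)


def sample_lines():
    """Constructed telemetry: one true positive and two benign look-alikes."""
    base = datetime(2020, 3, 10, 1, 0, 0)
    lines = []
    # WS-17: 600 MB out over 25 minutes, then 300 file writes two hours later.
    for i in range(6):
        lines.append(f"{(base + timedelta(minutes=5 * i)).isoformat()} "
                     f"WS-17 NET_OUT {100 * 1024 * 1024}")
    for i in range(300):
        lines.append(f"{(base + timedelta(hours=2, seconds=i * 0.4)).isoformat()} "
                     f"WS-17 FILE_MOD C:\\Users\\a\\doc{i}.docx")
    # WS-22: nightly backup, large outbound volume but no write burst.
    for i in range(6):
        lines.append(f"{(base + timedelta(minutes=5 * i)).isoformat()} "
                     f"WS-22 NET_OUT {100 * 1024 * 1024}")
    # WS-31: build server, many writes but nothing leaving the host.
    for i in range(300):
        lines.append(f"{(base + timedelta(seconds=i * 0.4)).isoformat()} "
                     f"WS-31 FILE_MOD D:\\build\\obj{i}.o")
    return lines


if __name__ == "__main__":
    for host, exfil_ts, burst_ts in correlate(sample_lines()):
        print(f"ALERT {host}: exfil threshold at {exfil_ts}, "
              f"write burst at {burst_ts}")
```

Only WS-17 is reported: the backup host trips the exfil threshold but never bursts, and the build server bursts but never exfiltrates. The two-threshold design is deliberate; either signal on its own is noisy in most environments, and the ordering constraint (theft before encryption) is what the double-extortion playbook gives the defender to key on.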

How does Maze work?
Ransomware only needs to gain entry to a system to work; gaining that entry is far more than the proverbial “half the battle” and is closer to the battle itself.

In addition to the social engineering and spam email campaigns that most ransomware relies on to gain entry, Maze has also been delivered through exploit kits via drive-by downloads. An exploit kit is a bundle of exploits for known software vulnerabilities, packaged as an all-in-one tool that fingerprints a visitor’s browser and plugins and fires whichever exploit applies.

One of the exploit kits used to deliver Maze is Fallout, which incorporates various publicly available exploits, some of them taken from GitHub. One of these targets the Adobe Flash Player vulnerability CVE-2018-15982. Fallout is a relatively new exploit kit that uses PowerShell rather than the browser itself to fetch and run its payload. Maze has also been observed being delivered by Spelevo, another exploit kit.

In some incidents, for reasons that are not known, the Maze group did not publish the sensitive information itself but instead posted only a list of the leaked data and affected hosts as proof of the attack. Even that is highly uncommon for a ransomware operation.
Stay home, stay safe

Conclusion
Ransomware has been around for years now, and we are starting to see families that break the mold and forge a new direction. Maze differs from other ransomware in many significant ways, from its data theft and extortion capabilities to the heart of the attack itself, gaining entry.
