Maze shutting down finally đŸ’«

The Maze cybercrime gang is shutting down its operations that began its operation in may 2019 after rising to become one of the most prominent players performing ransomware attacks.

A double-extortion tactic introduced by Maze to exfilterates the data before encryption

Once encrypted, they demand ransom . If victim fails to pay they publish those data in maze site which started to be in limelight

This double-extortion technique was quickly adopted by other large ransomware operations, including REvil, Clop, DoppelPaymer, who released their own data leak sites. This double-extortion technique has now become a standard tactic used by almost all ransomware operations.

Maze continued to evolve ransomware operations by forming a ransomware cartel with Ragnar Locker and LockBit, to share information and tactics.

During their year and a half cybercrime spree, Maze has been responsible for attacks on notable victims, including Southwire, City of Pensacola, Canon, LG Electronics, Xerox, and many more.

Maze started to shut down six weeks ago
In a similar manner as GandCrab did in 2019.lastly Barnes and Noble ransomware attack.

This threat actor stated that they take part in ransomware attacks by compromising networks and stealing Windows domain credentials. The compromised networks are then passed to affiliates who deploy the ransomware.

Maze has started to remove victims that they had listed on their data leak site. All that is left on the site are two victims and those who previously and had all of their data published.The cleaning up of the data leak site indicates that the ransomware operation’s shutdown is imminent.

It is not uncommon for ransomware operations to release the master decryption keys when they shut down their operation, as was done with Crysis, TeslaCrypt, and Shade.

Maze affiliates have switched over to a new ransomware operation called Egregor which began operating in the middle of September, just as Maze started shutting down their encryption operation.

This is believed to be the same underlying software as both Maze and Sekhmet as they utilize the same ransom notes, similar payment site naming, and share much of the same code.

This was also confirmed by a ransomware threat actor who stated that Maze, Sekhmet, and Egregor were the same software.when a ransomware operation shuts down, it does not mean the threat actors involved retire as well. They just move to the next ransomware operation.

Maze infects via VM đŸŸ

The gang responsible for the Maze ransomware family conducted an attack in which they distributed their malware payload inside of a virtual machine (VM).

The attackers packaged the ransomware payload inside of a Windows .msi installer file that was more than 700MB in size and distributed it onto the VM’s virtual hard drive.

A look inside the Maze-delivered VM, with the 495KB ransomware payload clearly visible. (Source: Sophos MTR)

An investigation into the attack revealed that the malicious actors had been present on the targeted organization’s network for at least six days prior to distributing their ransomware payload. During that period, they had built lists of internal IP addresses, used one of the organization’s domain controller servers and exfiltrated information to data leak site

This dwell time could explain the existence of certain configurations of the Maze-delivered VM. As quoted by Sophos’ MTR in its research:

The virtual machine was, apparently, configured in advance by someone who knew something about the victim’s network, because its configuration file (“micro.xml”) maps two drive letters that are used as shared network drives in this particular organization, presumably so it can encrypt the files on those shares as well as on the local machine. It also creates a folder in C:\SDRSMLINK\ and shares this folder with the rest of the network.

The campaign described above wasn’t the first instance in which attackers have delivered ransomware inside a virtual machine. Sophos’ MTR spotted the Ragner locker crypto-malware family pull the same trick.

The virtual machine in that attack ran Windows XP as opposed to the Windows 7 instance on the VM containing Maze. Furthermore, the latter VM was larger in size in order to support additional functionality.

Backup ! Backup ! Backup ! Not only required … Hygienic cyber policy required.

Rainy Ransomware August ! Strom hit

Large-scale breaches have mushroomed in 2020, with an increase of 273% in the first quarter as compared to the previous year. Ransomware is among the most common types of attacks and is up by 90%, as per a recent report

Tricks up their Sleeves

Ransomware operators have started using memory-mapped I/O to encrypt files, making it difficult for behavior-based anti-ransomware solutions to monitor malicious activities.

WastedLocker is using this technique to encrypt cached documents in memory, without causing additional disk I/O, which can shield it from behavior-monitoring software.

Researchers have identified a new element in recent Sodinokibi (REvil) campaigns, wherein they scan compromised networks for PoS software to make additional money from payment information. Attackers might directly use the payment information to strip accounts or sell them on underground forums.

Ransomware Attackers Up the Ante
Allegedly, Maze ransomware operators have infected the network of SK Hynix, the RAM and flash memory supplier, and leaked some of the stolen files on their website as proof of the infiltration, holding the semiconductor giant to ransom.

A ransomware attack targeted the services of SnapFulfil, a cloud-based warehouse management software provider, disrupting warehouse operations for a minimum of one of its customers. The U.K-based company is working with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) to restore its systems.

Hackers accessed guest and employee data and encrypted a portion of the IT systems of one of the brands of British-American cruise operator, Carnival, in a ransomware attack.

Netwalker ransomware operators attacked Forsee Power, a lithium-ion battery systems provider, and shared a few screenshots of folders containing sensitive data as evidence of the breach on their online blog.

Brown-Forman, the makers of Jack Daniel’s, lost 1TB of corporate data at the hands of Sodinokibi ransomware. Some of the other firms that fell victim to ransomware attacks this month include Konica Minolta, SPIE group, R1 RCM, Boyce Technologies, LG, Xerox, and Canon.

While many organizations use the conventional signature-based solutions to protect their data, files, and systems, they need to take a more comprehensive approach toward security to address the threats posed by evolving ransomware. Not only endpoint security protects… Defence in depth must be maintained at a granular level to upheld the security.

Maze Cartel ! Expands

The Maze ransomware “cartel” is growing.

Two more ransomware gangs, Conti and SunCrypt, have apparently joined the Maze collective, which currently consists of Maze, LockBit and Ragnar Locker.

Maze operators announced the creation of a ransomware cartel that included other cybercrime gangs, which teamed up to share resources, leak victims’ data on Maze’s “news” site and extort their victims.

The Conti ransomware gang, which recently launched its own data leak site, is collaborating with Maze. “They’ve published data from a number of Maze attacks,”.

Conti may be a replacement for Ryuk, which has seen a significant dip in activity in recent weeks. It shares some of its code with Ryuk, uses the same note and also the same infrastructure, which could indicate it was created by the Ryuk team or a splinter group.

Recently,researchers came across a leak disclosure post in which Conti ransomware operators claim to have allegedly breached the Volkswagen Group.

The further expansion highlights Maze’s increasing momentum, which has claimed responsibility for several high-profile ransomware attacks in recent months. Earlier this month, a major cyberattack on technology giant Canon was believed to the latest work of the cybercriminal gang.