Maze ransomware one year on – a SophosLabs report

SophosLabs just published an informative report entitled Maze ransomware: extorting victims for 1 year and counting.

Although this ransomware has existed for more than twelve months, it was originally known simply as ChaCha, after the encryption algorithm it used.

From May 2019, however, the criminals behind it adopted the name “Maze”, and have even come up with their own visual “branding”:

How the Maze virus greets victims on its website.

The criminals even talk to you after scrambling your files – though not in their own voices, of course – and call you by your username to make sure you know that they expect to be paid:

Listen to the audio message that plays after a Maze attack

Sadly, Maze has been in the news quite frequently in recent months, notably because the gang who created it have been in the vanguard of a new wave of “double-whammy” ransomware attacks.

The crooks confront you with not one but two reasons to pay the extortion money:

  • Pay up to get the decryption key to recover your precious files, which we scrambled with the malware.
  • Pay up to stop us releasing your precious files, which we took copies of before we scrambled them.

The early days of ransomware

When ransomware first appeared, way back in 1989, home internet access was essentially unheard of, so the perpetrator of the infamous AIDS Information Trojan had to rely on mailing out floppy diskettes.

These were sent out in real envelopes, with real postage stamps, to tens of thousands of physical addresses around the world.

Encryption was therefore a shortcut that avoided the need to take copies of the victims’ files first in order to hold them to ransom – the files were essentially “kidnapped in place”, meaning that no active connection to any network was needed to commit the crime.

In the 2010s, the first wave of modern file-locking ransomware families such as CryptoLocker, Locky and Teslacrypt followed a similar approach.

Even though the malware was now delivered via the internet, typically via high-volume spam campaigns, the criminals stuck to scrambling files in place before demanding payment.

They aimed to ensnare many thousands of victims at the same time, each of whom would be on the hook for a fee that typically hovered around $300.

Uploading hundreds or thousands of megabytes from tens of thousands of computers would have been a logistical nightmare for the crooks, especially given that the upload speed of a typical home internet connection back then was no more than 1 mbit/sec.

In fact, the crooks didn’t need to upload anything at all, not even the randomly generated encryption key they’d used on each computer they attacked.

All they needed to do was to display the secret decryption key to the victim, after encrypting it with a public encryption key for which the crooks alone possessed the matching private key.

Public-key cryptography uses different keys for locking and unlocking data, and you can’t work backwards from the public key to recover the private key. So the crooks could embed the public key right in their ransomware program, as long as they kept the private key to themselves.

The game has changed

As SophosLabs explains in the new report, the Maze crew was one of the first ransomware gangs out there to turn to a combination of blackmail and extortion, demanding that victims pay what is effectively hush money as well as a kidnap ransom.

In fact, the gang has even set up two different parts of its website: one part where victims go to pay up, and a second where the gang itself does public “press releases” to name and shame victims who refused to co-operate.

The hush money page includes a confronting warning that says:

[I]f you were locked and are trying to ignore it, you should know that:

– All the information about security breach will be released to public
– Commercially valuable information will be sold on dark market
– All the breach information will be sent to Mass Media
– All the stock exchanges you are listed at will be notified that you were hacked, locked and lost sensitive information
– We will use the information gotten to attack your clients and partners. We will also notify them about the source of information

With modern ransomware attacks typically targeting one organisation at a time, and with the Maze crew reportedly going after ransom payments running into hundreds of bitcoins, which comes out at millions of dollars, you can see why these crooks are willing to take time to steal victims’ data first.

What to do?

Given that ransomware crooks are no longer just keeping you away from your data but also threatening to put the rest of the world in touch with it, prevention is very much better than cure.

Our tops tips are:

  • Patch early, patch often. Crooks who pull off all-your-network-at-once attacks can afford to spend time probing for any existing holes they know about. Make it harder for them by patching known bugs as soon as you can.
  • Check that you don’t have unexpected ways into your network. It’s OK to use technologies such as RDP and SSH for remote administration – just make sure your only remote login portals are where you expect them to be and are set up as you intended, for example within a VPN (virtual private network).
  • Watch your logs. Ransomware attacks that steal masses of data first, and where the crooks carefully learn their way around your network, very often leave telltale signs that someone is hanging around where they shouldn’t be.
  • Set up an early-warning email address for staff. Crooks often use phishing emails to dig for passwords or data they arent’t supposed to have in order to find their way in. The crooks very rarely send emails to a single person in an organisation, so one alert staffer who raises the alarm could warn 50 colleagues who might otherwise be in harm’s way.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.