Maze is a particularly sophisticated strain of Windows ransomware that has hit companies and organizations around the world and demanded that a cryptocurrency payment be made in exchange for the safe recovery of encrypted data.
THERE’S BEEN PLENTY OF RANSOMWARE BEFORE. WHAT MAKES MAZE SO SPECIAL?
Like other ransomware seen in the past, Maze can spread across a corporate network, infect the computers it finds and encrypt data so it cannot be accessed.
But what makes Maze more dangerous is that it also steals the data it finds and exfiltrates it to servers controlled by malicious hackers, who then threaten to release it if a ransom is not paid. Increasingly, other ransomware (such as REvil, also known as Sodinokibi) has been observed using similar tactics.
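Because the theft happens before the encryption, the transfer of the data out of the network is the point at which a defender can still intervene. The following is an added example, not code from the article or from any vendor product: it runs a simple volume check over a few constructed egress-log lines and flags a host that has pushed an unusual amount of data to a destination never seen before, outside working hours. The one-line-per-connection log format, the host names and the thresholds are all assumptions.

```python
"""Flag outbound transfers that look like bulk data theft ahead of a ransom demand.

Added example, not from the article: the egress-log lines below are constructed,
and the one-line-per-connection format "<ISO time> <source host> <destination> <bytes out>"
is an assumption, not any real proxy's native format.
"""
from collections import defaultdict

# Constructed egress log lines: two ordinary workstations, then a file server
# pushing well over a gigabyte to an address never seen in the baseline, at night.
SAMPLE_LOG = """\
2020-04-20T09:01:12Z ws-finance-07 crm.example-saas.com 48213
2020-04-20T09:02:40Z ws-finance-07 crm.example-saas.com 51002
2020-04-20T09:05:03Z ws-hr-02 mail.example.com 120877
2020-04-20T22:14:09Z fs-01 203.0.113.45 734003200
2020-04-20T22:31:55Z fs-01 203.0.113.45 812345678
2020-04-20T23:02:11Z ws-hr-02 mail.example.com 98211
"""

# Destinations observed during normal business activity (constructed baseline).
KNOWN_DESTINATIONS = {"crm.example-saas.com", "mail.example.com"}
BULK_THRESHOLD_BYTES = 500 * 1024 * 1024   # 500 MiB per (source, destination) pair
OFF_HOURS = set(range(0, 6)) | set(range(20, 24))  # hours (UTC) outside the working day


def parse_log(text):
    """Turn the constructed log text into a list of connection records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes)})
    return records


def aggregate_outbound(records):
    """Sum bytes sent per (source host, destination) pair and note off-hours activity."""
    totals = defaultdict(lambda: {"bytes": 0, "off_hours": False})
    for r in records:
        pair = totals[(r["src"], r["dst"])]
        pair["bytes"] += r["bytes"]
        hour = int(r["ts"][11:13])          # HH from the ISO-8601 timestamp
        if hour in OFF_HOURS:
            pair["off_hours"] = True
    return dict(totals)


def find_exfil_candidates(records, threshold=BULK_THRESHOLD_BYTES, known=KNOWN_DESTINATIONS):
    """Alert on pairs that moved at least `threshold` bytes; attach corroborating signals.

    Volume is the required signal: an unknown destination or off-hours timing on its own
    is too common to alert on, but either one makes a bulk transfer more suspicious.
    """
    alerts = []
    for (src, dst), info in aggregate_outbound(records).items():
        if info["bytes"] < threshold:
            continue
        reasons = [f"{info['bytes'] / (1024 * 1024):.0f} MiB sent to one destination"]
        if dst not in known:
            reasons.append("destination not in baseline")
        if info["off_hours"]:
            reasons.append("transfer outside working hours")
        alerts.append({"src": src, "dst": dst, "bytes": info["bytes"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(f"{alert['src']} -> {alert['dst']}: " + "; ".join(alert["reasons"]))
```

Run against the constructed lines it reports only the file server, with all three signals attached. In practice the baseline of known destinations and the byte threshold come from a few weeks of the organisation's own egress data, and the same aggregation can be keyed on destination ASN or country rather than on a single address.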
SO SIMPLY RESTORING FROM A BACKUP…?
…isn’t enough. Yes, restoring your data from a secure backup can get you back up and running again (if the backup hasn’t itself been compromised, of course), but it doesn’t undo the fact that criminals now have a copy of your company’s data.
SO THIS IS A COMBINATION OF A RANSOMWARE ATTACK AND A DATA BREACH?
Yup. And as a website operated by the criminals behind the Maze attacks claims, if the ransom is not paid, they will:
- Release public details of your security breach and inform the media
- Sell stolen information with commercial value on the dark market
- Tell any stock exchanges on which your company might be listed about the hack and the loss of sensitive information
- Use stolen information to attack clients and partners as well as inform them that your company was hacked.
THIS IS MUCH WORSE THAN JUST BEING HIT BY RANSOMWARE
Yes, it is. It appears that the Maze ransomware gang is not only capable of writing sophisticated malware. They have also found a very effective way of increasing the pressure on their corporate “clients” to pay up.
One has to assume that the attackers saw that many organizations now have more rigorous backup regimes in place and realized that they needed to up the ante if they were to maximize their potential criminal earnings.
THE MAZE GUYS HAVE A WEBSITE?
Yes, on their website they list their “new clients” (their term for recent corporate victims who have failed to pay up and who might be trying to keep news of their security breach out of the press).
The website includes details of when victims had their computer systems hit by the Maze ransomware as well as links to downloads of stolen data and documents as “proof.”
There are even convenient buttons on the website to share details of breaches via social media.
WHAT TYPES OF ORGANIZATIONS HAVE BEEN HIT BY MAZE?
Cognizant, the multinational IT services giant, revealed last week that it had been hit by Maze.
Other victims have included medical research organizations, professional security services and law firms.
HOW DOES THE MAZE RANSOMWARE INFECT AN ORGANIZATION IN THE FIRST PLACE?
The attackers use a variety of different techniques to compromise your network. These can include exploitation of known vulnerabilities that have not been patched, remote desktop connections protected by weak passwords, and malicious email attachments and/or links. In some cases, the attack may actually come from a client or partner of yours who has already fallen victim to the hackers.
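Of the entry routes just listed, weakly protected remote desktop access is the one that leaves the clearest trail in a Windows Security log: a run of failed logons from one address, often against many different account names, sometimes followed by a success. The following is an added example, not code from the article: it runs a burst detector over a few constructed logon events and reports the address, the accounts tried and the account that eventually got in. The flattened one-line event format is an assumption standing in for the fields of the real 4625 (failed logon) and 4624 (successful logon) events; the addresses, account names and threshold are constructed.

```python
"""Spot RDP password-guessing bursts, and a success that follows one, in Windows logon events.

Added example, not from the article: the event lines are constructed, and the
flattened format "<ISO time> <EventID> <account> <source IP> <logon type>" is an
assumption standing in for fields of the real Security log events
(4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: one external address guesses five accounts in ten seconds and then
# gets in as jsmith; an internal user mistypes a password once and then logs on normally.
SAMPLE_EVENTS = """\
2020-04-20T03:10:01Z 4625 administrator 198.51.100.23 10
2020-04-20T03:10:03Z 4625 admin 198.51.100.23 10
2020-04-20T03:10:05Z 4625 backup 198.51.100.23 10
2020-04-20T03:10:07Z 4625 jsmith 198.51.100.23 10
2020-04-20T03:10:09Z 4625 svc_sql 198.51.100.23 10
2020-04-20T03:10:12Z 4624 jsmith 198.51.100.23 10
2020-04-20T09:15:30Z 4625 mjones 10.0.0.14 10
2020-04-20T09:15:41Z 4624 mjones 10.0.0.14 10
"""

FAILURE_THRESHOLD = 5          # failed RDP logons from one address ...
WINDOW = timedelta(minutes=5)  # ... within this span count as a burst
RDP_LOGON_TYPE = 10


def parse_events(text):
    """Turn the constructed event text into a list of event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, ip, logon_type = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "id": int(event_id), "user": user, "ip": ip, "type": int(logon_type),
        })
    return events


def detect_rdp_bursts(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one alert per source address whose RDP failures reach `threshold` within `window`.

    Each alert records the distinct accounts tried (many accounts, few attempts each is the
    password-spraying pattern) and the first successful RDP logon from that address after
    the burst, which is the event that should open an incident rather than a ticket.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["type"] == RDP_LOGON_TYPE:
            by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["id"] == 4625]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            burst_end = burst[-1]["ts"]
            success = next((e for e in evs if e["id"] == 4624 and e["ts"] >= burst_end), None)
            alerts.append({
                "ip": ip,
                "failures": len(burst),
                "accounts": sorted({f["user"] for f in burst}),
                "success_as": success["user"] if success else None,
            })
            break  # one alert per address is enough; later failures belong to the same burst
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"{a['ip']}: {a['failures']} failed RDP logons across {len(a['accounts'])} accounts"
              + (f", then logged on as {a['success_as']}" if a["success_as"] else ""))
```

The single mistyped password from the internal address never reaches the threshold, so only the external burst is reported. The same logic is the basis for an account-lockout or rate-limiting policy in front of any remote desktop service that has to stay reachable, and it complements rather than replaces multi-factor authentication on those logons.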
SO WHAT SHOULD MY COMPANY BE DOING TO PROTECT ITSELF FROM THE MAZE RANSOMWARE?
You should still be making secure offsite backups. You should still be running up-to-date security solutions and ensuring that your computers are protected with the latest patches against newly-discovered vulnerabilities. You should still be using hard-to-crack, unique passwords to protect sensitive data and accounts as well as enabling multi-factor authentication. You should still be encrypting your sensitive data wherever possible. You should still be educating and informing staff about risks and the methods used by cybercriminals to electronically infiltrate organizations.