Maze — the file-encrypting virus that keeps copies of stolen data from its corporate victims for blackmail
Contents
Maze ransomware virus has been first spotted in late May 2019. Previously, it was known as ChaCha ransomware and since then it has been active in cyberspace for over a year now. This particular cyber threat started to target large scale businesses and keeps the copies of stolen data on remote servers. Such a technique allows the attackers to threaten their victims to expose private information if they refuse to pay the ransom. Security researchers have observed Sodinokibi Ransomware Virus using the same blackmailing method.
What is Maze ransomware?
Maze is a ransomware-type infection that uses cryptographic algorithms to encrypt information on the affected system. It employs symmetric ChaCha (based on Salsa20) and asymmetric RSA-2048 algorithms for protection and data encryption. In other terms, victims are unable to open or use any important data on the infected computer and on others that are connected through the intranet.
Usually, almost all files with the most widely used extensions, such as .doc or .jpg are encrypted and no longer accessible to the users. However, this ransomware avoids files with .lnk, .exe, .sys, and .dll extensions. Also, it avoids modifying the following folders: Games, ProgramData, Low\Content.IE5, All Users, AppData\Local, Windows main directory, Tor Browser, cache2\entries, User Data\Default\Cache, Local Settings, and Program Files.
Furthermore, Maze malware does not encrypt files marked with .inf, .ini, .db, .dat.log, .bin, .dat, .bak extensions and DECRYPT-FILES.txt ransom note. Although, it does crypt ntuser.ini file to stop other ransomware from encrypting it. This particular file is used to create and drop the ransom note in every folder that it can. Finally, after the encryption is done, this cyber threat changes the desktop wallpaper to inform victims about the attack and urges to follow the instructions on the ransom note file.
Criminals behind the malware have their own website
The ransom note by this malware contains two links — URL address to the payment page that should be accessed via the Tor Browser and another address to the website owned by Maze developers. Attackers specify that victims should first try to open the payment site. In case they are unable to do so, they can visit an official website created by cybercriminals for further instructions.
The indicated page for payments uses a unique victim’s ID to generate the amount of money that should be transferred to the attackers. Criminals demand to pay for example $300 in Bitcoins and give a 50% discount if the victim pays up within the first 7 days of the attack. Security researchers note that the price can differ on a case-by-case basis. Also, they offer 3 test decrypts up to 2 MB for proof.
Analyzing further, the official Maze support system website is specified to be used only if the victim cannot reach the payment page. In this website, criminals ask to upload the victim’s DECRYPT-FILES.txt file to tie it to the unique ID and collect the payment. They discourage users from waiting for verified Maze decryption tools since it would supposedly take ages to crack the algorithm.
Finally, the developers of malware use another page to expose the names of their victims that refused to pay the ransom. Since many large scale businesses try to hide security breaches, the attackers aim to expose that. They indicate the date of the infection and offers to download stolen data as evidence of the breach. People are encouraged to share this information via social media link buttons.
How much data is stolen during the attack?
Security researchers cannot indicate the exact amount of information that is stolen during the breach. Although, cybercriminals claim that they usually collect over 100 GB of data from the single victim. Sometimes they are lucky enough to even get 1 TB of commercial and private documents. Attackers specify that they search for data marked with non-disclosure agreements (NDA) in order to use it as a base for a lawsuit against the victimized company. Thus, Maze ransomware removal might not help to fix the damage.
Corporations are threatened since not paying the ransom is stated to lead to a release of public data of the breach to the media, an upload of stolen data on the darknet for sell, informing the stock exchanges about the sensitive data leak, usage of the stolen data to attack company partners and clients. This is the reason why Maze ransomware virus is so successful and generates enormous profits from various well-known companies, including IT services giant Cognizant, UK medical firm Hammersmith Medicines Research (HMR), security staffing company Allied Universal, and others.
Should the firm pay the ransom?
This is probably one of the hardest decisions that the victimized firm could make. Everyone should bear in mind that if companies keep paying up to the criminals, they will only be encouraged to launch similar ransomware attacks in the future. Monetary benefits gained from the infections act as a very strong motivator for the attackers. Therefore, paying the ransom starts a never-ending circle of ransomware attacks for all types of businesses and even individual computer users.
However, your company has to weight all the potential consequences of sensitive information loss and exposure. If the board agrees that keeping private data from the public is crucial, you might need to follow the demands of the cybercriminals. Although, it is essential to investigate how did the brach happen and find all loopholes to patch them. Many large scale businesses have their own IT security departments and install various professional security tools to protect the systems and train their employees. For example, some ransomware-type threats can be eliminated with tools like INTEGO.
Ransomware Summary
| Name | Maze |
| Type | Ransomware, File-encrypting virus, Crypto-malware, File locker |
| Previously known as | ChaCha ransomware |
| Release | May 29th, 2019 |
| OS affected | Windows operating systems |
| Targets | Large scale corporations |
| Similar threats | Sodinokibi ransomware virus |
| Algorithm used | ChaCha20 (based on Salsa20) and RSA-2048 |
| Ransom note | DECRYPT-FILES.txt |
| Symptoms | It encrypts the most valuable information on the system and then extracts it on a remote server; Later, the stolen files are used for blackmail to receive the ransom payment |
| Amount of data stolen | From 100 GB up to 1 TB |
| Avoided extensions and folders | Extensions: .lnk, .exe, .sys, .dll, .inf, .ini, .db, .dat.log, .bin, .dat, .bak; Folders: Games, ProgramData, Low\Content.IE5, All Users, AppData\Local, Windows main directory, Tor Browser, cache2\entries, User Data\Default\Cache, Local Settings, Program Files. |
| Spread | unpatched vulnerabilities, weak passwords on remote desktop connections, malicious spam e-mail campaigns |
| Decryption | Firms can get back access to their files by using the latest backups; although, then criminals claim to expose sensitive information stolen from the company |
| Removal | Most ransomware-type infections cannot be eliminated manually. Usually, people install robust malware removal tools, like INTEGO or others |
How did my company get infected with ransomware?
Usually, developers of file-encrypting viruses that target business giants try to use unpatched vulnerabilities on firms’ computers, brute force weak passwords on remote desktop connections, or release widely employed malicious spam e-mail campaigns. These are the most common Maze virus distribution tactics that lead to successful ransomware infiltrations.
Although, employees should bear in mind that the firm can get infected by a partner company or clients whose computers were attacked by this cyber threat prior. This is a less known spread technique since not many file-encrypting viruses use infected devices to further spread the infection. Everyone within the firm should be very careful.
What are the ways to protect the company from crypto-malware attacks?
Firstly, it is essential for the IT department to update all systems within the organizations with the latest patches for discovered vulnerabilities. Also, the security team should run regular system check-ups for various minor computer infections, such as potentially unwanted programs (PUPs) since they might help infiltrate ransomware-type viruses.
Secondly, every member of the company should be aware that passwords must be unique, contain various numbers, characters, and symbols so that they would be very hard to crack. None of the staff should use the same password on multiple accounts or systems as it puts all firm’s security at risk. Additionally, it is wise to enable two-factor authentication (2FA) where possible.
Furthermore, the company should not keep making offsite backup copies of their data regularly but also encrypt it for safety. If you cannot encrypt some documents for certain reasons, at least encode the most valuable information that could be used against the company’s interests and lead to damaging consequences.
Finally, the employees should receive regular training on how to spot malicious spam e-mails or infected links and work with electronic devices safely. In most cases, ransomware infiltration is caused by the human factor that cannot be eliminated even with the most powerful security tools. Thus, train your staff to avoid such cyber attacks.
Will Maze virus removal help to protect and decrypt data?
Unfortunately, if you remove Maze ransomware virus, the attackers will still be ahold of your firm’s sensitive data. During the attack, cybercriminals extract the most valuable documents on the remote server that only they have access to. Therefore, malware elimination will not help to take back the stolen data from the crooks.
Additionally, Maze removal will not restore the encrypted data to the primary state. For that, you must either have a unique decryption tool or restore your files using the latest backup copy on the Cloud.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS
STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
ransomware Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Scott Bolton is a senior content strategist in our Geek’s Advice team. He is exceptionally passionate about covering the latest information technology themes and inspire other team members to follow new innovations. Despite the fact that Scott is an old-timer among the Geeks, he still enjoys writing comprehensive articles about exciting cybersecurity news or quick tutorials.
Leave a Reply