Geek's Advice

Maze — the file-encrypting virus that keeps copies of stolen data from its corporate victims for blackmail

Maze ransomware virus has been first spotted in late May 2019. Previously, it was known as ChaCha ransomware and since then it has been active in cyberspace for over a year now. This particular cyber threat started to target large scale businesses and keeps the copies of stolen data on remote servers. Such a technique allows the attackers to threaten their victims to expose private information if they refuse to pay the ransom. Security researchers have observed Sodinokibi Ransomware Virus using the same blackmailing method.

What is Maze ransomware?

Maze is a ransomware-type infection that uses cryptographic algorithms to encrypt information on the affected system. It employs symmetric ChaCha (based on Salsa20) and asymmetric RSA-2048 algorithms for protection and data encryption. In other terms, victims are unable to open or use any important data on the infected computer and on others that are connected through the intranet.

Usually, almost all files with the most widely used extensions, such as .doc or .jpg are encrypted and no longer accessible to the users. However, this ransomware avoids files with .lnk, .exe, .sys, and .dll extensions. Also, it avoids modifying the following folders: Games, ProgramData, Low\Content.IE5, All Users, AppData\Local, Windows main directory, Tor Browser, cache2\entries, User Data\Default\Cache, Local Settings, and Program Files.

Furthermore, Maze malware does not encrypt files marked with .inf, .ini, .db, .dat.log, .bin, .dat, .bak extensions and DECRYPT-FILES.txt ransom note. Although, it does crypt ntuser.ini file to stop other ransomware from encrypting it. This particular file is used to create and drop the ransom note in every folder that it can. Finally, after the encryption is done, this cyber threat changes the desktop wallpaper to inform victims about the attack and urges to follow the instructions on the ransom note file.

Criminals behind the malware have their own website

The ransom note by this malware contains two links — URL address to the payment page that should be accessed via the Tor Browser and another address to the website owned by Maze developers. Attackers specify that victims should first try to open the payment site. In case they are unable to do so, they can visit an official website created by cybercriminals for further instructions.

The indicated page for payments uses a unique victim’s ID to generate the amount of money that should be transferred to the attackers. Criminals demand to pay for example $300 in Bitcoins and give a 50% discount if the victim pays up within the first 7 days of the attack. Security researchers note that the price can differ on a case-by-case basis. Also, they offer 3 test decrypts up to 2 MB for proof.

Analyzing further, the official Maze support system website is specified to be used only if the victim cannot reach the payment page. In this website, criminals ask to upload the victim’s DECRYPT-FILES.txt file to tie it to the unique ID and collect the payment. They discourage users from waiting for verified Maze decryption tools since it would supposedly take ages to crack the algorithm.

Finally, the developers of malware use another page to expose the names of their victims that refused to pay the ransom. Since many large scale businesses try to hide security breaches, the attackers aim to expose that. They indicate the date of the infection and offers to download stolen data as evidence of the breach. People are encouraged to share this information via social media link buttons.

How much data is stolen during the attack?

Security researchers cannot indicate the exact amount of information that is stolen during the breach. Although, cybercriminals claim that they usually collect over 100 GB of data from the single victim. Sometimes they are lucky enough to even get 1 TB of commercial and private documents. Attackers specify that they search for data marked with non-disclosure agreements (NDA) in order to use it as a base for a lawsuit against the victimized company. Thus, Maze ransomware removal might not help to fix the damage.

Corporations are threatened since not paying the ransom is stated to lead to a release of public data of the breach to the media, an upload of stolen data on the darknet for sell, informing the stock exchanges about the sensitive data leak, usage of the stolen data to attack company partners and clients. This is the reason why Maze ransomware virus is so successful and generates enormous profits from various well-known companies, including IT services giant Cognizant, UK medical firm Hammersmith Medicines Research (HMR), security staffing company Allied Universal, and others.

Should the firm pay the ransom?

This is probably one of the hardest decisions that the victimized firm could make. Everyone should bear in mind that if companies keep paying up to the criminals, they will only be encouraged to launch similar ransomware attacks in the future. Monetary benefits gained from the infections act as a very strong motivator for the attackers. Therefore, paying the ransom starts a never-ending circle of ransomware attacks for all types of businesses and even individual computer users.

However, your company has to weight all the potential consequences of sensitive information loss and exposure. If the board agrees that keeping private data from the public is crucial, you might need to follow the demands of the cybercriminals. Although, it is essential to investigate how did the brach happen and find all loopholes to patch them. Many large scale businesses have their own IT security departments and install various professional security tools to protect the systems and train their employees. For example, some ransomware-type threats can be eliminated with tools like INTEGO.

Ransomware Summary

Name	Maze
Type	Ransomware, File-encrypting virus, Crypto-malware, File locker
Previously known as	ChaCha ransomware
Release	May 29th, 2019
OS affected	Windows operating systems
Targets	Large scale corporations
Similar threats	Sodinokibi ransomware virus
Algorithm used	ChaCha20 (based on Salsa20) and RSA-2048
Ransom note	DECRYPT-FILES.txt
Symptoms	It encrypts the most valuable information on the system and then extracts it on a remote server; Later, the stolen files are used for blackmail to receive the ransom payment
Amount of data stolen	From 100 GB up to 1 TB
Avoided extensions and folders	Extensions: .lnk, .exe, .sys, .dll, .inf, .ini, .db, .dat.log, .bin, .dat, .bak; Folders: Games, ProgramData, Low\Content.IE5, All Users, AppData\Local, Windows main directory, Tor Browser, cache2\entries, User Data\Default\Cache, Local Settings, Program Files.
Spread	unpatched vulnerabilities, weak passwords on remote desktop connections, malicious spam e-mail campaigns
Decryption	Firms can get back access to their files by using the latest backups; although, then criminals claim to expose sensitive information stolen from the company
Removal	Most ransomware-type infections cannot be eliminated manually. Usually, people install robust malware removal tools, like INTEGO or others

How did my company get infected with ransomware?

Usually, developers of file-encrypting viruses that target business giants try to use unpatched vulnerabilities on firms’ computers, brute force weak passwords on remote desktop connections, or release widely employed malicious spam e-mail campaigns. These are the most common Maze virus distribution tactics that lead to successful ransomware infiltrations.

Although, employees should bear in mind that the firm can get infected by a partner company or clients whose computers were attacked by this cyber threat prior. This is a less known spread technique since not many file-encrypting viruses use infected devices to further spread the infection. Everyone within the firm should be very careful.

What are the ways to protect the company from crypto-malware attacks?

Firstly, it is essential for the IT department to update all systems within the organizations with the latest patches for discovered vulnerabilities. Also, the security team should run regular system check-ups for various minor computer infections, such as potentially unwanted programs (PUPs) since they might help infiltrate ransomware-type viruses.

Secondly, every member of the company should be aware that passwords must be unique, contain various numbers, characters, and symbols so that they would be very hard to crack. None of the staff should use the same password on multiple accounts or systems as it puts all firm’s security at risk. Additionally, it is wise to enable two-factor authentication (2FA) where possible.

Furthermore, the company should not keep making offsite backup copies of their data regularly but also encrypt it for safety. If you cannot encrypt some documents for certain reasons, at least encode the most valuable information that could be used against the company’s interests and lead to damaging consequences.

Finally, the employees should receive regular training on how to spot malicious spam e-mails or infected links and work with electronic devices safely. In most cases, ransomware infiltration is caused by the human factor that cannot be eliminated even with the most powerful security tools. Thus, train your staff to avoid such cyber attacks.

Will Maze virus removal help to protect and decrypt data?

Unfortunately, if you remove Maze ransomware virus, the attackers will still be ahold of your firm’s sensitive data. During the attack, cybercriminals extract the most valuable documents on the remote server that only they have access to. Therefore, malware elimination will not help to take back the stolen data from the crooks.

Additionally, Maze removal will not restore the encrypted data to the primary state. For that, you must either have a unique decryption tool or restore your files using the latest backup copy on the Cloud.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

Alternative software recommendations

Malwarebytes Anti-Malware

Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense

If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.