Since the beginning of the calendar year, Palo Alto Networks has detected an uptick in Maze ransomware samples across multiple industries. As a result, we’ve created this general threat assessment post on the Maze ransomware activities and a full visualization of these techniques can be viewed in the Unit 42 Playbook Viewer.
Maze ransomware, a variant of ChaCha ransomware, was first observed in May 2019 and has targeted organizations in North America, South America, Europe, Asia, and Australia. This ransomware is typically distributed via emails containing weaponized Word or Excel attachments. However, it has also been distributed via exploit kits such as the Spelevo Exploit Kit, which has been used with Flash Player vulnerabilities CVE-2018-15982 and CVE-2018-4878. Maze ransomware has also utilized exploits CVE-2019-11510 (Pulse VPN), as well as CVE-2018-8174 (Internet Explorer) to get into a network.
The malware first establishes a foothold within the environment. It then obtains elevated privileges, conducts lateral movement, and begins file encryption across all drives. However, before encrypting the data, these operators may exfiltrate the files to be used for further coercion, including public exposure. Without the proper protections in place, a Maze ransomware infection will cripple normal business operations, and sensitive information will be compromised, resulting in a monetary loss.
Source: Palo Alto