
Maze ransomware one year on – a SophosLabs report

SophosLabs just published an informative report entitled Maze ransomware: extorting victims for 1 year and counting.
Although this ransomware has existed for more than twelve months, it was originally known simply as ChaCha, after the encryption algorithm it used.
From May 2019, however, the criminals behind it adopted the name “Maze”, and have even come up with their own visual “branding”:

How the Maze virus greets victims on its website.

The criminals even talk to you after scrambling your files – though not in their own voices, of course – and call you by your username to make sure you know that they expect to be paid:
Listen to the audio message that plays after a Maze attack

Sadly, Maze has been in the news quite frequently in recent months, notably because the gang who created it have been in the vanguard of a new wave of “double-whammy” ransomware attacks.
The crooks confront you with not one but two reasons to pay the extortion money:

The early days of ransomware

When ransomware first appeared, way back in 1989, home internet access was essentially unheard of, so the perpetrator of the infamous AIDS Information Trojan had to rely on mailing out floppy diskettes.
These were sent out in real envelopes, with real postage stamps, to tens of thousands of physical addresses around the world.
Encryption was therefore a shortcut that avoided the need to take copies of the victims’ files first in order to hold them to ransom – the files were essentially “kidnapped in place”, meaning that no active connection to any network was needed to commit the crime.
In the 2010s, the first wave of modern file-locking ransomware families such as CryptoLocker, Locky and Teslacrypt followed a similar approach.
Even though the malware was now delivered via the internet, typically via high-volume spam campaigns, the criminals stuck to scrambling files in place before demanding payment.
They aimed to ensnare many thousands of victims at the same time, each of whom would be on the hook for a fee that typically hovered around $300.
Uploading hundreds or thousands of megabytes from tens of thousands of computers would have been a logistical nightmare for the crooks, especially given that the upload speed of a typical home internet connection back then was no more than 1 Mbit/s.
In fact, the crooks didn’t need to upload anything at all, not even the randomly generated encryption key they’d used on each computer they attacked.
All they needed to do was to display the secret decryption key to the victim, after encrypting it with a public encryption key for which the crooks alone possessed the matching private key.

Public-key cryptography uses different keys for locking and unlocking data, and you can’t work backwards from the public key to recover the private key. So the crooks could embed the public key right in their ransomware program, as long as they kept the private key to themselves.
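As an added illustration of the key handling described above (example code, not from the SophosLabs report or any malware sample), the Go program below generates a random data key locally, wraps it with an embedded public key, and shows that only the holder of the matching private key can unwrap it. This is why extracting the public key from a sample gives responders no decryptor, and why recovery planning has to assume the data key is unrecoverable; the 2048-bit RSA size and OAEP/SHA-256 padding are assumptions for the illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Key-pair generation happens once, on the crooks' side. Only the public half
// is embedded in the program; the private half never touches a victim machine.
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048) // assumption: 2048-bit RSA
}

// Victim-side step the article describes: a random per-machine data key is
// created locally and wrapped with the embedded public key. Only the wrapped
// blob has to be displayed to the victim; nothing is uploaded anywhere.
// (OAEP with SHA-256 is an assumption for this illustration.)
func wrapFreshDataKey(embeddedPub *rsa.PublicKey) (dataKey, wrapped []byte, err error) {
	dataKey = make([]byte, 32) // constructed 256-bit symmetric key
	if _, err = rand.Read(dataKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, embeddedPub, dataKey, nil)
	return dataKey, wrapped, err
}

// Unwrapping needs the private key. A responder who extracts the public key
// from a sample, or tries any other key, gets an error rather than the data key.
func unwrapDataKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

func main() {
	crooks, _ := newKeyPair()
	dataKey, wrapped, _ := wrapFreshDataKey(&crooks.PublicKey)
	got, err := unwrapDataKey(crooks, wrapped)
	fmt.Println("private-key holder recovers data key:", err == nil && bytes.Equal(got, dataKey))
	other, _ := newKeyPair()
	_, err = unwrapDataKey(other, wrapped)
	fmt.Println("anyone without that private key fails:", err != nil)
}
```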

The game has changed

As SophosLabs explains in the new report, the Maze crew was one of the first ransomware gangs out there to turn to a combination of blackmail and extortion, demanding that victims pay what is effectively hush money as well as a kidnap ransom.
In fact, the gang has even set up two different parts of its website: one part where victims go to pay up, and a second where the gang itself does public “press releases” to name and shame victims who refused to co-operate.
The hush money page includes a confronting warning that says:

[I]f you were locked and are trying to ignore it, you should know that:
– All the information about security breach will be released to public
– Commercially valuable information will be sold on dark market
– All the breach information will be sent to Mass Media
– All the stock exchanges you are listed at will be notified that you were hacked, locked and lost sensitive information
– We will use the information gotten to attack your clients and partners. We will also notify them about the source of information

With modern ransomware attacks typically targeting one organisation at a time, and with the Maze crew reportedly going after ransom payments running into hundreds of bitcoins, which comes out at millions of dollars, you can see why these crooks are willing to take time to steal victims’ data first.

What to do?

Given that ransomware crooks are no longer just keeping you away from your data but also threatening to put the rest of the world in touch with it, prevention is very much better than cure.
Our top tips are:

