Maze ransomware is becoming a significant factor in healthcare attacks, and it’s gotten to the point that Interpol has issued a warning to providers across the world. Ransomware is nothing new, but it continues to evolve and adapt to new opportunities and security improvements.
Maze ransomware was previously known as ChaCha ransomware, and it was first observed in May 2019. By November 2019, Maze had become more aggressive and evolved into a three-pronged attack: Exfiltrate, encrypt, and extort. There are multiple steps in this attack:
- Data exfiltration — Upon gaining access to the computer, the attack exports data so that it will be available for the final stage of the attack.
- Backup deletion — Ransomware is executed and begins to delete backups and shadow copies, and then scan for certain types of file extensions to encrypt.
- Encryption — Maze will encrypt the files with the ChaCha algorithm, and then re-encrypt the ChaCha keys with RSA-248. Each encrypted file will be renamed with a random extension.
- Ransom demand — Once the files are encrypted, Maze will create a ransom note named DECRYPT-FILES.txt in each of the affected directories. This file provides instructions and links to tech support to help victims pay the ransom.
- Threat of publication — Victims are advised to pay the ransom or risk having their information published on a public website. The published information could be all of the exfiltrated data or just enough data to prove that the organization was compromised.
One of the largest medical data postings appears to be from New Jersey’s Medical Diagnostics Laboratories (MD Lab) … When MD Lab refused to pay the extortion demand, the hackers went on to publish 9.5 GB of research data in an attempt to force negotiations with the provider. – Source
Like all criminals, Maze attackers cannot be trusted to provide the decryption key or to not publish or sell the exfiltrated data, even if you pay the ransom.
Part of a larger campaign
When it comes to the overall attack, Maze is actually found in the second or third step of a campaign. According to an FBI flash alert, the initial steps in a Maze campaign vary and may include:
- Spear phishing campaigns that trick users into providing credentials or downloading malicious files
- Malicious websites that harvest credentials or install an exploit kit or other malicious files on a victim's machine. These websites may pose as government or COVID-19-related sites.
- Spam campaigns that have infected attachments or contain malicious URLs
Interpol has advised that the Maze attacks on healthcare have only been observed through pandemic-related phishing emails that include a malicious link to the malware in the body of the message or in an attachment.
Recent research has also revealed that cybercriminals still prefer ransomware to other types of crime. The attack surface is much greater now that so many workers have been reassigned to their homes, where they may lack the same level of email protection that they would get in an office.
To protect your organization from ransomware, deploy multiple layers of security to defend all threat vectors and make sure you have comprehensive data protection. Although ransomware attacks can be delivered in several ways, email is the primary vector for this threat. Email protection should include anti-phishing technologies and security awareness training to help end-users recognize these attacks if they get to the inbox.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology and project management credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.
Connect with Christine on LinkedIn here.