Ransomware: Maze
Last updated
Attackers use Maze ransomware to encrypt organizations' files and issue ransom demands in return for the decryption keys. In this lab, you’ll observe how attackers execute the Maze ransomware strain. You’ll then perform static, dynamic, and log analysis tasks to extract indicators of compromise from the malware and its behavior.
Maze operates under an affiliate model, commonly referred to as ransomware as a service. The affiliates have used several distribution methods to target their victims. Attacks can be either targeted or indiscriminate, depending on the affiliate.
Initially, the primary method of malware delivery was web exploit kits implanted in legitimate websites.
More recently, Office documents with macros have been used to deliver and install the ransomware on victim machines. These tend to use standard phishing themes: tax, invoice, deliveries, and trending news stories.
Throughout the campaigns, email has been used to deliver infected documents or links to compromised websites. These emails match the themes used for the malicious attachments.
Like most modern malware, Maze has a "secure" implementation – meaning when files are encrypted, they can't be decrypted again unless the ransom is paid and the attacker sends over the recovery key.
The encryption uses a combination of ChaCha and RSA-2048 on all but essential operating system files. The ransomware will also target all drives on the infected machine, including USB drives and shared network drives.
It doesn't have the ability to self-replicate across networks, but in the event of manual exploitation, it's possible the operator could reach multiple hosts.
Maze operators run an interactive website with live help; this website can be accessed via the dark web or a standard internet browser. The site also lets the operators prove they can decrypt files by offering a free test decryption.
As with most ransomware operators, there's been a shift to post-compromise deployment of the ransomware. This shift enables operators to exfiltrate stolen documents that can be used as leverage when attempting to force a ransom payment.
This technique is not unique to Maze and has been observed with other malware families.
When ransomware is executed on a host with logging enabled, several key indicators can reveal that ransomware is running. This lab uses a custom Sysmon configuration that logs only specific events.
Useful Sysmon event logs to search for include:
Event ID 1: Process creation
Event ID 11: FileCreate
Event ID 23: FileDelete
Additional common indicators can include commands used to delete backup files or volume shadows.
With a set of known behaviors, you can create Sigma rules to aid investigations. Below is an example Sigma rule that detects shadow copies being deleted.
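To show how such a rule is actually evaluated against Sysmon data, here is an added example (not part of the original lab, and not the lab's own Sigma rule): a minimal Sigma-style matcher run over a few constructed Sysmon Event ID 1 (process creation) records. The rule structure, the field modifiers it supports and the sample events (images, command lines, parent process and user) are all assumptions made for this example; real Sysmon events would be read from the Windows event log or Splunk rather than hard-coded.

```python
"""
Added example: evaluate a Sigma-style shadow-copy-deletion rule over
constructed Sysmon Event ID 1 records. Rule and events are assumptions for
this example, not the lab's own artefacts.
"""
from typing import Dict, List

# Constructed Sysmon Event ID 1 records, flattened to the fields that Sigma
# process_creation rules reference. Paths and the user name are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Users\lab\Desktop\sample.exe", "User": "LAB\\analyst"},
    {"EventID": "1", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Users\lab\Desktop\sample.exe", "User": "LAB\\analyst"},
    {"EventID": "1", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows",   # benign admin use, must not fire
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "LAB\\analyst"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "LAB\\analyst"},
]

# Sigma-style rule (assumed shape): two selections that must both match.
# Only the modifiers used here (endswith, contains, all) are implemented below.
SHADOW_COPY_DELETION_RULE = {
    "title": "Shadow copy deletion via OS utilities (example rule)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection_img": {"Image|endswith": ["\\vssadmin.exe", "\\wmic.exe"]},
        "selection_cli": {"CommandLine|contains|all": ["shadow", "delete"]},
        "condition": "selection_img and selection_cli",
    },
}


def _field_matches(event: Dict[str, str], key: str, expected) -> bool:
    """Evaluate one 'Field|modifier' entry case-insensitively, as Sigma does."""
    field, *modifiers = key.split("|")
    value = event.get(field, "").lower()
    wanted = [expected] if isinstance(expected, str) else list(expected)
    wanted = [w.lower() for w in wanted]
    if "endswith" in modifiers:
        hits = [value.endswith(w) for w in wanted]
    elif "startswith" in modifiers:
        hits = [value.startswith(w) for w in wanted]
    elif "contains" in modifiers:
        hits = [w in value for w in wanted]
    else:
        hits = [value == w for w in wanted]
    # A list of values is ORed unless the 'all' modifier is present.
    return all(hits) if "all" in modifiers else any(hits)


def _selection_matches(event: Dict[str, str], selection: Dict) -> bool:
    """Fields inside one selection are ANDed together."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(rule: Dict, event: Dict[str, str]) -> bool:
    """Evaluate the condition; supports 'a and b', 'a or b' or a single name."""
    detection = rule["detection"]
    condition = detection["condition"]
    if " and " in condition:
        names, combine = condition.split(" and "), all
    elif " or " in condition:
        names, combine = condition.split(" or "), any
    else:
        names, combine = [condition], all
    return combine(_selection_matches(event, detection[n.strip()]) for n in names)


def find_matches(rule: Dict, events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of Event ID 1 records the rule fires on."""
    return [e["CommandLine"] for e in events
            if e.get("EventID") == "1" and rule_matches(rule, e)]


if __name__ == "__main__":
    for cmd in find_matches(SHADOW_COPY_DELETION_RULE, SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Note that the third sample record, a plain listing of shadow copies, does not fire: requiring both the binary and the "delete" token keeps the rule from alerting on routine administration, which is the kind of false-positive tuning you would do before deploying a rule against the lab's Splunk data.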
I have access to a compromised Windows machine, event logs, and the ransomware sample that's been executed.
I’ll need to observe the initial execution of the Maze ransomware strain and perform static, dynamic, and log analysis tasks to extract indicators of compromise (IoCs) from the malware and its behaviour.
Using Splunk to find which standard Windows management tool Maze runs after being executed, and what arguments are supplied to the executable.
Now conduct analysis in Ghidra
Using Ghidra to find the name of the imported DLL that exposes the cryptographic functionality. Within the imports, the Crypto folder gave it away.
Using Ghidra to identify the memory address of the ‘entry’ function
Using defined strings to find the memory address of the ransomware note