Threat Intelligence: Maze Ransomware Variant
While ransomware variants like GandCrab, Ryuk, and WannaCry have received a lot of attention and cost their victims significant amounts of money, these attacks are rarely accompanied by a credible threat to expose sensitive data. These threat actors are able to monetize their attacks with the extortion payments alone. However, a variant known as Maze (or ChaCha) could change that equation.
Maze is a newer variant that appeared with increasing frequency in mid-to-late 2019. The threat actors deploying Maze are characterized as more aggressive than their peers, as evidenced by their multimillion-dollar demands. In November 2019, after a $2.3 million demand went unpaid, the threat actor group released a sampling of data stolen from a victim, a company with billions of dollars in yearly revenue. The leaked data allegedly represents only 10% of the data that was stolen, and it included sensitive employee and business information.
While Maze was originally thought to be targeting Italian businesses, there have been several confirmed Maze infections in the United States in the past few weeks. Phishing campaigns have been the vectors of attack for recent incidents.
There are several essential preventative steps all businesses should deploy as soon as possible to prevent and mitigate such attacks:
- Train users to recognize and report phishing;
- Deploy endpoint monitoring tools;
- Implement network segmentation of essential resources;
- Ensure backups, including air-gapped backups, are made on a weekly basis;
- Inventory, restrict, and secure Remote Desktop Protocol (RDP) and remote monitoring and management (RMM) solutions; and
- Deploy multi-factor authentication throughout the environment.
Knowing that no amount of preventative technology and training can guarantee that an incident will not happen, every entity must have a well-crafted incident response plan. If you do not have an incident response plan in place, here is a rough checklist of preparation steps that you can take:
- Identify the response team leader(s). In the event of a data security incident, your response team leader(s) will coordinate all of the components of your response, including informing the various decision makers, notifying your cyber insurance carrier, engaging legal counsel, triggering the response team actions, scoping the situation, working with a digital forensics team, and keeping everyone updated.
- Create an out-of-band communications channel. Make sure that you have a way to contact decision makers, employees, and external entities such as vendors and customers if your email and phones are down.
- Know the resources your cyber insurance carrier has available for you. This includes how to give notice of the event to your carrier. Do not be afraid of your carrier! Events like ransomware attacks are why you paid the premiums in the first place! Many carriers provide the assistance of skilled legal counsel and forensics teams who can lead you step-by-step through the whole process, even if you do no planning at all (not recommended).
- Deploy a system for creating backups, checking backups, and restoring backups. This includes backups of all vital applications and data. Consider how licensed software will be restored or recreated. Consider not only the frequency of regular backup creation and validation, but also air-gapped backups. It is also important to consider how you will answer this question: how long until we are operational again? Remember, every hour that your company is down will be an hour of frustration, anxiety, upset customers, and lost revenue.
- Know what high-value data is maintained by your business. This includes sensitive client or customer information, sensitive employee information, and sensitive business data. In the case of a data security incident, it will be important to identify the location of this data to assist in swiftly determining whether theft of any data took place.
- Deploy preventive cybersecurity resources. This can range from an anti-malware solution that includes endpoint or heuristic monitoring, in addition to the traditional anti-virus suite that only looks at known malware signatures, to a comprehensive information security program mapped to the National Institute of Standards and Technology (NIST) family of controls or the ISO 27002 standard.
- Educate your personnel. Good password hygiene, how to spot phishing, and basic physical access controls are not just the stuff of tech blogs; they are entirely essential to modern life.
For a more in-depth discussion about preparing for and responding to ransomware events in general, check out our post from January 3, “Ransomware: Recommendations for Preparation and Response.”