Rising Prominence of Maze Ransomware

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.

Through late last year, threat actors operating the MAZE ransomware launched multiple campaigns, targeting many organisations across industry sectors including manufacturing, finance, healthcare, information technology (IT), and government. Like other ransomware strains, it encrypts files in an infected system, and demands a ransom from its victims to recover these files. However, what sets it apart from other run-of-the-mill ransomware attack has been its ‘novel’ extortion tactics to also steal victims’ data and threaten to publicly release them unless the ransom is paid. As MAZE ransomware operates under an affiliate model*, and is distributed by multiple threat actors, it is able to expand its operations widely across different geographical regions and industry sectors.* An affiliate model is a business model where ransomware developers would partner with other threat actor groups who are responsible for distributing the malware.

This issue of CyberSense delves deeper into the tactics that MAZE ransomware group utilise, and how it has cemented its status as one of the more successful ransomware strain in recent times.

THEMED LURES IN PHISHING CAMPAIGNS

Similar to other sophisticated threat actors operating ransomware, the operators behind MAZE ransomware have used themed lures effectively in their campaigns. A massive spam campaign was observed during late 2019 where organisations within Germany, Italy and the United States received phishing e-mails using tax, invoice and package delivery themes to lure victims into clicking into these malicious e-mails. These e-mails impersonated government authorities, like Germany’s Ministry of Finance and Italy’s Internal Revenue Service. Lure content included messages that required recipients to urgently follow-up on an action, such as viewing an invoice, rescheduling a delivery timing, or instructions to avoid being investigated for tax fraud.^[1]

MOVE TOWARDS POST-COMPROMISE DISTRIBUTION ATTACKS

MAZE ransomware operators have been observed to be highly adept at switching up tactics and its distribution techniques. The actors shifted from leveraging its traditional “shotgun” indiscriminate approach, whereby malware is distributed in largely opportunistic attacks to a wide variety of victims, to post-compromise distribution techniques. The latter technique focus on gaining privileged access to a victim’s network, with the objective of identifying critical systems and stealing valuable data, such as sensitive personal information, before deploying ransomware on the targeted machines. With this approach, the actor can also disable the security mechanisms used to detect ransomware, thus increasing their success of the cyber-attack.^[2]

NOTABLE VICTIMS

Organisations within the healthcare sector have become of critical importance amid COVID-19, as disruption of its operations could result in life-or-death situations. Disruptions for organisations within the IT sector can also have far-reaching downstream consequences for its clients, making them ideal candidates for MAZE ransomware groups to target. The following examples highlight notable victims in the above-mentioned sectors of MAZE ransomware since late 2019:

HEALTHCARE SECTOR: HAMMERSMITH MEDICINE RESEARCH

Hammersmith Medicines Research (HMR) is a London-based healthcare provider that was working with the British government to test Covid-19 vaccines. In March 2020, MAZE ransomware group published HMR’s medical files online, containing more than 2,300 of patients’ personal information, although they were records dating back 8 to 20 years. The data was leaked by the cyber-crime group to pressure HMR in paying the ransom demand. Fortunately for HMR, they resisted paying the ransom, and were able to repel the attack at an early stage, managing to restore its system on the same day.^[3]

IT SECTOR: COGNIZANT

Cognizant is an American multinational corporation which specialises in providing IT services to various companies around the world, including Singapore. In April 2020, Cognizant confirmed that they have been targeted by MAZE ransomware, which reportedly caused daily operation disruption within the company, and service disruptions for its clients.^[4] As Cognizant is a large multinational company with wide global footprints, its clients have been on high-alert following this report. This highlights the importance for organisations to adopt sound cybersecurity practices and processes to better manage their suppliers to defend effectively against supply-chain attacks.

NOT THE ONLY RANSOMWARE WE SHOULD BE WORRIED ABOUT

Worryingly, MAZE ransomware is not the only malware that has come under the radar for its notoriety. As ransomware groups become privy to MAZE ransomware’s “hack, leak and shame” tactics, 12 such ransomware gangs such as Sodinokibi and DoppelPaymer have since set up their own shaming websites to pressure victims into paying up the ransoms^[5][6]. Other notable ransomware such as Ryuk and MegaCortex specifically target enterprise environments, and have cost victims across various industries millions of dollars in damage. Although Ryuk and MegaCortex do not utilise the aforementioned “hack and leak” tactics, they do also focus on post-compromise distribution for more effective reconnaissance and deployment of malware, and utilise smart phishing tactics such as themed lures to trick victims into opening malicious attachments. Ryuk ransomware, in particular, is observed to have partnered with other threat actor groups such as Emotet malware for delivery of its payloads. These ransomware groups tend to gravitate toward “big-game hunting”, targeting organisations with highly valued assets or data, in the hopes of getting a bigger payout. In an increasingly connected global supply chain, large upstream organisations are targeted with significant knock-on effects for affected clients, such as in the case of MAZE ransomware on Cognizant. With the average ransom payment almost doubling to $111,605 in Q1 2020 compared to the same period last year, financially motivated threat actors are expected to continue to leverage ransomware as a means to further their objectives.^[7]

REFERENCES:

[1] https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html

[2]https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html

[3]https://www.teiss.co.uk/hackers-target-uk-medical-research-firm/

[4]https://www.crn.com/news/channel-programs/cognizant-contains-maze-ransomware-attack-as-cleanup-costs-spiral

[5]https://www.zdnet.com/article/michigan-state-university-hit-by-ransomware-gang/

[6]https://www.zdnet.com/article/heres-a-list-of-all-the-ransomware-gangs-who-will-steal-and-leak-your-data-if-you-dont-pay/

[7] https://www.coveware.com/blog/q1-2020-ransomware-marketplace-report