Threat Brief: Maze Ransomware Activities


Executive Summary

Since the beginning of the calendar year, Palo Alto Networks has detected an uptick in Maze ransomware samples across multiple industries. As a result, we’ve created this general threat assessment of Maze ransomware activities. A full visualization of these techniques can be viewed in the Unit 42 Playbook Viewer.

Maze ransomware, a variant of ChaCha ransomware, was first observed in May 2019 and has targeted organizations in North America, South America, Europe, Asia, and Australia. This ransomware is typically distributed via emails containing weaponized Word or Excel attachments. However, it has also been distributed via exploit kits such as the Spelevo Exploit Kit, which has been used with Flash Player vulnerabilities CVE-2018-15982 and CVE-2018-4878. Maze ransomware has also used exploits for CVE-2019-11510 (Pulse VPN) and CVE-2018-8174 (Internet Explorer) to get into a network. The malware first establishes a foothold within the environment. It then obtains elevated privileges, conducts lateral movement, and begins file encryption across all drives. Before encrypting the data, however, the operators may exfiltrate files to use for further coercion, including public exposure. Without the proper protections in place, a Maze ransomware infection will cripple normal business operations, and sensitive information will be compromised, resulting in monetary loss.

Maze has been observed globally and across varying industries, including finance, technology, telecommunications, healthcare, government, construction, hospitality, media and communications, utilities and energy, pharma and life sciences, education, insurance, wholesale, and legal. On March 26, 2020, McAfee published a report providing a detailed overview of the Maze ransomware.

Palo Alto Networks Cortex XDR contains an Anti-Ransomware Protection module, which targets encryption-based activities associated with ransomware. Customers can also review activity associated with this Threat Brief via AutoFocus.

Impact Assessment

Several adversarial techniques were observed in this activity.

The following measures are suggested within Palo Alto Networks products and services for Maze ransomware:

| Tactic | Technique (MITRE ATT&CK ID) | Product/Service | Course of Action |
|---|---|---|---|
| Initial Access | External Remote Services (T1133) | NGFW | Configure Interfaces and Zone segmentation |
| | | Threat Prevention | Deploy Vulnerability Protection Profile for all low and high severity threats with block action |
| | | Cortex XDR | Configure Host Firewall Profile |
| Initial Access | Spear-Phishing Attachment (T1193) | NGFW | Configure a File Blocking Profile |
| | | Threat Prevention | Enable Anti-Virus profile with reset-both action |
| | | WildFire | Forward files for WildFire Analysis |
| | | Cortex XDR | Configure Malware Security Profile |
| Initial Access | Drive-by Compromise (T1189) | NGFW | Block all unknown and unauthorized applications |
| | | Threat Prevention | Deploy Vulnerability Protection Profile for all low and high severity threats with block action |
| | | DNS Security | Enable DNS Security in Anti-Spyware profile |
| | | URL Filtering | Control web access based on URL Category |
| | | WildFire | Forward Files for WildFire Analysis |
| Initial Access | Trusted Relationship (T1199) | NGFW | Configure Interfaces and Zones segmentation |
| Initial Access, Privilege Escalation, Persistence, Defense Evasion | Valid Accounts (T1078) | NGFW | Configure Multi-Factor Authentication |
| | | Threat Prevention | Enable Credential Phishing protection |
| | | Cortex XSOAR | Deploy Cortex XSOAR Playbook – Access Investigation |
| Execution, Defense Evasion | Scripting (T1064) | WildFire | Forward Files for WildFire Analysis |
| | | Cortex XDR | Enable Anti-Exploit and Anti-Malware Protection |
| Execution | PowerShell (T1086) | Cortex XDR | Enable Anti-Exploit and Anti-Malware Protection |
| Execution | Command-Line Interface (T1059) | Cortex XDR | Enable Anti-Exploit and Anti-Malware Protection |
| Execution | Service Execution (T1035) | Cortex XDR | Configure Behavioral Threat Protection under the Malware Security Profile |
| Persistence | Modify Existing Service (T1031) | Cortex XDR | Configure Behavioral Threat Protection under the Malware Security Profile |
| Persistence | Registry Run Keys / Startup Folder (T1060) | Cortex XDR | Configure Behavioral Threat Protection under the Malware Security Profile |
| Persistence | New Service (T1050) | Cortex XDR | Configure Behavioral Threat Protection under the Malware Security Profile |
| Privilege Escalation | Exploitation for Privilege Escalation (T1068) | Cortex XDR | Enable Anti-Exploit and Anti-Malware Protection |
| Defense Evasion | NTFS File Attributes (T1096) | NGFW | Block all unknown and unauthorized applications |
| | | WildFire | Forward files for WildFire Analysis |
| | | Cortex XDR | Configure Behavioral Threat Protection under the Malware Security Profile |
| Defense Evasion | Obfuscated Files or Information (T1027) | WildFire | Forward files for WildFire Analysis |
| | | Cortex XDR | Enable Anti-Exploit and Anti-Malware Protection |
| Defense Evasion | Disabling Security Tools (T1089) | Cortex XDR | Configure Behavioral Threat Protection under the Malware Security Profile |
| Credential Access | Brute Force (T1110) | NGFW | Create a rule to modify the default action for all signatures in the brute force category to block-ip address action |
| Credential Access | Credential Dumping (T1003) | Cortex XDR | Cortex XDR monitors for behavioral events and files associated with credential access and exfiltration |
| Lateral Movement | Remote Desktop Protocol (T1076) | NGFW | Configure Multi Factor Authentication, Create User Group for Limited Access to Allow List Applications, Configure Interfaces and Zones segmentation |
| | | Cortex XDR | Configure Host Firewall Profile |
| Collection | Data from Local System (T1005) | Cortex XDR | Cortex XDR monitors for behavioral events and files associated with collection activities |
| Command and Control | Standard Application Layer Protocol (T1071) | NGFW | Block all unknown and unauthorized applications |
| | | DNS Security | Deploy Anti-Spyware profiles with block action |
| | | Cortex XDR | Cortex XDR monitors for behavioral events indicative of command and control activity |
| Command and Control | Remote File Copy (T1105) | NGFW | Block all unknown and unauthorized applications |
| | | WildFire | Forward files for WildFire Analysis |
| | | Cortex XDR | Cortex XDR monitors for behavioral events associated with file creation, staging, and exfiltration |
| Command and Control | Standard Cryptographic Protocol (T1032) | NGFW | Block all unknown and unauthorized applications, Enable SSL decryption |
| | | DNS Security | Enable DNS Security in Anti-Spyware profile |
| | | WildFire | Forward SSL decrypted files to WildFire |
| Discovery | File and Directory Discovery (T1083) | Cortex XDR | Cortex XDR monitors for behavioral events along a causality chain to identify discovery behaviors |
| Discovery | Network Share Discovery (T1135) | Cortex XDR | Cortex XDR monitors for behavioral events along a causality chain to identify discovery behaviors |
| Discovery | Process Discovery (T1057) | Cortex XDR | Cortex XDR monitors for behavioral events along a causality chain to identify discovery behaviors |
| Discovery | Software Discovery (T1518) | Cortex XDR | Cortex XDR monitors for behavioral events along a causality chain to identify discovery behaviors |
| Discovery | System Information Discovery (T1082) | Cortex XDR | Cortex XDR monitors for behavioral events along a causality chain to identify discovery behaviors |
| Exfiltration | Data Encrypted (T1022) | Cortex XDR | Configure Behavioral Threat Protection under the Malware Security Profile |
| Exfiltration | Exfiltration Over Alternative Protocol (T1048) | NGFW | Block all unknown and unauthorized applications |
| | | DNS Security | Enable DNS Security in Anti-Spyware profile |
| Exfiltration | Exfiltration Over Command and Control (T1041) | NGFW | Block all unknown and unauthorized applications |
| | | DNS Security | Enable DNS Security in the Anti-Spyware profile |
| | | Threat Prevention | Enable Anti-Spyware Profile with Block Action |
| Impact | Data Encrypted for Impact (T1486) | Cortex XSOAR | Deploy Cortex XSOAR Playbook – Ransomware Manual for incident response |

Table 1. Course of Action for Maze Ransomware
These capabilities are part of the NGFW security subscriptions service

Recently, malicious operators behind the Maze ransomware activities compromised multiple IT service providers. These operators were also able to establish a foothold within another victim’s network through insecure Remote Desktop Protocol and other remote service connections or by brute-forcing the local administrator account. Organizations should be mindful of potential compromises through third-party sources and ensure strong passwords are used for all systems capable of remote access.
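
To make the brute-force and remote-access risk above concrete for defenders, the following added example (not part of the original brief and not Palo Alto Networks code) scans logon events for bursts of failed remote logons against one account, and marks bursts that are followed by a success. The five-field line format, the sample events, and the threshold and window values are constructed assumptions; the event IDs and logon types are the standard Windows Security log values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <event id> <logon type> <source IP> <account>".
# 4625 = failed logon, 4624 = successful logon. LogonType 10 = RemoteInteractive
# (RDP); 3 = Network, which is how RDP failures are logged when Network Level
# Authentication is on (it also covers other network logons such as SMB).
SAMPLE_EVENTS = """\
2020-04-01T02:10:00 4625 3 203.0.113.7 Administrator
2020-04-01T02:10:20 4625 3 203.0.113.7 Administrator
2020-04-01T02:10:40 4625 3 203.0.113.7 Administrator
2020-04-01T02:11:00 4625 3 203.0.113.7 administrator
2020-04-01T02:11:20 4625 3 203.0.113.7 Administrator
2020-04-01T02:12:05 4624 10 203.0.113.7 Administrator
2020-04-01T08:30:00 4625 10 198.51.100.20 jsmith
2020-04-01T08:30:15 4625 10 198.51.100.20 jsmith
2020-04-01T08:30:40 4624 10 198.51.100.20 jsmith
2020-04-01T09:00:00 4625 2 - Administrator
"""
REMOTE_LOGON_TYPES = {"3", "10"}

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert on (source, account) pairs with >= threshold failed remote logons
    inside the window; flag alerts where a success follows the burst."""
    failures = defaultdict(deque)  # (source, account) -> recent failure times
    alerts = {}                    # (source, account) -> alert record
    for line in filter(str.strip, log_text.splitlines()):
        ts_raw, event_id, logon_type, src, account = line.split()
        if logon_type not in REMOTE_LOGON_TYPES:
            continue               # e.g. type 2, an interactive console logon
        ts = datetime.fromisoformat(ts_raw)
        key = (src, account.lower())
        recent = failures[key]
        while recent and ts - recent[0] > window:
            recent.popleft()       # drop failures that fell out of the window
        if event_id == "4625":
            recent.append(ts)
            if len(recent) >= threshold and key not in alerts:
                alerts[key] = {"source": src, "account": account,
                               "first_seen": recent[0], "success_after": False}
        elif event_id == "4624" and key in alerts and recent:
            alerts[key]["success_after"] = True  # likely guessed password
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

An alert with `success_after` set is the case to escalate first, since it suggests the guessed credential worked.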

It was also reported that Maze operators pay special attention to cloud backups on the compromised network. If the operators obtain login credentials, they can download all backup data to an actor-controlled server. Organizations should ensure that all cloud backup files are properly stored and protected.

Threat Education

What is Ransomware?

Ransomware is a criminal business model that uses malicious software to hold valuable files and other data for ransom. Victims of ransomware attacks may have their operations degraded or shut down entirely.

For additional details, see "What is Ransomware?" in the Palo Alto Networks Cyberpedia:
https://www.paloaltonetworks.com/cyberpedia/what-is-ransomware

Palo Alto Networks customers can review activity associated with this Threat Brief via AutoFocus using the following tags: Maze, SpelevoEKFlashContainer

Palo Alto Networks Cortex XDR contains an Anti-Ransomware Protection module. This module targets encryption-based activity associated with ransomware. Cortex XDR contains defined behavioral indicators of compromise designed to detect anomalies within your network.


The suggested courses of action in this report are based on the information currently available to Palo Alto Networks and the capabilities within Palo Alto Networks products and services.