Behind the Scenes in a Maze Ransomware Attack

Behind the Scenes in a Maze Ransomware Attack

Maze ransomware is one of the most widespread ransomware strains out there. Although it’s been around for less than two years, there have already been a number of attacks on a variety of businesses. And unlike other forms of ransomware, Maze ransomware involves damaging a company’s reputation, not just stealing their data. This makes it especially dangerous.

In August, SentinelOne shared their findings from a case study involving criminals who developed tailor-made persistence methods prior to the attack. Luckily, SentinelOne was able to catch and stop the attackers before the ransomware could spread to the client’s entire network.

In this post, we’ll go behind the scenes to share details about the methods used in this attack. By learning more about cybercriminals’ behavior, you can better prepare to defend your own organization against these kinds of attacks.

What is Maze Ransomware?

Maze is a sophisticated strain of Windows ransomware that encrypts data and demands a cryptocurrency payment before the data will be recovered. Like other forms of ransomware, Maze can spread across an entire network, infecting computers and encrypting data as it goes.

But what makes Maze ransomware especially dangerous is that it also steals the data it finds and delivers it to servers controlled by malicious hackers. The hackers can then use the stolen data as leverage if the ransom isn’t paid.

Basically, it’s a combination of a ransomware attack and a data breach.

Attack Entry Point

In the case study shared by SentinelOne, the cyber criminals carried out multiple attacks before accessing the network.

One of the first attacks took place on Saturday, July 4th, 2020. The attackers most likely chose this date since the majority of employees (including security staff) would be away from work.

First, the attackers used Remote Desktop Protocol (RDP) to gain access to an internet-facing device. They then uploaded their beacon payload, disguised as a known Microsoft binary called netplwiz.exe. The payload had the same icon and description as the legitimate binary, and it appeared to be signed with a stolen certificate.

Behind the Scenes in a Maze Ransomware Attack

Tailor-Made Persistence Mechanisms

Using RDP as an entry method is pretty common, but the attackers creatively used persistence methods that were tailor-made to the machine they found themselves on.

For example, one host was running a SolarWindsOrion instance. The product uses RabbitMQ as the internal messaging component installed within the product. RabbitMQ is written in Erlang and uses the Erlang runtime service (erlsrv.exe).

By relying on this dependency chain, the attackers were able to spawn themselves in the erlsrv.exe process to gain persistence on the host.

SentinelOne experts noticed that the attackers dropped two Dynamic-Link Libraries (DLLs) containing their beacon stager to disk before beginning to interfere with the RabbitMQ service.

By dropping their beacon stagers in the same folder as erlsrv.exe, the attackers tricked the host into running their version.dll, which then loaded acluapi.dll containing the beacon.

After installing persistency, the attackers uploaded ngrok to C:\Windows\dwm.exe to use for tunneling. They also ran the command: sc config UI0Detect start= disabled. By disabling this service, the attackers would avoid alerting the user of any suspicious activity.

HTML Application Payload

When the attackers wanted to switch to a different server, they could use sc.exe to give them an online shell on that target.

They also used mshta to run an HTML Application (HTA) Payload that was hosted on their site. The HTA payload is a sophisticated code that’s obfuscated automatically and differently each time it’s requested from the server.

SentinelOne believes the attackers regularly used HTA to access remote computers before deploying their Cobalt Strike Beacon.

Tips for Preventing Maze Ransomware Attacks

The information shared by SentinelOne reveals that these attackers knew what they were doing. In addition to using commonly known methods, they also tailored specific attack mechanisms that allowed them to more easily compromise their targets.

This specific attack was caught and mitigated by SentinelOne, but not every organization is so lucky. There are still dozens of Maze Ransomware attacks every year, which makes strong security guidelines even more important.

In addition to standard security measures like antivirus and regular software updates, there are several policies you should put in place to keep your employees and data safe.

First, back up your files. In a traditional ransomware attack, regular backups will provide you with copies of all your data in case an attacker infiltrates your network.

But when it comes to Maze ransomware, backups alone won’t be enough. You’ll need to implement everything you can to secure your network, including user access management, employee training, and scanning your network for unusual behavior.

Keep Your Organization Protected

It’s impossible to prevent every attack that might come your way, but understanding your attackers and the methods they use will help you be more prepared. When it comes to Maze ransomware, prioritizing security will always be in your favor.

Here at CR-T, we take pride in providing enterprise-level IT services at prices that work for small businesses. Our team of experts can become your IT support department, responding to issues quickly, often before you even know about them. Covering everything from your servers and network infrastructure to your computers, workstations and mobile devices, we provide end-to-end solutions for all your technology needs.

Time and experience have helped us develop best practices and workflow procedures designed to keep your focus on your business, not your technology.

Blog & Media

Cloud Services

Managed IT Support

Cyber Security

Project Services

Servers/Infrastructure

Firewalls

Networking

Hardware/Software

Microsoft Products/Cloud

Amazon Web Services

Leave a Reply