SYMBOLCOMMON_NAMEaka. SYNONYMS
win.maze (Back to overview)

Maze

aka: ChaCha

Actor(s): FIN6, TA2101

Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.

Actors are known to exfiltrate the data from the network for further extortion. It spreads mainly using email spam and various exploit kits (Spelevo, Fallout).

The code of Maze ransomware is highly complicated and obfuscated, which helps to evade security solutions using signature-based detections.

References
2020-11-18KELAVictoria Kivilevich
@online{kivilevich:20201118:zooming:f28a9c1, author = {Victoria Kivilevich}, title = {{Zooming into Darknet Threats Targeting Japanese Organizations}}, date = {2020-11-18}, organization = {KELA}, url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/}, language = {English}, urldate = {2020-11-19} } Zooming into Darknet Threats Targeting Japanese Organizations
Conti Ransomware DoppelPaymer Egregor LockBit Maze REvil Snake Ransomware
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Ransomware Clop Conti Ransomware DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX Ransomware
2020-11-11Kaspersky LabsDmitry Bestuzhev, Fedor Sinitsyn
@online{bestuzhev:20201111:targeted:e2e0c3a, author = {Dmitry Bestuzhev and Fedor Sinitsyn}, title = {{Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”}}, date = {2020-11-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/targeted-ransomware-encrypting-data/99255/}, language = {English}, urldate = {2020-11-11} } Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”
Egregor Maze RagnarLocker
2020-11-06TelsyTelsy Research Team
@techreport{team:20201106:malware:7b6dd9d, author = {Telsy Research Team}, title = {{Malware Analysis Report: Trying not to walk in the dark woods. A way out of the Maze}}, date = {2020-11-06}, institution = {Telsy}, url = {https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf}, language = {English}, urldate = {2020-11-09} } Malware Analysis Report: Trying not to walk in the dark woods. A way out of the Maze
Maze
2020-10-29Bleeping ComputerLawrence Abrams
@online{abrams:20201029:maze:f90b399, author = {Lawrence Abrams}, title = {{Maze ransomware is shutting down its cybercrime operation}}, date = {2020-10-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/}, language = {English}, urldate = {2020-11-02} } Maze ransomware is shutting down its cybercrime operation
Egregor Maze
2020-10-28BitdefenderRuben Andrei Condor
@techreport{condor:20201028:decade:b8d7422, author = {Ruben Andrei Condor}, title = {{A Decade of WMI Abuse – an Overview of Techniques in Modern Malware}}, date = {2020-10-28}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-11-02} } A Decade of WMI Abuse – an Overview of Techniques in Modern Malware
sLoad Emotet Maze
2020-10-26CheckpointItay Cohen, Eyal Itkin
@online{cohen:20201026:exploit:9ec173c, author = {Itay Cohen and Eyal Itkin}, title = {{Exploit Developer Spotlight: The Story of PlayBit}}, date = {2020-10-26}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/}, language = {English}, urldate = {2020-10-27} } Exploit Developer Spotlight: The Story of PlayBit
Dyre Maze PyLocky Ramnit REvil
2020-10-21Kaspersky LabsFedor Sinitsyn, Nikita Galimov, Vladimir Kuskov
@online{sinitsyn:20201021:life:5906110, author = {Fedor Sinitsyn and Nikita Galimov and Vladimir Kuskov}, title = {{Life of Maze ransomware}}, date = {2020-10-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/maze-ransomware/99137/}, language = {English}, urldate = {2020-10-23} } Life of Maze ransomware
Maze
2020-10-06CrowdStrikeThe Crowdstrike Intel Team
@online{team:20201006:double:bb0f240, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 2}}, date = {2020-10-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/}, language = {English}, urldate = {2020-10-12} } Double Trouble: Ransomware with Data Leak Extortion, Part 2
Maze MedusaLocker REvil
2020-09-29MicrosoftMicrosoft
@techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker
2020-09-17Bleeping ComputerLawrence Abrams
@online{abrams:20200917:maze:81b8c38, author = {Lawrence Abrams}, title = {{Maze ransomware now encrypts via virtual machines to evade detection}}, date = {2020-09-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/}, language = {English}, urldate = {2020-09-21} } Maze ransomware now encrypts via virtual machines to evade detection
Maze
2020-09-17SophosLabs UncutAndrew Brandt, Peter Mackenzie
@online{brandt:20200917:maze:714f603, author = {Andrew Brandt and Peter Mackenzie}, title = {{Maze attackers adopt Ragnar Locker virtual machine technique}}, date = {2020-09-17}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/}, language = {English}, urldate = {2020-09-21} } Maze attackers adopt Ragnar Locker virtual machine technique
Maze
2020-09-01Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-20sensecycyberthreatinsider
@online{cyberthreatinsider:20200820:global:34ee2ea, author = {cyberthreatinsider}, title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}}, date = {2020-08-20}, organization = {sensecy}, url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/}, language = {English}, urldate = {2020-11-04} } Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk
2020-08-13SentinelOneSentinelLabs
@online{sentinellabs:20200813:case:4560aed, author = {SentinelLabs}, title = {{Case Study: Catching a Human-Operated Maze Ransomware Attack In Action}}, date = {2020-08-13}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/}, language = {English}, urldate = {2020-08-14} } Case Study: Catching a Human-Operated Maze Ransomware Attack In Action
Maze
2020-08-04ZDNetCatalin Cimpanu
@online{cimpanu:20200804:ransomware:e0320ee, author = {Catalin Cimpanu}, title = {{Ransomware gang publishes tens of GBs of internal data from LG and Xerox}}, date = {2020-08-04}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/}, language = {English}, urldate = {2020-08-18} } Ransomware gang publishes tens of GBs of internal data from LG and Xerox
Maze
2020-08Temple UniversityCARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-07-22SentinelOneJason Reaves, Joshua Platt
@online{reaves:20200722:enter:71d9038, author = {Jason Reaves and Joshua Platt}, title = {{Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)}}, date = {2020-07-22}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/}, language = {English}, urldate = {2020-07-23} } Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
ISFB Maze TrickBot Zloader
2020-07-15FireEyeNathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html}, language = {English}, urldate = {2020-07-16} } Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
DoppelPaymer LockerGoga Maze MegaCortex Nefilim Ransomware Snake Ransomware
2020-06-18Quick HealPreksha Saxena
@online{saxena:20200618:maze:76ca64b, author = {Preksha Saxena}, title = {{Maze ransomware continues to be a threat to the consumers}}, date = {2020-06-18}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/}, language = {English}, urldate = {2020-07-02} } Maze ransomware continues to be a threat to the consumers
Maze
2020-06-17CognizantCognizant
@techreport{cognizant:20200617:notice:37fe994, author = {Cognizant}, title = {{Notice of Data Breach}}, date = {2020-06-17}, institution = {Cognizant}, url = {https://oag.ca.gov/system/files/Letter%204.pdf}, language = {English}, urldate = {2020-06-18} } Notice of Data Breach
Maze
2020-06-16BleepingComputerSergiu Gatlan
@online{gatlan:20200616:chipmaker:0e801b8, author = {Sergiu Gatlan}, title = {{Chipmaker MaxLinear reports data breach after Maze Ransomware attack}}, date = {2020-06-16}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/}, language = {English}, urldate = {2020-06-17} } Chipmaker MaxLinear reports data breach after Maze Ransomware attack
Maze
2020-06-04Sophos Naked SecurityLisa Vaas
@online{vaas:20200604:nuclear:9d471e1, author = {Lisa Vaas}, title = {{Nuclear missile contractor hacked in Maze ransomware attack}}, date = {2020-06-04}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/}, language = {English}, urldate = {2020-06-04} } Nuclear missile contractor hacked in Maze ransomware attack
Maze
2020-05-21BrightTALK (FireEye)Kimberly Goody, Jeremy Kennelly
@online{goody:20200521:navigating:a2eae5f, author = {Kimberly Goody and Jeremy Kennelly}, title = {{Navigating MAZE: Analysis of a Rising Ransomware Threat}}, date = {2020-05-21}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat}, language = {English}, urldate = {2020-06-05} } Navigating MAZE: Analysis of a Rising Ransomware Threat
Maze
2020-05-07FireEye IncKimberly Goody, Jeremy Kennelly, Joshua Shilko
@online{goody:20200507:navigating:7147cb7, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko}, title = {{Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents}}, date = {2020-05-07}, organization = {FireEye Inc}, url = {https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html}, language = {English}, urldate = {2020-05-11} } Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents
Maze
2020-05-07REDTEAM.PLAdam Ziaja
@online{ziaja:20200507:sodinokibi:f5c5cd1, author = {Adam Ziaja}, title = {{Sodinokibi / REvil ransomware}}, date = {2020-05-07}, organization = {REDTEAM.PL}, url = {https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html}, language = {English}, urldate = {2020-05-13} } Sodinokibi / REvil ransomware
Maze MimiKatz REvil
2020-05-04BluelivBlueliv Team
@online{team:20200504:escape:63ebdfa, author = {Blueliv Team}, title = {{Escape from the Maze}}, date = {2020-05-04}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/}, language = {English}, urldate = {2020-05-11} } Escape from the Maze
Maze
2020-05-01CrowdStrikeShaun Hurley
@online{hurley:20200501:many:22ed72c, author = {Shaun Hurley}, title = {{The Many Paths Through Maze}}, date = {2020-05-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/}, language = {English}, urldate = {2020-05-05} } The Many Paths Through Maze
Maze
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise Ransomware RagnarLocker REvil RobinHood
2020-04-18CognizantCognizant
@online{cognizant:20200418:cognizant:0e20ac0, author = {Cognizant}, title = {{Cognizant Security Incident Update}}, date = {2020-04-18}, organization = {Cognizant}, url = {https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update}, language = {English}, urldate = {2020-04-20} } Cognizant Security Incident Update
Maze
2020-04-18Bleeping ComputerLawrence Abrams
@online{abrams:20200418:it:bb2d626, author = {Lawrence Abrams}, title = {{IT services giant Cognizant suffers Maze Ransomware cyber attack}}, date = {2020-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/}, language = {English}, urldate = {2020-04-20} } IT services giant Cognizant suffers Maze Ransomware cyber attack
Maze
2020-03-26TechCrunchZack Whittaker
@online{whittaker:20200326:cyber:4b23d0a, author = {Zack Whittaker}, title = {{Cyber insurer Chubb had data stolen in Maze ransomware attack}}, date = {2020-03-26}, organization = {TechCrunch}, url = {https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/}, language = {English}, urldate = {2020-03-27} } Cyber insurer Chubb had data stolen in Maze ransomware attack
Maze
2020-03-26McAfeeAlexandre Mundo
@online{mundo:20200326:ransomware:05f2b18, author = {Alexandre Mundo}, title = {{Ransomware Maze}}, date = {2020-03-26}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/}, language = {English}, urldate = {2020-03-26} } Ransomware Maze
Maze
2020-03-25BitdefenderBitdefender Team
@techreport{team:20200325:technical:b3e1af1, author = {Bitdefender Team}, title = {{A Technical Look into Maze Ransomware}}, date = {2020-03-25}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-04-20} } A Technical Look into Maze Ransomware
Maze
2020-03-24Bleeping ComputerLawrence Abrams
@online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Ransomware Nemty REvil
2020-03-12CyberbitDor Neemani, Omer Fishel, Hod Gavriel
@techreport{neemani:20200312:lost:80ccbd2, author = {Dor Neemani and Omer Fishel and Hod Gavriel}, title = {{Lost in the Maze}}, date = {2020-03-12}, institution = {Cyberbit}, url = {https://www.docdroid.net/dUpPY5s/maze.pdf}, language = {English}, urldate = {2020-03-22} } Lost in the Maze
Maze
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03Bleeping ComputerLawrence Abrams
@online{abrams:20200303:ransomware:8be6fa7, author = {Lawrence Abrams}, title = {{Ransomware Attackers Use Your Cloud Backups Against You}}, date = {2020-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/}, language = {English}, urldate = {2020-03-04} } Ransomware Attackers Use Your Cloud Backups Against You
DoppelPaymer Maze
2020-01-30ZATAZDamien Bancal
@online{bancal:20200130:cyber:0a267d4, author = {Damien Bancal}, title = {{Cyber attaque à l’encontre des serveurs de Bouygues Construction}}, date = {2020-01-30}, organization = {ZATAZ}, url = {https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/}, language = {French}, urldate = {2020-02-03} } Cyber attaque à l’encontre des serveurs de Bouygues Construction
Maze
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-22DeloitteDeloitte
@online{deloitte:20200122:project:0a44796, author = {Deloitte}, title = {{Project Lurus}}, date = {2020-01-22}, organization = {Deloitte}, url = {https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF}, language = {English}, urldate = {2020-02-13} } Project Lurus
Maze
2020SecureworksSecureWorks
@online{secureworks:2020:gold:95fe871, author = {SecureWorks}, title = {{GOLD VILLAGE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-village}, language = {English}, urldate = {2020-05-23} } GOLD VILLAGE
Maze
2019-12-24Bleeping ComputerLawrence Abrams
@online{abrams:20191224:maze:33a4e28, author = {Lawrence Abrams}, title = {{Maze Ransomware Releases Files Stolen from City of Pensacola}}, date = {2019-12-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/}, language = {English}, urldate = {2020-02-13} } Maze Ransomware Releases Files Stolen from City of Pensacola
Maze
2019-12-18Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20191218:maze:22cb5d6, author = {Albert Zsigovits}, title = {{Maze ransomware}}, date = {2019-12-18}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md}, language = {English}, urldate = {2020-04-20} } Maze ransomware
Maze
2019-12-17CiscoJJ Cummings, Dave Liebenberg
@online{cummings:20191217:incident:44acf5c, author = {JJ Cummings and Dave Liebenberg}, title = {{Incident Response lessons from recent Maze ransomware attacks}}, date = {2019-12-17}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html}, language = {English}, urldate = {2020-01-09} } Incident Response lessons from recent Maze ransomware attacks
Maze
2019-12-16KrebsOnSecurityBrian Krebs
@online{krebs:20191216:ransomware:f4d7d8c, author = {Brian Krebs}, title = {{Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up}}, date = {2019-12-16}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/}, language = {English}, urldate = {2020-01-08} } Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up
Maze
2019-12-11Bleeping ComputerLawrence Abrams
@online{abrams:20191211:maze:acb23da, author = {Lawrence Abrams}, title = {{Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand}}, date = {2019-12-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/}, language = {English}, urldate = {2020-01-09} } Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand
Maze
2019-11-21Bleeping ComputerLawrence Abrams
@online{abrams:20191121:allied:a3d69d7, author = {Lawrence Abrams}, title = {{Allied Universal Breached by Maze Ransomware, Stolen Data Leaked}}, date = {2019-11-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/}, language = {English}, urldate = {2020-01-08} } Allied Universal Breached by Maze Ransomware, Stolen Data Leaked
Maze
2019-11-14ProofpointBryan Campbell, Proofpoint Threat Insight Team
@online{campbell:20191114:ta2101:e79f6fb, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{TA2101 plays government imposter to distribute malware to German, Italian, and US organizations}}, date = {2019-11-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us}, language = {English}, urldate = {2019-11-27} } TA2101 plays government imposter to distribute malware to German, Italian, and US organizations
Maze TA2101
2019-11-08Twitter (@certbund)CERT-Bund
@online{certbund:20191108:spam:0630ad5, author = {CERT-Bund}, title = {{Tweet on Spam Mails containing MAZE}}, date = {2019-11-08}, organization = {Twitter (@certbund)}, url = {https://twitter.com/certbund/status/1192756294307995655}, language = {English}, urldate = {2020-01-08} } Tweet on Spam Mails containing MAZE
Maze
2019-10-18Bleeping ComputerSergiu Gatlan
@online{gatlan:20191018:maze:fb2c4b6, author = {Sergiu Gatlan}, title = {{Maze Ransomware Now Delivered by Spelevo Exploit Kit}}, date = {2019-10-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/}, language = {English}, urldate = {2019-12-17} } Maze Ransomware Now Delivered by Spelevo Exploit Kit
Maze
2019-05-13Amigo A
@online{a:20190513:chacha:840508a, author = {Amigo A}, title = {{ChaCha Ransomware}}, date = {2019-05-13}, url = {https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html}, language = {Russian}, urldate = {2019-12-02} } ChaCha Ransomware
Maze
Yara Rules
[TLP:WHITE] win_maze_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_maze_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 60 8b7d08 8b4d10 8b450c f3aa 61 8945f0 }
            // n = 7, score = 2100
            //   60                   | pushal              
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   61                   | popal               
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_1 = { 837d0800 8945ec 894de8 8955e4 }
            // n = 4, score = 2100
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   8955e4               | mov                 dword ptr [ebp - 0x1c], edx

        $sequence_2 = { 894de8 8955e4 7509 c745f000000000 }
            // n = 4, score = 2100
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   8955e4               | mov                 dword ptr [ebp - 0x1c], edx
            //   7509                 | jne                 0xb
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0

        $sequence_3 = { 7509 c745f000000000 eb17 60 }
            // n = 4, score = 2100
            //   7509                 | jne                 0xb
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   eb17                 | jmp                 0x19
            //   60                   | pushal              

        $sequence_4 = { 61 8945f0 c745f000000000 8b45f0 83c410 5e 5f }
            // n = 7, score = 2100
            //   61                   | popal               
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   83c410               | add                 esp, 0x10
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi

        $sequence_5 = { 89e5 53 57 56 83ec10 8b4510 8b4d0c }
            // n = 7, score = 2100
            //   89e5                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   57                   | push                edi
            //   56                   | push                esi
            //   83ec10               | sub                 esp, 0x10
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_6 = { 8b4510 8b4d0c 8b5508 837d0800 }
            // n = 4, score = 2100
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0

        $sequence_7 = { 8b44245c 81c500000001 8b542404 894c241c }
            // n = 4, score = 2000
            //   8b44245c             | mov                 eax, dword ptr [esp + 0x5c]
            //   81c500000001         | add                 ebp, 0x1000000
            //   8b542404             | mov                 edx, dword ptr [esp + 4]
            //   894c241c             | mov                 dword ptr [esp + 0x1c], ecx

        $sequence_8 = { 41 41 41 41 41 41 41 }
            // n = 7, score = 1500
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx

        $sequence_9 = { 895584 8b55fc 8b4508 8b4c9018 c1e109 8b55fc }
            // n = 6, score = 100
            //   895584               | mov                 dword ptr [ebp - 0x7c], edx
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4c9018             | mov                 ecx, dword ptr [eax + edx*4 + 0x18]
            //   c1e109               | shl                 ecx, 9
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        $sequence_10 = { 8b840a00100000 c1e810 8845e6 0fb64de7 }
            // n = 4, score = 100
            //   8b840a00100000       | mov                 eax, dword ptr [edx + ecx + 0x1000]
            //   c1e810               | shr                 eax, 0x10
            //   8845e6               | mov                 byte ptr [ebp - 0x1a], al
            //   0fb64de7             | movzx               ecx, byte ptr [ebp - 0x19]

        $sequence_11 = { 8b5508 8b45ac 33448a0c b904000000 }
            // n = 4, score = 100
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b45ac               | mov                 eax, dword ptr [ebp - 0x54]
            //   33448a0c             | xor                 eax, dword ptr [edx + ecx*4 + 0xc]
            //   b904000000           | mov                 ecx, 4

        $sequence_12 = { b804000000 6bc807 8b5508 8a840a00100000 }
            // n = 4, score = 100
            //   b804000000           | mov                 eax, 4
            //   6bc807               | imul                ecx, eax, 7
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8a840a00100000       | mov                 al, byte ptr [edx + ecx + 0x1000]

        $sequence_13 = { 8b7508 8b848694100000 89848aa4100000 ebd5 }
            // n = 4, score = 100
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8b848694100000       | mov                 eax, dword ptr [esi + eax*4 + 0x1094]
            //   89848aa4100000       | mov                 dword ptr [edx + ecx*4 + 0x10a4], eax
            //   ebd5                 | jmp                 0xffffffd7

        $sequence_14 = { 89840a40100000 8b4dfc 8b5508 8b848a1c080000 c1e017 8b4dfc }
            // n = 6, score = 100
            //   89840a40100000       | mov                 dword ptr [edx + ecx + 0x1040], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b848a1c080000       | mov                 eax, dword ptr [edx + ecx*4 + 0x81c]
            //   c1e017               | shl                 eax, 0x17
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_15 = { 03848a00040000 8985a8feffff 8b45fc 8b4d08 8b948100080000 }
            // n = 5, score = 100
            //   03848a00040000       | add                 eax, dword ptr [edx + ecx*4 + 0x400]
            //   8985a8feffff         | mov                 dword ptr [ebp - 0x158], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b948100080000       | mov                 edx, dword ptr [ecx + eax*4 + 0x800]

        $sequence_16 = { 8b4dfc 8b7508 8b8c8e84100000 890c90 ebd9 }
            // n = 5, score = 100
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8b8c8e84100000       | mov                 ecx, dword ptr [esi + ecx*4 + 0x1084]
            //   890c90               | mov                 dword ptr [eax + edx*4], ecx
            //   ebd9                 | jmp                 0xffffffdb

    condition:
        7 of them and filesize < 2318336
}
Download all Yara Rules