SYMBOLCOMMON_NAMEaka. SYNONYMS
win.maze (Back to overview)

Maze

aka: ChaCha

Actor(s): FIN6, TA2101

Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.

Actors are known to exfiltrate the data from the network for further extortion. It spreads mainly using email spam and various exploit kits (Spelevo, Fallout).

The code of Maze ransomware is highly complicated and obfuscated, which helps to evade security solutions using signature-based detections.

References
2023-01-30CheckpointArie Olshtein
@online{olshtein:20230130:following:e442fcc, author = {Arie Olshtein}, title = {{Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware}}, date = {2023-01-30}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/}, language = {English}, urldate = {2023-01-31} } Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-05Intel 471Intel 471
@online{471:20220505:cybercrime:f091e4f, author = {Intel 471}, title = {{Cybercrime loves company: Conti cooperated with other ransomware gangs}}, date = {2022-05-05}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker}, language = {English}, urldate = {2022-05-05} } Cybercrime loves company: Conti cooperated with other ransomware gangs
LockBit Maze RagnarLocker Ryuk
2022-03-31TrellixJohn Fokker, Jambul Tologonov
@online{fokker:20220331:conti:3bc2974, author = {John Fokker and Jambul Tologonov}, title = {{Conti Leaks: Examining the Panama Papers of Ransomware}}, date = {2022-03-31}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html}, language = {English}, urldate = {2022-04-07} } Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-23splunkShannon Davis
@online{davis:20220323:gone:56f570f, author = {Shannon Davis}, title = {{Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed}}, date = {2022-03-23}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html}, language = {English}, urldate = {2022-03-25} } Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-02-23splunkShannon Davis, SURGe
@techreport{davis:20220223:empirically:fe03729, author = {Shannon Davis and SURGe}, title = {{An Empirically Comparative Analysis of Ransomware Binaries}}, date = {2022-02-23}, institution = {splunk}, url = {https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf}, language = {English}, urldate = {2022-03-25} } An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-02-09Security AffairsPierluigi Paganini
@online{paganini:20220209:master:b0b64b8, author = {Pierluigi Paganini}, title = {{Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online}}, date = {2022-02-09}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html}, language = {English}, urldate = {2022-02-10} } Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online
Egregor m0yv Maze Sekhmet
2022-02-09Bleeping ComputerLawrence Abrams
@online{abrams:20220209:ransomware:e36973b, author = {Lawrence Abrams}, title = {{Ransomware dev releases Egregor, Maze master decryption keys}}, date = {2022-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/}, language = {English}, urldate = {2022-02-10} } Ransomware dev releases Egregor, Maze master decryption keys
Egregor Maze Sekhmet
2021-11-03CERT-FRANSSI
@online{anssi:20211103:identification:3143cbb, author = {ANSSI}, title = {{Identification of a new cybercriminal group: Lockean}}, date = {2021-11-03}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/}, language = {English}, urldate = {2021-11-03} } Identification of a new cybercriminal group: Lockean
DoppelPaymer Egregor Maze PwndLocker REvil
2021-10-26ANSSI
@techreport{anssi:20211026:identification:9444ac3, author = {ANSSI}, title = {{Identification of a new cyber criminal group: Lockean}}, date = {2021-10-26}, institution = {}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf}, language = {English}, urldate = {2022-01-25} } Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil
2021-09-06cocomelonccocomelonc
@online{cocomelonc:20210906:av:215e5aa, author = {cocomelonc}, title = {{AV engines evasion for C++ simple malware: part 2}}, date = {2021-09-06}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html}, language = {English}, urldate = {2022-11-28} } AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze Unidentified 090 (Lazarus)
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-10Bleeping ComputerSergiu Gatlan
@online{gatlan:20210810:crytek:59f98bc, author = {Sergiu Gatlan}, title = {{Crytek confirms Egregor ransomware attack, customer data theft}}, date = {2021-08-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/}, language = {English}, urldate = {2021-08-11} } Crytek confirms Egregor ransomware attack, customer data theft
Egregor Maze
2021-08-05KrebsOnSecurityBrian Krebs
@online{krebs:20210805:ransomware:0962b82, author = {Brian Krebs}, title = {{Ransomware Gangs and the Name Game Distraction}}, date = {2021-08-05}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/}, language = {English}, urldate = {2021-12-13} } Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-07-09The RecordCatalin Cimpanu
@online{cimpanu:20210709:ransomwhere:bd77fbe, author = {Catalin Cimpanu}, title = {{Ransomwhere project wants to create a database of past ransomware payments}}, date = {2021-07-09}, organization = {The Record}, url = {https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/}, language = {English}, urldate = {2021-07-20} } Ransomwhere project wants to create a database of past ransomware payments
Egregor Mailto Maze REvil
2021-07-01DomainToolsChad Anderson
@online{anderson:20210701:most:39f64b8, author = {Chad Anderson}, title = {{The Most Prolific Ransomware Families: A Defenders Guide}}, date = {2021-07-01}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide}, language = {English}, urldate = {2021-07-11} } The Most Prolific Ransomware Families: A Defenders Guide
REvil Conti Egregor Maze REvil
2021-06-16ProofpointSelena Larson, Daniel Blackford, Garrett M. Graff
@online{larson:20210616:first:2e436a0, author = {Selena Larson and Daniel Blackford and Garrett M. Graff}, title = {{The First Step: Initial Access Leads to Ransomware}}, date = {2021-06-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware}, language = {English}, urldate = {2021-06-21} } The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker
2021-05-18Bleeping ComputerIonut Ilascu
@online{ilascu:20210518:darkside:d8e345b, author = {Ionut Ilascu}, title = {{DarkSide ransomware made $90 million in just nine months}}, date = {2021-05-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/}, language = {English}, urldate = {2021-06-07} } DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk
2021-05-18The RecordCatalin Cimpanu
@online{cimpanu:20210518:darkside:14b6690, author = {Catalin Cimpanu}, title = {{Darkside gang estimated to have made over $90 million from ransomware attacks}}, date = {2021-05-18}, organization = {The Record}, url = {https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/}, language = {English}, urldate = {2021-05-19} } Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide DarkSide Mailto Maze REvil Ryuk
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-07Bleeping ComputerLawrence Abrams
@online{abrams:20210507:data:c674b2b, author = {Lawrence Abrams}, title = {{Data leak marketplaces aim to take over the extortion economy}}, date = {2021-05-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/}, language = {English}, urldate = {2021-05-08} } Data leak marketplaces aim to take over the extortion economy
Babuk Maze
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-27CrowdStrikeJosh Dalman, Kamil Janton, Eben Kaplan
@online{dalman:20210427:ransomware:8242ac5, author = {Josh Dalman and Kamil Janton and Eben Kaplan}, title = {{Ransomware Preparedness: A Call to Action}}, date = {2021-04-27}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/}, language = {English}, urldate = {2021-05-31} } Ransomware Preparedness: A Call to Action
Dharma GlobeImposter Maze Phobos CIRCUS SPIDER TRAVELING SPIDER
2021-04-07ANALYST1Jon DiMaggio
@techreport{dimaggio:20210407:ransom:a543eac, author = {Jon DiMaggio}, title = {{Ransom Mafia Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, institution = {ANALYST1}, url = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf}, language = {English}, urldate = {2021-04-09} } Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER
2021-04-07ANALYST1Jon DiMaggio
@online{dimaggio:20210407:ransom:a109d6f, author = {Jon DiMaggio}, title = {{Ransom Mafia - Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, organization = {ANALYST1}, url = {https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel}, language = {English}, urldate = {2021-06-01} } Ransom Mafia - Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER
2021-03-17Palo Alto Networks Unit 42Unit42
@techreport{unit42:20210317:ransomware:504cc32, author = {Unit42}, title = {{Ransomware Threat Report 2021}}, date = {2021-03-17}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf}, language = {English}, urldate = {2021-03-19} } Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-03-02CERT-FRCERT-FR
@online{certfr:20210302:egregor:f0da4ec, author = {CERT-FR}, title = {{The Egregor Ransomware}}, date = {2021-03-02}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/}, language = {English}, urldate = {2021-06-29} } The Egregor Ransomware
Egregor Maze Sekhmet
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2021-02-25FireEyeBryce Abdo, Brendan McKeague, Van Ta
@online{abdo:20210225:so:88f3400, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html}, language = {English}, urldate = {2021-03-02} } So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-11CTI LEAGUECTI LEAGUE
@techreport{league:20210211:ctil:69c2ab8, author = {CTI LEAGUE}, title = {{CTIL Darknet Report – 2021}}, date = {2021-02-11}, institution = {CTI LEAGUE}, url = {https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf}, language = {English}, urldate = {2021-02-20} } CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk
2021-02-04ChainanalysisChainalysis Team
@online{team:20210204:blockchain:4e63b2f, author = {Chainalysis Team}, title = {{Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains}}, date = {2021-02-04}, organization = {Chainanalysis}, url = {https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer}, language = {English}, urldate = {2021-02-06} } Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains
DoppelPaymer Egregor Maze SunCrypt
2021TalosTalos Incident Response
@techreport{response:2021:evicting:c795470, author = {Talos Incident Response}, title = {{Evicting Maze}}, date = {2021}, institution = {Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf}, language = {English}, urldate = {2021-05-26} } Evicting Maze
Cobalt Strike Maze
2021SecureworksSecureWorks
@online{secureworks:2021:threat:7e8aa73, author = {SecureWorks}, title = {{Threat Profile: GOLD VILLAGE}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-village}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD VILLAGE
Maze TA2101
2020-12-16AccenturePaul Mansfield
@online{mansfield:20201216:tracking:25540bd, author = {Paul Mansfield}, title = {{Tracking and combatting an evolving danger: Ransomware extortion}}, date = {2020-12-16}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion}, language = {English}, urldate = {2020-12-17} } Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt
2020-12-14Medium Killbitkillbit
@online{killbit:20201214:applying:75d0dde, author = {killbit}, title = {{Applying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware}}, date = {2020-12-14}, organization = {Medium Killbit}, url = {https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f}, language = {English}, urldate = {2020-12-17} } Applying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware
Maze
2020-12-10US-CERTUS-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-12-09CiscoDavid Liebenberg, Caitlin Huey
@online{liebenberg:20201209:quarterly:9ed3062, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Fall 2020}}, date = {2020-12-09}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html}, language = {English}, urldate = {2020-12-10} } Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk
2020-12-08SophosSean Gallagher, Anand Aijan, Gabor Szappanos, Syed Shahram, Bill Kearney, Mark Loman, Peter Mackenzie, Sergio Bestulic
@online{gallagher:20201208:egregor:fe48cfd, author = {Sean Gallagher and Anand Aijan and Gabor Szappanos and Syed Shahram and Bill Kearney and Mark Loman and Peter Mackenzie and Sergio Bestulic}, title = {{Egregor ransomware: Maze’s heir apparent}}, date = {2020-12-08}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/}, language = {English}, urldate = {2020-12-08} } Egregor ransomware: Maze’s heir apparent
Egregor Maze
2020-12-07Minerva LabsTom Roter
@online{roter:20201207:egregor:2d3dced, author = {Tom Roter}, title = {{Egregor Ransomware - An In-Depth Analysis}}, date = {2020-12-07}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis}, language = {English}, urldate = {2020-12-09} } Egregor Ransomware - An In-Depth Analysis
Egregor Maze Sekhmet
2020-12-01Trend MicroRyan Flores
@online{flores:20201201:impact:415bf2e, author = {Ryan Flores}, title = {{The Impact of Modern Ransomware on Manufacturing Networks}}, date = {2020-12-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html}, language = {English}, urldate = {2020-12-08} } The Impact of Modern Ransomware on Manufacturing Networks
Maze Petya REvil
2020-11-18KELAVictoria Kivilevich
@online{kivilevich:20201118:zooming:f28a9c1, author = {Victoria Kivilevich}, title = {{Zooming into Darknet Threats Targeting Japanese Organizations}}, date = {2020-11-18}, organization = {KELA}, url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/}, language = {English}, urldate = {2020-11-19} } Zooming into Darknet Threats Targeting Japanese Organizations
Conti DoppelPaymer Egregor LockBit Maze REvil Snake
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-11Kaspersky LabsDmitry Bestuzhev, Fedor Sinitsyn
@online{bestuzhev:20201111:targeted:e2e0c3a, author = {Dmitry Bestuzhev and Fedor Sinitsyn}, title = {{Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”}}, date = {2020-11-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/targeted-ransomware-encrypting-data/99255/}, language = {English}, urldate = {2020-11-11} } Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”
Egregor Maze RagnarLocker
2020-11-06TelsyTelsy Research Team
@techreport{team:20201106:malware:7b6dd9d, author = {Telsy Research Team}, title = {{Malware Analysis Report: Trying not to walk in the dark woods. A way out of the Maze}}, date = {2020-11-06}, institution = {Telsy}, url = {https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf}, language = {English}, urldate = {2020-11-09} } Malware Analysis Report: Trying not to walk in the dark woods. A way out of the Maze
Maze
2020-10-29Bleeping ComputerLawrence Abrams
@online{abrams:20201029:maze:f90b399, author = {Lawrence Abrams}, title = {{Maze ransomware is shutting down its cybercrime operation}}, date = {2020-10-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/}, language = {English}, urldate = {2020-11-02} } Maze ransomware is shutting down its cybercrime operation
Egregor Maze
2020-10-28BitdefenderRuben Andrei Condor
@techreport{condor:20201028:decade:b8d7422, author = {Ruben Andrei Condor}, title = {{A Decade of WMI Abuse – an Overview of Techniques in Modern Malware}}, date = {2020-10-28}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-11-02} } A Decade of WMI Abuse – an Overview of Techniques in Modern Malware
sLoad Emotet Maze
2020-10-26CheckpointItay Cohen, Eyal Itkin
@online{cohen:20201026:exploit:9ec173c, author = {Itay Cohen and Eyal Itkin}, title = {{Exploit Developer Spotlight: The Story of PlayBit}}, date = {2020-10-26}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/}, language = {English}, urldate = {2020-10-27} } Exploit Developer Spotlight: The Story of PlayBit
Dyre Maze PyLocky Ramnit REvil
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-21Kaspersky LabsFedor Sinitsyn, Nikita Galimov, Vladimir Kuskov
@online{sinitsyn:20201021:life:5906110, author = {Fedor Sinitsyn and Nikita Galimov and Vladimir Kuskov}, title = {{Life of Maze ransomware}}, date = {2020-10-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/maze-ransomware/99137/}, language = {English}, urldate = {2020-10-23} } Life of Maze ransomware
Maze
2020-10-06CrowdStrikeThe Crowdstrike Intel Team
@online{team:20201006:double:bb0f240, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 2}}, date = {2020-10-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/}, language = {English}, urldate = {2020-10-12} } Double Trouble: Ransomware with Data Leak Extortion, Part 2
Maze MedusaLocker REvil VIKING SPIDER
2020-10-01KELAVictoria Kivilevich
@online{kivilevich:20201001:to:fd3aa09, author = {Victoria Kivilevich}, title = {{To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem}}, date = {2020-10-01}, organization = {KELA}, url = {https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/}, language = {English}, urldate = {2021-05-07} } To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt
2020-09-29MicrosoftMicrosoft
@techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-09-25StateScoopBenjamin Freed
@online{freed:20200925:baltimore:296e7d1, author = {Benjamin Freed}, title = {{Baltimore ransomware attack was early attempt at data extortion, new report shows}}, date = {2020-09-25}, organization = {StateScoop}, url = {https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/}, language = {English}, urldate = {2021-05-28} } Baltimore ransomware attack was early attempt at data extortion, new report shows
Maze RobinHood OUTLAW SPIDER
2020-09-24CrowdStrikeCrowdStrike Intelligence Team
@online{team:20200924:double:3b3ade6, author = {CrowdStrike Intelligence Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-24}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1}, language = {English}, urldate = {2021-05-31} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER
2020-09-22Sophos SecOpsGreg Iddon
@online{iddon:20200922:mtr:77e8701, author = {Greg Iddon}, title = {{MTR Casebook: Blocking a $15 million Maze ransomware attack}}, date = {2020-09-22}, organization = {Sophos SecOps}, url = {https://news.sophos.com/en-us/2020/09/22/mtr-casebook-blocking-a-15-million-maze-ransomware-attack/}, language = {English}, urldate = {2022-03-18} } MTR Casebook: Blocking a $15 million Maze ransomware attack
Maze
2020-09-17Bleeping ComputerLawrence Abrams
@online{abrams:20200917:maze:81b8c38, author = {Lawrence Abrams}, title = {{Maze ransomware now encrypts via virtual machines to evade detection}}, date = {2020-09-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/}, language = {English}, urldate = {2020-09-21} } Maze ransomware now encrypts via virtual machines to evade detection
Maze
2020-09-17SophosLabs UncutAndrew Brandt, Peter Mackenzie
@online{brandt:20200917:maze:714f603, author = {Andrew Brandt and Peter Mackenzie}, title = {{Maze attackers adopt Ragnar Locker virtual machine technique}}, date = {2020-09-17}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/}, language = {English}, urldate = {2020-09-21} } Maze attackers adopt Ragnar Locker virtual machine technique
Maze
2020-09-01Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-25KELAVictoria Kivilevich
@online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08-20sensecycyberthreatinsider
@online{cyberthreatinsider:20200820:global:34ee2ea, author = {cyberthreatinsider}, title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}}, date = {2020-08-20}, organization = {sensecy}, url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/}, language = {English}, urldate = {2020-11-04} } Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk
2020-08-13SentinelOneSentinelLabs
@online{sentinellabs:20200813:case:4560aed, author = {SentinelLabs}, title = {{Case Study: Catching a Human-Operated Maze Ransomware Attack In Action}}, date = {2020-08-13}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/}, language = {English}, urldate = {2020-08-14} } Case Study: Catching a Human-Operated Maze Ransomware Attack In Action
Maze
2020-08-04ZDNetCatalin Cimpanu
@online{cimpanu:20200804:ransomware:e0320ee, author = {Catalin Cimpanu}, title = {{Ransomware gang publishes tens of GBs of internal data from LG and Xerox}}, date = {2020-08-04}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/}, language = {English}, urldate = {2020-08-18} } Ransomware gang publishes tens of GBs of internal data from LG and Xerox
Maze
2020-08Temple UniversityCARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-22SentinelOneJason Reaves, Joshua Platt
@online{reaves:20200722:enter:71d9038, author = {Jason Reaves and Joshua Platt}, title = {{Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)}}, date = {2020-07-22}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/}, language = {English}, urldate = {2020-07-23} } Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
ISFB Maze TrickBot Zloader
2020-07-15MandiantNathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot}, language = {English}, urldate = {2022-07-28} } Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake
2020-06-18Quick HealPreksha Saxena
@online{saxena:20200618:maze:76ca64b, author = {Preksha Saxena}, title = {{Maze ransomware continues to be a threat to the consumers}}, date = {2020-06-18}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/}, language = {English}, urldate = {2020-07-02} } Maze ransomware continues to be a threat to the consumers
Maze
2020-06-17CognizantCognizant
@techreport{cognizant:20200617:notice:37fe994, author = {Cognizant}, title = {{Notice of Data Breach}}, date = {2020-06-17}, institution = {Cognizant}, url = {https://oag.ca.gov/system/files/Letter%204.pdf}, language = {English}, urldate = {2020-06-18} } Notice of Data Breach
Maze
2020-06-16BleepingComputerSergiu Gatlan
@online{gatlan:20200616:chipmaker:0e801b8, author = {Sergiu Gatlan}, title = {{Chipmaker MaxLinear reports data breach after Maze Ransomware attack}}, date = {2020-06-16}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/}, language = {English}, urldate = {2020-06-17} } Chipmaker MaxLinear reports data breach after Maze Ransomware attack
Maze
2020-06-04Sophos Naked SecurityLisa Vaas
@online{vaas:20200604:nuclear:9d471e1, author = {Lisa Vaas}, title = {{Nuclear missile contractor hacked in Maze ransomware attack}}, date = {2020-06-04}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/}, language = {English}, urldate = {2020-06-04} } Nuclear missile contractor hacked in Maze ransomware attack
Maze
2020-05-21BrightTALK (FireEye)Kimberly Goody, Jeremy Kennelly
@online{goody:20200521:navigating:a2eae5f, author = {Kimberly Goody and Jeremy Kennelly}, title = {{Navigating MAZE: Analysis of a Rising Ransomware Threat}}, date = {2020-05-21}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat}, language = {English}, urldate = {2020-06-05} } Navigating MAZE: Analysis of a Rising Ransomware Threat
Maze
2020-05-12SophosLabs UncutSophos
@online{sophos:20200512:maze:5552394, author = {Sophos}, title = {{Maze ransomware: extorting victims for 1 year and counting}}, date = {2020-05-12}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/}, language = {English}, urldate = {2022-03-18} } Maze ransomware: extorting victims for 1 year and counting
Maze
2020-05-07FireEye IncKimberly Goody, Jeremy Kennelly, Joshua Shilko
@online{goody:20200507:navigating:7147cb7, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko}, title = {{Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents}}, date = {2020-05-07}, organization = {FireEye Inc}, url = {https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html}, language = {English}, urldate = {2020-05-11} } Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents
Maze
2020-05-07REDTEAM.PLAdam Ziaja
@online{ziaja:20200507:sodinokibi:f5c5cd1, author = {Adam Ziaja}, title = {{Sodinokibi / REvil ransomware}}, date = {2020-05-07}, organization = {REDTEAM.PL}, url = {https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html}, language = {English}, urldate = {2020-05-13} } Sodinokibi / REvil ransomware
Maze MimiKatz REvil
2020-05-04BluelivBlueliv Team
@online{team:20200504:escape:63ebdfa, author = {Blueliv Team}, title = {{Escape from the Maze}}, date = {2020-05-04}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/}, language = {English}, urldate = {2020-05-11} } Escape from the Maze
Maze
2020-05-01CrowdStrikeShaun Hurley
@online{hurley:20200501:many:22ed72c, author = {Shaun Hurley}, title = {{The Many Paths Through Maze}}, date = {2020-05-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/}, language = {English}, urldate = {2020-05-05} } The Many Paths Through Maze
Maze
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-18CognizantCognizant
@online{cognizant:20200418:cognizant:0e20ac0, author = {Cognizant}, title = {{Cognizant Security Incident Update}}, date = {2020-04-18}, organization = {Cognizant}, url = {https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update}, language = {English}, urldate = {2020-04-20} } Cognizant Security Incident Update
Maze
2020-04-18Bleeping ComputerLawrence Abrams
@online{abrams:20200418:it:bb2d626, author = {Lawrence Abrams}, title = {{IT services giant Cognizant suffers Maze Ransomware cyber attack}}, date = {2020-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/}, language = {English}, urldate = {2020-04-20} } IT services giant Cognizant suffers Maze Ransomware cyber attack
Maze
2020-03-26McAfeeAlexandre Mundo
@online{mundo:20200326:ransomware:05f2b18, author = {Alexandre Mundo}, title = {{Ransomware Maze}}, date = {2020-03-26}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/}, language = {English}, urldate = {2020-03-26} } Ransomware Maze
Maze
2020-03-26TechCrunchZack Whittaker
@online{whittaker:20200326:cyber:4b23d0a, author = {Zack Whittaker}, title = {{Cyber insurer Chubb had data stolen in Maze ransomware attack}}, date = {2020-03-26}, organization = {TechCrunch}, url = {https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/}, language = {English}, urldate = {2020-03-27} } Cyber insurer Chubb had data stolen in Maze ransomware attack
Maze
2020-03-25BitdefenderBitdefender Team
@techreport{team:20200325:technical:b3e1af1, author = {Bitdefender Team}, title = {{A Technical Look into Maze Ransomware}}, date = {2020-03-25}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-04-20} } A Technical Look into Maze Ransomware
Maze
2020-03-24Bleeping ComputerLawrence Abrams
@online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Nemty REvil
2020-03-12CyberbitDor Neemani, Omer Fishel, Hod Gavriel
@techreport{neemani:20200312:lost:80ccbd2, author = {Dor Neemani and Omer Fishel and Hod Gavriel}, title = {{Lost in the Maze}}, date = {2020-03-12}, institution = {Cyberbit}, url = {https://www.docdroid.net/dUpPY5s/maze.pdf}, language = {English}, urldate = {2020-03-22} } Lost in the Maze
Maze
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03Bleeping ComputerLawrence Abrams
@online{abrams:20200303:ransomware:8be6fa7, author = {Lawrence Abrams}, title = {{Ransomware Attackers Use Your Cloud Backups Against You}}, date = {2020-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/}, language = {English}, urldate = {2020-03-04} } Ransomware Attackers Use Your Cloud Backups Against You
DoppelPaymer Maze
2020-02-20McAfeeChristiaan Beek, Eamonn Ryan, Darren Fitzpatrick
@online{beek:20200220:csi:8525a7b, author = {Christiaan Beek and Eamonn Ryan and Darren Fitzpatrick}, title = {{CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II}}, date = {2020-02-20}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/}, language = {English}, urldate = {2021-05-13} } CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II
Cobalt Strike LockerGoga Maze MegaCortex
2020-01-30ZATAZDamien Bancal
@online{bancal:20200130:cyber:0a267d4, author = {Damien Bancal}, title = {{Cyber attaque à l’encontre des serveurs de Bouygues Construction}}, date = {2020-01-30}, organization = {ZATAZ}, url = {https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/}, language = {French}, urldate = {2020-02-03} } Cyber attaque à l’encontre des serveurs de Bouygues Construction
Maze
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-22DeloitteDeloitte
@online{deloitte:20200122:project:0a44796, author = {Deloitte}, title = {{Project Lurus}}, date = {2020-01-22}, organization = {Deloitte}, url = {https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF}, language = {English}, urldate = {2020-02-13} } Project Lurus
Maze
2020SecureworksSecureWorks
@online{secureworks:2020:gold:95fe871, author = {SecureWorks}, title = {{GOLD VILLAGE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-village}, language = {English}, urldate = {2020-05-23} } GOLD VILLAGE
Maze
2020BlackberryBlackberry Research
@techreport{research:2020:state:e5941af, author = {Blackberry Research}, title = {{State of Ransomware}}, date = {2020}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf}, language = {English}, urldate = {2021-01-01} } State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP
2019-12-24Bleeping ComputerLawrence Abrams
@online{abrams:20191224:maze:33a4e28, author = {Lawrence Abrams}, title = {{Maze Ransomware Releases Files Stolen from City of Pensacola}}, date = {2019-12-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/}, language = {English}, urldate = {2020-02-13} } Maze Ransomware Releases Files Stolen from City of Pensacola
Maze
2019-12-18Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20191218:maze:22cb5d6, author = {Albert Zsigovits}, title = {{Maze ransomware}}, date = {2019-12-18}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md}, language = {English}, urldate = {2020-04-20} } Maze ransomware
Maze
2019-12-17CiscoJJ Cummings, Dave Liebenberg
@online{cummings:20191217:incident:44acf5c, author = {JJ Cummings and Dave Liebenberg}, title = {{Incident Response lessons from recent Maze ransomware attacks}}, date = {2019-12-17}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html}, language = {English}, urldate = {2020-01-09} } Incident Response lessons from recent Maze ransomware attacks
Maze
2019-12-16KrebsOnSecurityBrian Krebs
@online{krebs:20191216:ransomware:f4d7d8c, author = {Brian Krebs}, title = {{Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up}}, date = {2019-12-16}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/}, language = {English}, urldate = {2020-01-08} } Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up
Maze
2019-12-11Bleeping ComputerLawrence Abrams
@online{abrams:20191211:maze:acb23da, author = {Lawrence Abrams}, title = {{Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand}}, date = {2019-12-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/}, language = {English}, urldate = {2020-01-09} } Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand
Maze
2019-11-21Bleeping ComputerLawrence Abrams
@online{abrams:20191121:allied:a3d69d7, author = {Lawrence Abrams}, title = {{Allied Universal Breached by Maze Ransomware, Stolen Data Leaked}}, date = {2019-11-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/}, language = {English}, urldate = {2020-01-08} } Allied Universal Breached by Maze Ransomware, Stolen Data Leaked
Maze
2019-11-14ProofpointBryan Campbell, Proofpoint Threat Insight Team
@online{campbell:20191114:ta2101:e79f6fb, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{TA2101 plays government imposter to distribute malware to German, Italian, and US organizations}}, date = {2019-11-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us}, language = {English}, urldate = {2019-11-27} } TA2101 plays government imposter to distribute malware to German, Italian, and US organizations
Maze TA2101
2019-11-08Twitter (@certbund)CERT-Bund
@online{certbund:20191108:spam:0630ad5, author = {CERT-Bund}, title = {{Tweet on Spam Mails containing MAZE}}, date = {2019-11-08}, organization = {Twitter (@certbund)}, url = {https://twitter.com/certbund/status/1192756294307995655}, language = {English}, urldate = {2020-01-08} } Tweet on Spam Mails containing MAZE
Maze
2019-10-18Bleeping ComputerSergiu Gatlan
@online{gatlan:20191018:maze:fb2c4b6, author = {Sergiu Gatlan}, title = {{Maze Ransomware Now Delivered by Spelevo Exploit Kit}}, date = {2019-10-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/}, language = {English}, urldate = {2019-12-17} } Maze Ransomware Now Delivered by Spelevo Exploit Kit
Maze
2019-05-13Amigo A
@online{a:20190513:chacha:840508a, author = {Amigo A}, title = {{ChaCha Ransomware}}, date = {2019-05-13}, url = {https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html}, language = {Russian}, urldate = {2019-12-02} } ChaCha Ransomware
Maze
2019CrowdStrikeCrowdStrike
@online{crowdstrike:2019:twisted:8dacf6c, author = {CrowdStrike}, title = {{Twisted Spider}}, date = {2019}, organization = {CrowdStrike}, url = {https://adversary.crowdstrike.com/adversary/twisted-spider/}, language = {English}, urldate = {2021-05-19} } Twisted Spider
Maze TA2101
Yara Rules
[TLP:WHITE] win_maze_auto (20230125 | Detects win.maze.)
rule win_maze_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.maze."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7509 c745f000000000 eb17 60 8b7d08 8b4d10 }
            // n = 6, score = 2400
            //   7509                 | jne                 0xb
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   eb17                 | jmp                 0x19
            //   60                   | pushal              
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]

        $sequence_1 = { 60 8b7d08 8b4d10 8b450c f3aa 61 8945f0 }
            // n = 7, score = 2400
            //   60                   | pushal              
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   61                   | popal               
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_2 = { 53 57 56 83ec10 8b4510 8b4d0c }
            // n = 6, score = 2400
            //   53                   | push                ebx
            //   57                   | push                edi
            //   56                   | push                esi
            //   83ec10               | sub                 esp, 0x10
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_3 = { 8945f0 c745f000000000 8b45f0 83c410 5e 5f 5b }
            // n = 7, score = 2400
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   83c410               | add                 esp, 0x10
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx

        $sequence_4 = { 837d0800 8945ec 894de8 8955e4 7509 c745f000000000 eb17 }
            // n = 7, score = 2400
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   8955e4               | mov                 dword ptr [ebp - 0x1c], edx
            //   7509                 | jne                 0xb
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   eb17                 | jmp                 0x19

        $sequence_5 = { 83ec10 8b4510 8b4d0c 8b5508 837d0800 8945ec 894de8 }
            // n = 7, score = 2400
            //   83ec10               | sub                 esp, 0x10
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx

        $sequence_6 = { c1e718 09d7 0fb65008 89bc2488000000 0fb6780a }
            // n = 5, score = 2300
            //   c1e718               | shl                 edi, 0x18
            //   09d7                 | or                  edi, edx
            //   0fb65008             | movzx               edx, byte ptr [eax + 8]
            //   89bc2488000000       | mov                 dword ptr [esp + 0x88], edi
            //   0fb6780a             | movzx               edi, byte ptr [eax + 0xa]

        $sequence_7 = { c1e718 09d7 0fb65016 09f1 }
            // n = 4, score = 2300
            //   c1e718               | shl                 edi, 0x18
            //   09d7                 | or                  edi, edx
            //   0fb65016             | movzx               edx, byte ptr [eax + 0x16]
            //   09f1                 | or                  ecx, esi

        $sequence_8 = { 41 41 41 41 41 }
            // n = 5, score = 1600
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx

        $sequence_9 = { 6a00 6801001200 ff15???????? 85c0 a3???????? 7533 }
            // n = 6, score = 1400
            //   6a00                 | push                0
            //   6801001200           | push                0x120001
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   7533                 | jne                 0x35

        $sequence_10 = { 8b8c8a10080000 c1e909 0bc1 898578feffff ba04000000 }
            // n = 5, score = 100
            //   8b8c8a10080000       | mov                 ecx, dword ptr [edx + ecx*4 + 0x810]
            //   c1e909               | shr                 ecx, 9
            //   0bc1                 | or                  eax, ecx
            //   898578feffff         | mov                 dword ptr [ebp - 0x188], eax
            //   ba04000000           | mov                 edx, 4

        $sequence_11 = { 899568ffffff 33c0 e9???????? c645a443 c645a572 c645a679 }
            // n = 6, score = 100
            //   899568ffffff         | mov                 dword ptr [ebp - 0x98], edx
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   c645a443             | mov                 byte ptr [ebp - 0x5c], 0x43
            //   c645a572             | mov                 byte ptr [ebp - 0x5b], 0x72
            //   c645a679             | mov                 byte ptr [ebp - 0x5a], 0x79

        $sequence_12 = { 8b0485a8b44100 0fbe440804 83e040 5d c3 }
            // n = 5, score = 100
            //   8b0485a8b44100       | mov                 eax, dword ptr [eax*4 + 0x41b4a8]
            //   0fbe440804           | movsx               eax, byte ptr [eax + ecx + 4]
            //   83e040               | and                 eax, 0x40
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_13 = { 8b4508 8b8c1040100000 c1e10a ba04000000 6bc20d }
            // n = 5, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b8c1040100000       | mov                 ecx, dword ptr [eax + edx + 0x1040]
            //   c1e10a               | shl                 ecx, 0xa
            //   ba04000000           | mov                 edx, 4
            //   6bc20d               | imul                eax, edx, 0xd

        $sequence_14 = { 8b948100080000 0395acfeffff 8b85b4feffff 3385b0feffff 03d0 }
            // n = 5, score = 100
            //   8b948100080000       | mov                 edx, dword ptr [ecx + eax*4 + 0x800]
            //   0395acfeffff         | add                 edx, dword ptr [ebp - 0x154]
            //   8b85b4feffff         | mov                 eax, dword ptr [ebp - 0x14c]
            //   3385b0feffff         | xor                 eax, dword ptr [ebp - 0x150]
            //   03d0                 | add                 edx, eax

        $sequence_15 = { 8b840a40100000 c1e00a b904000000 6bd10a 8b4d08 8b941140100000 c1ea16 }
            // n = 7, score = 100
            //   8b840a40100000       | mov                 eax, dword ptr [edx + ecx + 0x1040]
            //   c1e00a               | shl                 eax, 0xa
            //   b904000000           | mov                 ecx, 4
            //   6bd10a               | imul                edx, ecx, 0xa
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b941140100000       | mov                 edx, dword ptr [ecx + edx + 0x1040]
            //   c1ea16               | shr                 edx, 0x16

        $sequence_16 = { c1e918 0bd1 899520feffff 8b9528feffff 339524feffff }
            // n = 5, score = 100
            //   c1e918               | shr                 ecx, 0x18
            //   0bd1                 | or                  edx, ecx
            //   899520feffff         | mov                 dword ptr [ebp - 0x1e0], edx
            //   8b9528feffff         | mov                 edx, dword ptr [ebp - 0x1d8]
            //   339524feffff         | xor                 edx, dword ptr [ebp - 0x1dc]

        $sequence_17 = { 0bc2 898560ffffff 8b8568ffffff 338564ffffff }
            // n = 4, score = 100
            //   0bc2                 | or                  eax, edx
            //   898560ffffff         | mov                 dword ptr [ebp - 0xa0], eax
            //   8b8568ffffff         | mov                 eax, dword ptr [ebp - 0x98]
            //   338564ffffff         | xor                 eax, dword ptr [ebp - 0x9c]

    condition:
        7 of them and filesize < 2318336
}
Download all Yara Rules