Maze (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.maze (Back to overview)

Maze

aka: ChaCha

Actor(s): FIN6, TA2101

VTCollection

Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.

Actors are known to exfiltrate the data from the network for further extortion. It spreads mainly using email spam and various exploit kits (Spelevo, Fallout).

The code of Maze ransomware is highly complicated and obfuscated, which helps to evade security solutions using signature-based detections.

References

2024-05-01 ⋅ Natto Thoughts ⋅ Natto Team
Ransom-War: Russian Extortion Operations as Hybrid Warfare, Part One
Clop Conti Maze TrickBot

2024-02-15 ⋅ Department of Justice ⋅ Office of Public Affairs
Foreign National Pleads Guilty to Role in Cybercrime Schemes Involving Tens of Millions of Dollars in Losses
Egregor IcedID Maze Zeus

2024-02-15 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
Zeus, IcedID malware gangs leader pleads guilty, faces 40 years in prison
Egregor IcedID Maze Zeus

2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-05-05 ⋅ Intel 471 ⋅ Intel 471
Cybercrime loves company: Conti cooperated with other ransomware gangs
LockBit Maze RagnarLocker Ryuk

2022-03-31 ⋅ Trellix ⋅ Jambul Tologonov, John Fokker
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot

2022-03-23 ⋅ splunk ⋅ Shannon Davis
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk

2022-03-17 ⋅ Sophos ⋅ Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker

2022-02-23 ⋅ splunk ⋅ Shannon Davis, SURGe
An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk

2022-02-09 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Ransomware dev releases Egregor, Maze master decryption keys
Egregor Maze Sekhmet

2022-02-09 ⋅ Security Affairs ⋅ Pierluigi Paganini
Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online
Egregor m0yv Maze Sekhmet

2021-11-03 ⋅ CERT-FR ⋅ ANSSI
Identification of a new cybercriminal group: Lockean
DoppelPaymer Egregor Maze PwndLocker REvil

2021-10-26 ⋅ ANSSI
Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil

2021-09-06 ⋅ cocomelonc ⋅ cocomelonc
AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-08-10 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
Crytek confirms Egregor ransomware attack, customer data theft
Egregor Maze

2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet

2021-07-09 ⋅ The Record ⋅ Catalin Cimpanu
Ransomwhere project wants to create a database of past ransomware payments
Egregor Mailto Maze REvil

2021-07-01 ⋅ DomainTools ⋅ Chad Anderson
The Most Prolific Ransomware Families: A Defenders Guide
REvil Conti Egregor Maze REvil

2021-06-16 ⋅ Proofpoint ⋅ Daniel Blackford, Garrett M. Graff, Selena Larson
The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker TA570 TA575 TA577

2021-05-18 ⋅ The Record ⋅ Catalin Cimpanu
Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide DarkSide Mailto Maze REvil Ryuk

2021-05-18 ⋅ Bleeping Computer ⋅ Ionut Ilascu
DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk

2021-05-10 ⋅ DarkTracer ⋅ DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX

2021-05-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Data leak marketplaces aim to take over the extortion economy
Babuk Maze

2021-05-06 ⋅ Cyborg Security ⋅ Brandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX

2021-04-27 ⋅ CrowdStrike ⋅ Eben Kaplan, Josh Dalman, Kamil Janton
Ransomware Preparedness: A Call to Action
Dharma GlobeImposter Maze Phobos CIRCUS SPIDER TRAVELING SPIDER

2021-04-07 ⋅ ANALYST1 ⋅ Jon DiMaggio
Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER

2021-04-07 ⋅ ANALYST1 ⋅ Jon DiMaggio
Ransom Mafia - Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER

2021-03-17 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker

2021-03-02 ⋅ CERT-FR ⋅ CERT-FR
The Egregor Ransomware
Egregor Maze Sekhmet

2021-03-01 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team

2021-02-25 ⋅ FireEye ⋅ Brendan McKeague, Bryce Abdo, Van Ta
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-11 ⋅ CTI LEAGUE ⋅ CTI LEAGUE
CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk

2021-02-04 ⋅ Chainanalysis ⋅ Chainalysis Team
Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains
DoppelPaymer Egregor Maze SunCrypt

2021-01-01 ⋅ Talos ⋅ Talos Incident Response
Evicting Maze
Cobalt Strike Maze

2021-01-01 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD VILLAGE
Maze TA2101

2020-12-16 ⋅ Accenture ⋅ Paul Mansfield
Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt

2020-12-14 ⋅ Medium Killbit ⋅ killbit
Applying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware
Maze

2020-12-10 ⋅ US-CERT ⋅ FBI, MS-ISAC, US-CERT
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus

2020-12-09 ⋅ Cisco ⋅ Caitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk

2020-12-08 ⋅ Sophos ⋅ Anand Aijan, Bill Kearney, Gabor Szappanos, Mark Loman, Peter Mackenzie, Sean Gallagher, Sergio Bestulic, Syed Shahram
Egregor ransomware: Maze’s heir apparent
Egregor Maze

2020-12-07 ⋅ Minerva Labs ⋅ Tom Roter
Egregor Ransomware - An In-Depth Analysis
Egregor Maze Sekhmet

2020-12-01 ⋅ Trend Micro ⋅ Ryan Flores
The Impact of Modern Ransomware on Manufacturing Networks
Maze Petya REvil

2020-11-18 ⋅ KELA ⋅ Victoria Kivilevich
Zooming into Darknet Threats Targeting Japanese Organizations
Conti DoppelPaymer Egregor LockBit Maze REvil Snake

2020-11-16 ⋅ Intel 471 ⋅ Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX

2020-11-11 ⋅ Kaspersky Labs ⋅ Dmitry Bestuzhev, Fedor Sinitsyn
Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”
Egregor Maze RagnarLocker

2020-11-06 ⋅ Telsy ⋅ Telsy Research Team
Malware Analysis Report: Trying not to walk in the dark woods. A way out of the Maze
Maze

2020-10-29 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Maze ransomware is shutting down its cybercrime operation
Egregor Maze

2020-10-28 ⋅ Bitdefender ⋅ Ruben Andrei Condor
A Decade of WMI Abuse – an Overview of Techniques in Modern Malware
sLoad Emotet Maze

2020-10-26 ⋅ Checkpoint ⋅ Eyal Itkin, Itay Cohen
Exploit Developer Spotlight: The Story of PlayBit
Dyre Maze PyLocky Ramnit REvil

2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt

2020-10-21 ⋅ Kaspersky Labs ⋅ Fedor Sinitsyn, Nikita Galimov, Vladimir Kuskov
Life of Maze ransomware
Maze

2020-10-06 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 2
Maze MedusaLocker REvil VIKING SPIDER

2020-10-01 ⋅ KELA ⋅ Victoria Kivilevich
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt

2020-09-29 ⋅ Microsoft ⋅ Microsoft
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot

2020-09-25 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER

2020-09-25 ⋅ StateScoop ⋅ Benjamin Freed
Baltimore ransomware attack was early attempt at data extortion, new report shows
Maze RobinHood OUTLAW SPIDER

2020-09-24 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER

2020-09-22 ⋅ Sophos SecOps ⋅ Greg Iddon
MTR Casebook: Blocking a $15 million Maze ransomware attack
Maze

2020-09-17 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Maze ransomware now encrypts via virtual machines to evade detection
Maze

2020-09-17 ⋅ SophosLabs Uncut ⋅ Andrew Brandt, Peter Mackenzie
Maze attackers adopt Ragnar Locker virtual machine technique
Maze

2020-09-01 ⋅ Cisco Talos ⋅ Caitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk

2020-08-25 ⋅ KELA ⋅ Victoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet

2020-08-20 ⋅ sensecy ⋅ cyberthreatinsider
Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk

2020-08-13 ⋅ SentinelOne ⋅ SentinelLabs
Case Study: Catching a Human-Operated Maze Ransomware Attack In Action
Maze

2020-08-04 ⋅ ZDNet ⋅ Catalin Cimpanu
Ransomware gang publishes tens of GBs of internal data from LG and Xerox
Maze

2020-08-01 ⋅ Temple University ⋅ CARE
Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor

2020-07-29 ⋅ ESET Research ⋅ welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor

2020-07-22 ⋅ SentinelOne ⋅ Jason Reaves, Joshua Platt
Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
ISFB Maze TrickBot Zloader

2020-07-15 ⋅ Mandiant ⋅ Corey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Nathan Brubaker
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake

2020-06-18 ⋅ Quick Heal ⋅ Preksha Saxena
Maze ransomware continues to be a threat to the consumers
Maze

2020-06-17 ⋅ Cognizant ⋅ Cognizant
Notice of Data Breach
Maze

2020-06-16 ⋅ BleepingComputer ⋅ Sergiu Gatlan
Chipmaker MaxLinear reports data breach after Maze Ransomware attack
Maze

2020-06-04 ⋅ Sophos Naked Security ⋅ Lisa Vaas
Nuclear missile contractor hacked in Maze ransomware attack
Maze

2020-05-21 ⋅ BrightTALK (FireEye) ⋅ Jeremy Kennelly, Kimberly Goody
Navigating MAZE: Analysis of a Rising Ransomware Threat
Maze

2020-05-12 ⋅ SophosLabs Uncut ⋅ Sophos
Maze ransomware: extorting victims for 1 year and counting
Maze

2020-05-07 ⋅ FireEye Inc ⋅ Jeremy Kennelly, Joshua Shilko, Kimberly Goody
Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents
Maze

2020-05-07 ⋅ REDTEAM.PL ⋅ Adam Ziaja
Sodinokibi / REvil ransomware
Maze MimiKatz REvil

2020-05-04 ⋅ Blueliv ⋅ Blueliv Team
Escape from the Maze
Maze

2020-05-01 ⋅ CrowdStrike ⋅ Shaun Hurley
The Many Paths Through Maze
Maze

2020-04-28 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood

2020-04-18 ⋅ Bleeping Computer ⋅ Lawrence Abrams
IT services giant Cognizant suffers Maze Ransomware cyber attack
Maze

2020-04-18 ⋅ Cognizant ⋅ Cognizant
Cognizant Security Incident Update
Maze

2020-03-26 ⋅ McAfee ⋅ Alexandre Mundo
Ransomware Maze
Maze

2020-03-26 ⋅ TechCrunch ⋅ Zack Whittaker
Cyber insurer Chubb had data stolen in Maze ransomware attack
Maze

2020-03-25 ⋅ Bitdefender ⋅ Bitdefender Team
A Technical Look into Maze Ransomware
Maze

2020-03-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Nemty REvil

2020-03-12 ⋅ Cyberbit ⋅ Dor Neemani, Hod Gavriel, Omer Fishel
Lost in the Maze
Maze

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-03-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Ransomware Attackers Use Your Cloud Backups Against You
DoppelPaymer Maze

2020-02-20 ⋅ McAfee ⋅ Christiaan Beek, Darren Fitzpatrick, Eamonn Ryan
CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II
Cobalt Strike LockerGoga Maze MegaCortex

2020-01-30 ⋅ ⋅ ZATAZ ⋅ Damien Bancal
Cyber attaque à l’encontre des serveurs de Bouygues Construction
Maze

2020-01-29 ⋅ ANSSI ⋅ ANSSI
État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam

2020-01-22 ⋅ Deloitte ⋅ Deloitte
Project Lurus
Maze

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
GOLD VILLAGE
Maze

2020-01-01 ⋅ Blackberry ⋅ Blackberry Research
State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP

2019-12-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Maze Ransomware Releases Files Stolen from City of Pensacola
Maze

2019-12-18 ⋅ Github (albertzsigovits) ⋅ Albert Zsigovits
Maze ransomware
Maze

2019-12-17 ⋅ Cisco ⋅ Dave Liebenberg, JJ Cummings
Incident Response lessons from recent Maze ransomware attacks
Maze

2019-12-16 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up
Maze

2019-12-11 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand
Maze

2019-11-21 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Allied Universal Breached by Maze Ransomware, Stolen Data Leaked
Maze

2019-11-14 ⋅ Proofpoint ⋅ Bryan Campbell, Proofpoint Threat Insight Team
TA2101 plays government imposter to distribute malware to German, Italian, and US organizations
Maze TA2101

2019-11-08 ⋅ Twitter (@certbund) ⋅ CERT-Bund
Tweet on Spam Mails containing MAZE
Maze

2019-10-18 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
Maze Ransomware Now Delivered by Spelevo Exploit Kit
Maze

2019-05-13 ⋅ ⋅ Amigo A
ChaCha Ransomware
Maze

2019-01-01 ⋅ CrowdStrike ⋅ CrowdStrike
Twisted Spider
Maze TA2101

Yara Rules

[TLP:WHITE] win_maze_auto (20241030 | Detects win.maze.)

rule win_maze_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.maze."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8945f0 c745f000000000 8b45f0 83c410 5e 5f 5b }
            // n = 7, score = 2400
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   83c410               | add                 esp, 0x10
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx

        $sequence_1 = { 83ec10 8b4510 8b4d0c 8b5508 837d0800 8945ec 894de8 }
            // n = 7, score = 2400
            //   83ec10               | sub                 esp, 0x10
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx

        $sequence_2 = { 53 57 56 83ec10 8b4510 8b4d0c }
            // n = 6, score = 2400
            //   53                   | push                ebx
            //   57                   | push                edi
            //   56                   | push                esi
            //   83ec10               | sub                 esp, 0x10
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_3 = { 8945ec 894de8 8955e4 7509 }
            // n = 4, score = 2400
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   8955e4               | mov                 dword ptr [ebp - 0x1c], edx
            //   7509                 | jne                 0xb

        $sequence_4 = { 8955e4 7509 c745f000000000 eb17 60 8b7d08 }
            // n = 6, score = 2400
            //   8955e4               | mov                 dword ptr [ebp - 0x1c], edx
            //   7509                 | jne                 0xb
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   eb17                 | jmp                 0x19
            //   60                   | pushal              
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]

        $sequence_5 = { 60 8b7d08 8b4d10 8b450c f3aa 61 8945f0 }
            // n = 7, score = 2400
            //   60                   | pushal              
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   61                   | popal               
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_6 = { 89c8 0fa4d10b c1f815 034c2418 130424 81e2ffff1f00 }
            // n = 6, score = 2300
            //   89c8                 | mov                 eax, ecx
            //   0fa4d10b             | shld                ecx, edx, 0xb
            //   c1f815               | sar                 eax, 0x15
            //   034c2418             | add                 ecx, dword ptr [esp + 0x18]
            //   130424               | adc                 eax, dword ptr [esp]
            //   81e2ffff1f00         | and                 edx, 0x1fffff

        $sequence_7 = { 89c8 0fa4f00e 0fa4ce17 31c6 }
            // n = 4, score = 2300
            //   89c8                 | mov                 eax, ecx
            //   0fa4f00e             | shld                eax, esi, 0xe
            //   0fa4ce17             | shld                esi, ecx, 0x17
            //   31c6                 | xor                 esi, eax

        $sequence_8 = { 41 41 41 41 41 41 41 }
            // n = 7, score = 1600
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx

        $sequence_9 = { 6afe ff35???????? ff35???????? 64a100000000 50 }
            // n = 5, score = 1400
            //   6afe                 | push                -2
            //   ff35????????         |                     
            //   ff35????????         |                     
            //   64a100000000         | mov                 eax, dword ptr fs:[0]
            //   50                   | push                eax

        $sequence_10 = { c745cc30114100 a1???????? 8d4dc8 33c1 }
            // n = 4, score = 100
            //   c745cc30114100       | mov                 dword ptr [ebp - 0x34], 0x411130
            //   a1????????           |                     
            //   8d4dc8               | lea                 ecx, [ebp - 0x38]
            //   33c1                 | xor                 eax, ecx

        $sequence_11 = { 8b840a40100000 c1e00a b904000000 6bd100 8b4d08 8b941140100000 }
            // n = 6, score = 100
            //   8b840a40100000       | mov                 eax, dword ptr [edx + ecx + 0x1040]
            //   c1e00a               | shl                 eax, 0xa
            //   b904000000           | mov                 ecx, 4
            //   6bd100               | imul                edx, ecx, 0
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b941140100000       | mov                 edx, dword ptr [ecx + edx + 0x1040]

        $sequence_12 = { 8d15c0654000 e8???????? 58 5a 5f 8b4dfc 33cd }
            // n = 7, score = 100
            //   8d15c0654000         | lea                 edx, [0x4065c0]
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   5a                   | pop                 edx
            //   5f                   | pop                 edi
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33cd                 | xor                 ecx, ebp

        $sequence_13 = { 89559c ba04000000 c1e203 8b4508 8a8c1000100000 }
            // n = 5, score = 100
            //   89559c               | mov                 dword ptr [ebp - 0x64], edx
            //   ba04000000           | mov                 edx, 4
            //   c1e203               | shl                 edx, 3
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8a8c1000100000       | mov                 cl, byte ptr [eax + edx + 0x1000]

        $sequence_14 = { 8b4d08 8b940140100000 c1ea10 889506feffff 0fb68507feffff 0fb68d06feffff 8b5508 }
            // n = 7, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b940140100000       | mov                 edx, dword ptr [ecx + eax + 0x1040]
            //   c1ea10               | shr                 edx, 0x10
            //   889506feffff         | mov                 byte ptr [ebp - 0x1fa], dl
            //   0fb68507feffff       | movzx               eax, byte ptr [ebp - 0x1f9]
            //   0fb68d06feffff       | movzx               ecx, byte ptr [ebp - 0x1fa]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_15 = { 8b0c88 8b4508 038c9000040000 898d80feffff 8b4dfc 8b5508 8b848a0c080000 }
            // n = 7, score = 100
            //   8b0c88               | mov                 ecx, dword ptr [eax + ecx*4]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   038c9000040000       | add                 ecx, dword ptr [eax + edx*4 + 0x400]
            //   898d80feffff         | mov                 dword ptr [ebp - 0x180], ecx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b848a0c080000       | mov                 eax, dword ptr [edx + ecx*4 + 0x80c]

        $sequence_16 = { 8b4d08 8b54813c c1e209 8b45fc 8b4d08 8b44813c }
            // n = 6, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b54813c             | mov                 edx, dword ptr [ecx + eax*4 + 0x3c]
            //   c1e209               | shl                 edx, 9
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b44813c             | mov                 eax, dword ptr [ecx + eax*4 + 0x3c]

        $sequence_17 = { 0bca 898dd0fdffff 8b85d8fdffff 3385d4fdffff 0385d0fdffff 8b4dfc }
            // n = 6, score = 100
            //   0bca                 | or                  ecx, edx
            //   898dd0fdffff         | mov                 dword ptr [ebp - 0x230], ecx
            //   8b85d8fdffff         | mov                 eax, dword ptr [ebp - 0x228]
            //   3385d4fdffff         | xor                 eax, dword ptr [ebp - 0x22c]
            //   0385d0fdffff         | add                 eax, dword ptr [ebp - 0x230]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

    condition:
        7 of them and filesize < 2318336
}

Download all Yara Rules

Maze Propose Change

References

Yara Rules

Maze