Factories have become a major target for malware attacks

In the third quarter, the industry was attacked by various hacker groups - including RTM and TinyScouts, as well as ransomware operators. For example, according to Positive Technologies, the operators of the Maze ransomware program conducted a successful attack on Hoa Sen Group, the largest manufacturer of steel sheets in Vietnam. During the attack, personal data of employees, internal correspondence and other confidential information were stolen.

"This year, the vast majority of criminal groups switched to working with encryption programs since attackers realized that they can earn no less than in the case of a successful attack on a Bank, and technical execution is much easier," explained Anastasiya Tikhonova, head of APT Research at Group-IB.

According to her, more groups and partner programs have joined the "big game hunt".

"The size of the ransom has also increased significantly: cryptolocker operators often ask for several million dollars, and sometimes even several tens of millions. For example, the OldGremlin group, consisting of Russian-speaking hackers, actively attacks exclusively Russian companies: banks, industrial enterprises, medical organizations and software developers," explained Tikhonova.

The expert believes that one of the weakest links in the information security chain is still a person. "There are examples when an operator of a large industrial enterprise got bored, wanted to listen to music, and plugged a 3G modem directly into the USB port of the SCADA control and monitoring system. And how many "trusted laptops" were there that employees brought from a business trip," concluded Tikhonova.

The expert believes that the danger of using Internet of Things (IoT) devices is that it is difficult even for advanced engineers to determine that a compromise has occurred. Target systems are assembled from a fairly large number of devices, and it is almost impossible to monitor and respond to possible security events and threats without additional solutions and human resources.

Cognizant Reveals Employees Data Compromised by Maze Ransomware


Cognizant, a leading IT services company, was hit by a Maze ransomware attack earlier this year, in April, that made headlines for its severity, with the company confirming a loss of $50-$70 million in revenue. In the wake of the ransomware attack, Cognizant issued an email advisory alerting its clients to be extra secure by disconnecting themselves for as long as the incident persists.

Cognizant is one of the leading global IT services companies, headquartered in New Jersey (US). It started in 1994 as a service provider to Dun & Bradstreet companies worldwide; later, in 1998, it became independent when D&B split into three and one group of companies came under Cognizant corporation. Since then, the company has grown by leaps and bounds, making a name for its consulting and operation services in the industry.

The threat actors involved carried out the attack sometime between 9 and 11 April. During these three days, while the company was facing service disruptions, the operators mined a considerable amount of unencrypted data, including credit card details, tax identification numbers, social security numbers, passport data, and driving license information of the employees.

While giving further insights into the security incident, Cognizant said in its SEC filing, “Based on the investigation to date, we believe the attack principally impacted certain of our systems and data.”

“The attack resulted in unauthorized access to certain data and caused significant disruption to our business. This included the disabling of some of our systems and disruption caused by our taking certain other internal systems and networks offline as a precautionary measure.”

“The attack compounded the challenges we face in enabling work-from-home arrangements during the COVID-19 pandemic and resulted in setbacks and delays to such efforts,” the filing read.

“The impact to clients and their responses to the security incident have varied,” the company added.

Conduent's European Operations Hit by Maze Ransomware, Data Stolen


Conduent, a business process outsourcing organization, has confirmed that its European operations were crippled by a ransomware attack on Friday. In an immediate response to the attack, the IT services giant was able to restore most of the affected systems within eight hours of the incident.

The security software company Emsisoft and the cybersecurity research and threat intelligence firm Bad Packets said there is a high probability that Conduent was attacked by Maze ransomware.

What is a Maze ransomware attack?

Maze is a sophisticated strain of Windows ransomware that not only encrypts individual systems but also proliferates across the whole network, infecting every computer on it. Typically, Maze attacks organizations around the globe and demands a ransom in cryptocurrency for the safe recovery of the data encrypted by the attackers.

It's the same variant of ransomware that attacked the IT services company Cognizant on April 18. Although the New Jersey-headquartered company chose not to share many details about the security incident, it said that its services were disrupted and internal security teams were taking active measures to contain the impact. Reportedly, some of the company's employees were locked out of the mail systems as a result of the attack.

In Conduent's case, the threat actors have posted online two zip files that appear to contain data regarding the company's services in Germany, as per the evaluations made by Emsisoft. The documents were published on a website that leaks data from Maze ransomware attacks.

The company's operations were disrupted around 12:45 AM CET on Friday, May 29th. By 10.00 AM CET that morning, the systems were restored and functional again. Meanwhile, the ransomware was identified by the systems and was later addressed by their cybersecurity protocols.

While commenting on the matter, Cognizant CFO Karen McLoughlin said, "While we have restored the majority of our services and we are moving quickly to complete the investigation, it is likely that costs related to the ransomware attack will continue to negatively impact our financial results beyond Q2."

As per the statements released by Conduent to confirm the attack that happened last week, “Conduent's European operations experienced a service interruption on Friday, May 29, 2020.”

"Our system identified ransomware, which was then addressed by our cybersecurity protocols. This interruption began at 12.45 AM CET on May 29th with systems mostly back in production again by 10.00 AM CET that morning, and all systems have since then been restored. This resulted in a partial interruption to the services that we provide to some clients. As our investigation continues, we have on-going internal and external security forensics and anti-virus teams reviewing and monitoring our European infrastructure"

However, Conduent did not answer questions regarding the loss of data or the research carried out by two cybersecurity companies indicating the same.

Ransomware evolving: Cybercriminals collaborating and auctioning data


Ransomware is fast becoming the most feared disease of the cyber-world. Having started with simple encryption of the victim's computer and files, it has now evolved to stealing and selling data. And it's not limited to just that: stolen data will now be auctioned off to the highest bidder if the ransom is not paid.


The Sodinokibi/REvil group recently launched its auction website from its own blog. Its debut was an auction of files retrieved (stolen) from a Canadian agriculture company whose ransom was not paid. The starting bid: $50,000 in Monero cryptocurrency.

These auction websites benefit the hackers in two ways: first by creating potential for monetization, and second by putting additional pressure on the victims to pay the ransom. Even governments and cybersecurity vendors spend millions on this kind of data, employing people to lurk on the dark web for sensitive data on the elite class. Now, they can buy it directly from these auction sites.

The REvil group was also rumored to sell files on pop singer Madonna which they hacked from entertainment law firm Grubman Shire Meiselas & Sacks.

Brett Callow, a threat analyst at Emsisoft says, “The auctions may be less about directly creating revenue than they are about upping the ante for future victims. Having their data published on an obscure site is bad enough, but the prospect of it being auctioned and sold to competitors or other criminal enterprises may chill companies to the bone and provide them with an additional incentive to meet the criminals’ demands.” 

He further thinks that soon other ransomware groups will follow REvil with their own auction schemes.

“REvil’s launch of [an] online auction was, in many ways, a logical and inevitable progression as ransomware groups constantly seek out new ways to monetize attacks and apply additional pressure to companies,” Callow said. “In the same way that other ransomware groups adopted [the Maze ransomware group’s] encrypt-and-exfiltrate strategy, it’s almost inevitable that other groups will also adopt REvil’s encrypt-exfiltrate-and-auction strategy.”

Joining Forces

Another tactic of these groups is joining forces: helping each other and increasing their threat value. The infamous Maze ransomware has partnered with LockBit (not many financial details have been shared), and it even published LockBit's stolen data on its own data leak website.

Maze also announced that they are in talks with another ransomware group and may collaborate with a third ransomware operation.

Maze Ransomware and its Various Campaigns Continue to Threaten the Cyber World


Ever since this year began, the Maze ransomware has been hitting headlines. Recently researchers discovered more samples of Maze in numerous industries making it one of the major threats for the cyber-world.

Another form of the "ChaCha" ransomware, Maze surfaced in mid-2019 and has been wreaking havoc ever since, across continents and on any organization it could get its hands on.

Per sources, Maze is most usually distributed by way of emails loaded with malicious Excel and Word attachments. But that’s not the only method of distribution.

According to reports, cyber-criminals also use an exploit kit named “Spelevo”. Sources mention that in previous cases it has been used to exploit Flash Player vulnerabilities, CVE-2018-15982 and CVE-2018-4878. Other exploits that Maze has abused include CVE-2018-8174 (Internet Explorer) and CVE-2018-1150 (Pulse VPN).

Maze ransomware initially tries to get a strong idea of the target device’s internal surroundings and begins to create a place for itself. Once that’s done, it tries to obtain user privileges to carry out lateral movement and kick-start file encryption across drives. But before the encryption, files are exfiltrated so that they can be used for future coercion in any way possible.

If the security system of a device isn’t equipped with the necessary protective measures, it could crash completely under the pressure of Maze ransomware. The infection could expose sensitive information and incapacitate operations, almost killing the company’s finances.

Per sources, Maze ransomware has shown its hold across industries like construction, education, energy, finance, government, healthcare, hospitality, law, life sciences, media and communications, pharma, technology, and telecommunications. McAfee, in March, made available a detailed report about the Maze ransomware.

According to a report, there’s an “Anti-Ransomware Protection module” which hunts ransomware related encryption-based activities. It allows users to keep track of the activities.

Per sources, Maze ransomware was lately spotted compromising several IT service providers. It also gained a foothold in another victim’s network via insecure Remote Desktop Protocol or by brute-forcing the local administrator account.

Cloud backups aren’t safe from Maze ransomware either, because they are widely tracked on the vulnerable networks. With the login credentials, all backed-up data could be sent to the threat actors via a server under their control.

The solution for any such occurrences is as repetitive as ever: stronger security mechanisms, better passwords (especially on systems with remote access) and, of course, heftier protection measures.



Maze Ransomware: What you need to know and How to protect from being hit by Maze!


Cognizant Technology Solutions Corp., an IT giant with 3000 employees, was recently hit by a strain of sophisticated Windows ransomware called Maze, which encrypted its systems and threatened to make its data public if the supposed ransom is not paid.


This particular malware is proving to be quite lethal and is making headlines every week with a new victim. It has spread disarray and chaos not only in the IT sector but also among other companies and firms that deal with sensitive user data. Maze, also known as “ChaCha Ransomware”, was first discovered in May 2019 and started attacking firms by encrypting files and blackmailing them with the threat of exposing their data to the public. It attacked Andrew Agencies in October, then the city of Pensacola, US insurance company Chubb, the leading cable manufacturer Southwire Company (America), Medical Diagnostic Laboratories (MDLabs), Manitoba Law Firm (Canada) and now Cognizant.

How is it more Different and Lethal than other Ransomware? 

Other malware encrypts files and demands a ransom, but what makes Maze more dangerous is that it both encrypts the system and steals the data, exporting it to the hackers, who threaten to release it on their own website (yes, they have a website where they publish their new victims and their data) if the ransom is not paid. It is thus not just a malware attack but a fusion of a ransomware attack and a data breach.

So previous tactics, such as keeping backups, restoring from them and running again, fail against Maze, as the attackers have your data and can use it maliciously.

How does it infect? 

This ransomware has been seen to use various ways to infect computers, such as emails, attachments, links, exploiting passwords, and even exploit kits like Fallout and Spelevo. After infiltrating the system, it uses two different ciphers (RSA + ChaCha20) to encrypt files. When a file is successfully encrypted, it appends a random extension of 6-7 characters (for example, “.rC0syGH”, “.DL1fZE”).
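The renaming behaviour described above gives defenders something to hunt for in a file listing. The following is an added example, not code from the original post: it flags directories where several ordinary documents have gained a trailing 6-7 character alphanumeric extension. The document-extension shortlist, the threshold and the sample listing (apart from the two extensions quoted in the post) are constructed assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Ordinary extensions a renamed file still carries underneath (assumed shortlist).
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".pdf", ".txt", ".csv", ".jpg", ".png"}
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{6,7}$")


def appended_random_ext(path):
    """Return the trailing extension if it looks randomly generated and was
    appended after an ordinary document extension, else None."""
    suffixes = PureWindowsPath(path).suffixes
    if len(suffixes) < 2:
        return None
    inner, outer = suffixes[-2].lower(), suffixes[-1]
    if inner not in DOCUMENT_EXTS or not RANDOM_EXT.match(outer):
        return None
    body = outer[1:]
    mixed_case = body.lower() != body and body.upper() != body
    has_digit = any(c.isdigit() for c in body)
    # Word-like suffixes (".backup", ".partial") are lowercase letters only,
    # so they fail both checks and are not reported.
    return outer if (mixed_case or has_digit) else None


def flag_directories(paths, threshold=3):
    """Group hits by parent directory and keep directories with at least
    `threshold` renamed files. Returns {directory: sorted extensions}."""
    hits = defaultdict(list)
    for p in paths:
        ext = appended_random_ext(p)
        if ext:
            hits[str(PureWindowsPath(p).parent)].append(ext)
    return {d: sorted(e) for d, e in hits.items() if len(e) >= threshold}


# Constructed listing: the first two extensions are the ones quoted in the
# post, the remaining names and extensions are made up for the example.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.rC0syGH",
    r"C:\Users\alice\Documents\contract.docx.DL1fZE",
    r"C:\Users\alice\Documents\scan.pdf.k9QwTz4",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\bob\Downloads\setup.pdf.partial",
    r"C:\Users\bob\Downloads\invoice.pdf.backup",
    r"C:\Users\bob\Downloads\photo.jpg.Zx81Qa",
]

if __name__ == "__main__":
    for directory, exts in flag_directories(SAMPLE_LISTING).items():
        print(f"{directory}: {len(exts)} files renamed -> {exts}")
```

A single hit is weak evidence on its own; the per-directory threshold is what separates a burst of renames from one oddly named file.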

How to protect from Maze Ransomware?

Though backups don’t do much against Maze, you should still deploy secure offsite backups, run up-to-date security measures and solutions, and train employees in setting strong passwords and identifying insecure and spam email attachments and files.

Most corporate environments run programs from AppData, and malware such as Maze, MedusaLocker and Sage exploits this by running its files from there. If software is instead installed under Program Files, only administrators can install or copy files, and since malware won’t have the license and permission, it won’t be able to run.

Even Chrome is installed into the user's AppData folder: when a user logs into a computer via AD, Chrome gets installed in that user's AppData folder. Similarly, Microsoft Teams installs its client in AppData\Local. Instead, they should be installed under Program Files, as that would require admin or user permissions; otherwise, both Chrome and Microsoft Teams make the system susceptible to malware.

Software like “Ransomware Defender”, which blocks and blacklists AppData, User Profiles and similar folders, provides strong protection against ransomware like Maze.
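The trade-off in blocking execution from AppData, given that Chrome and Teams install there per user, can be shown as a small policy check. This is an added example, not code from the original post or from “Ransomware Defender”: the event fields, the decision labels and the sample events are constructed, and the signer value is assumed to come from a verified code signature.

```python
import re

PROFILE = r"^[a-z]:\\users\\[^\\]+\\"
USER_PROFILE = re.compile(PROFILE, re.I)                    # includes AppData
PROGRAM_FILES = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I)

# Per-user install locations of the two applications the post names. A path
# alone is a weak exception because the user (and malware running as the
# user) can write there, so each exception also requires the expected signer.
PER_USER_APPS = [
    (re.compile(PROFILE + r"appdata\\local\\google\\chrome\\application\\chrome\.exe$",
                re.I), "Google LLC"),
    (re.compile(PROFILE + r"appdata\\local\\microsoft\\teams\\current\\teams\.exe$",
                re.I), "Microsoft Corporation"),
]


def decide(image, signer):
    """Return 'allow', 'block' or 'review' for one process-start event."""
    if PROGRAM_FILES.match(image):
        return "allow"              # only administrators can write here
    for pattern, publisher in PER_USER_APPS:
        if pattern.match(image):
            return "allow" if signer == publisher else "block"
    if USER_PROFILE.match(image):
        return "block"              # user-writable: AppData, Downloads, Temp
    return "review"                 # anything else needs a human decision


def evaluate(events):
    """Apply decide() to (image, signer) pairs, keeping the input order."""
    return [(image, decide(image, signer)) for image, signer in events]


# Constructed process-start events: (image path, verified signer or None).
SAMPLE_EVENTS = [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Google LLC"),
    (r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe", "Google LLC"),
    (r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "Microsoft Corporation"),
    (r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe", None),
    # Unsigned binary placed at the excepted Chrome path: still blocked.
    (r"C:\Users\bob\AppData\Local\Google\Chrome\Application\chrome.exe", None),
    (r"D:\tools\util.exe", None),
]

if __name__ == "__main__":
    for image, decision in evaluate(SAMPLE_EVENTS):
        print(f"{decision:7} {image}")
```

Installing such software machine-wide under Program Files, as the post recommends, removes the need for the per-user exceptions altogether.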

Windows users can install ‘Ransomware Defender’ - Download from here:
https://www.cysecurity.co/ransom-defender-for-windows/

Double Extortion- A Ransomware Tactic That Leaves The Victims With No Choice!


In addition to all the reasons ransomware was already dangerous and coercive, there’s another one that recent operators are employing to scare the wits out of their targets.

Cyber-criminals now threaten to publish their victims' stolen data if the ransom isn’t paid or any other conditions aren’t met.

The tactic in question is referred to as “Double Extortion”, and quite aptly so. Per sources, it emerged in the latter half of 2019, apparently in use by the Sodinokibi, DopplePaymer and Clop ransomware families.

Double extortion is all about doubling the malicious impact a normal ransomware attack could create. So the cyber-criminals try and stack up all sorts of pressure on the victims in the form of leaked information on the dark web, etc.

They just want to make sure that the victims are left with no other option but to pay the ransom and meet all the conditions of the attack, no matter how outrageous they are.

The pattern of Double Extortion was tracked after a well-known security staffing company from America experienced the “Maze ransomware” attack and didn’t pay up the 300 Bitcoin, which totaled up to $2.3 Million, even after being threatened that its stolen email data and domain name certificates would be used for impersonating the company!

Per sources, the threats weren’t without proof. The attackers released 700 MB of data, which allegedly was only 10% of what they had wrested from the company! And what’s more, they HIKED the ransom demand by 50%!

According to sources, the Maze ransomware group has a website especially fabricated to release data of the disobliging organizations and parties that don’t accept their highly interesting “deals” in exchange for the data.

Reportedly, data ranging from extra sensitive to moderately confidential, belonging to dozens of companies and firms from all industries, has found its way to the Maze ransomware website.

Clearly impressed by it many other operators of similar intentions opened up their own versions of the above-mentioned website to carry forward their “business” of threatening companies for digital currency and whatnot! They sure seem to have a good sense of humor because per sources the blog names are the likes of “Happy Blog”.

Per reports, the Sodinokibi ransomware operators threatened to leak a complete database from the global currency exchange Travelex. The company had to pay $2.3 Million worth of Bitcoin to get the attackers to bring the company back online.


Per reports of the researchers, the attackers would always release some kind of proof that they have the extremely valuable data of the company, before publishing it, to give the company a fair chance at paying up the ransom demanded.

Usually, these attacks are a win-win for the attackers and a “lose-lose” for the victims. If the victims decide not to pay, they put their company in a very dangerous situation, with all the valuable data exposed online for anyone to exploit; they would have to report the breach and pay a considerably high fine to the data privacy regulator. And if they pay up, they lose a giant pile of money! Sadly, the latter feels like the better option.

Hospitals happen to be the organizations most vulnerable to these attacks, because of all the sensitive health-related data their databases are packed with on any ordinary day, and additionally due to the Coronavirus outbreak.

Organizations could always follow the most widely adopted multi-layered security measures for keeping their data safe, including updating systems, keeping backups and protecting data in any way they possibly can.

The most conscientious gangs of the many ransomware families, per sources, have promised to not attack hospitals amidst this pandemic. But that doesn’t stop the other mal-actors from employing cyber-attacks.

The cyber-crime forecasters have mentioned that the year 2020 would be quite a difficult year for these organizations what with the lock-down and no easier (malicious) way to earn money, apparently? Food for thought!


Law Firms in Manitoba at a virtual standstill after being attacked by Maze ransomware!


Two law firms of the Manitoba Law Society have been hit by ransomware named Maze, which locked up their whole systems and even their cloud backups, with a large ransom demanded.

“At this point, we do not know when or if they will ever regain complete access to their kidnapped data,” the Law Society of Manitoba said in a statement.

The law firms have been asked to pay "an enormous ransom" (exact numbers not specified by the firms) if they want their data and systems back, but for a law firm the greatest danger lies in unlawful access to the sensitive data of hundreds of cases. The Maze ransomware is known for finding sensitive data and using it to blackmail its victims by threatening to release it to the public, and for a law firm that could lead to grave consequences for its clients.

Though they are not exactly sure how the computer system was infected by the malware, the firm suspects it was one of the employees that clicked on a link that downloaded the malicious file.

 "It is suspected that someone clicked on a link or an attachment in an email that was infected with a virus which in turn infected the firms' entire systems," read a notice on the society's website.

Kristin Dangerfield, the chief executive officer of the Law Society of Manitoba, says that this isn't the first time they have been attacked, but coming down with a problem like this during the COVID-19 lock-down creates considerable difficulty in resolving the attack. "At any time this would be a challenge, but in this environment, even more so," Dangerfield said.

She neither named the attacked firms nor said whether they would pay the ransom. "It would be inappropriate for us to do that and we expect the firms to notify their clients directly," Dangerfield said.

These types of attacks are quite common against law firms, as they hold important and sensitive client data that could be devastating if released in public. It's better to invest in proper security measures and employee training to protect that data than to spend on finding solutions later.