What Is Maze Ransomware?
Previously known to the cybersecurity community as “ChaCha,” Maze ransomware has become one of the most widespread types of ransomware, making it a top threat to organizations in virtually all sectors, including state and local government. According to Security Intelligence, Maze made up 12 percent of ransomware attacks observed in the first half of 2020.
Like all ransomware, Maze encrypts organizations’ files, with attackers going on to demand a ransom to recover the files from the infected systems. However, the distinctive characteristic of Maze is that attackers also threaten to publicly release an organization’s data via the internet if the victim doesn’t pay the ransom.
This makes Maze much more of a threat to many organizations, Cunningham says, since many have backup systems in place to restore their data.
“A lot of folks have gotten to the stage where they’re willing to live with ransomware infection,” he says, “but the moment they realize their sensitive data is going to go public, that becomes a much more concerning scenario. You pay one way or the other. You either pay to get your data back, or they take your most juicy information and put it on the internet.”
EXPLORE: How have states beefed up their election security efforts in the weeks before the election?
How Does Maze Ransomware Work?
Cybersecurity firm McAfee calls Maze “a complex piece of malware that uses some tricks to frustrate analysis right from the beginning.” The malware prepares some functions that appear to save memory addresses in global variables for later use, although Maze does not actually end up using these functions, McAfee notes. It’s still unclear whether these functions are residual code from the malware or simply a trick to mislead researchers.
Cunningham notes that Maze utilizes exploits or vulnerabilities that were known as early as 2018. “The way Maze works, it uses these exploits and looks for the vulnerabilities in an end user’s machine, tunnels into the network, finds more and more machines to infect, and becomes a self-propagating infection,” he says.
As with all ransomware, Maze has a number of common entry points, including phishing emails that trick users into clicking on malicious links. Cunningham notes that many organizations have been particularly vulnerable to this type of attack vector in 2020, since so many people are working from home.
“There are more people outside the bounds of the security perimeter, and the bad guys can go after more targets,” he says.