Oct 28 2020

Maze Ransomware Is an Election Night Threat

Maze is an emerging, pernicious type of cyberattack that could create election chaos if state and local governments don’t take steps to shore up their defenses.

Imagine it: It’s election night, and the results are starting to trickle in. Then, just as the electoral picture is beginning to come into focus, large voting precincts in critical swing states begin to experience problems. Voter registration databases are inaccessible to election officials, and even the websites where results are posted come crashing down.

The culprit? It’s ransomware — specifically Maze ransomware.

This is a nightmare scenario, but one that Chase Cunningham, principal analyst and vice president serving security and risk professionals for Forrester, says could really happen…

“I think there should be a whole lot more worry about it,” says Cunningham. “I think we’re going to see a ransomware event in a major district, and it’s going to cause civil unrest. Of all the things that concern me about the election cycle, that is the one that keeps me awake at night.”

Maze ransomware, a new type of threat discovered in 2019, is a major point of concern. Here’s what state, county and local officials need to know about the threat, why voting systems are particularly vulnerable and what can be done to protect their systems before Nov. 3.

What Is Maze Ransomware?

Previously known to the cybersecurity community as “ChaCha,” Maze ransomware has become one of the most widespread types of ransomware, making it a top threat to organizations in virtually all sectors, including state and local government. According to Security Intelligence, Maze made up 12 percent of ransomware attacks observed in the first half of 2020.

Like all ransomware, Maze encrypts organizations’ files, with attackers going on to demand a ransom to recover the files from the infected systems. However, the distinctive characteristic of Maze is that attackers also threaten to publicly release an organization’s data via the internet if the victim doesn’t pay the ransom.

This makes Maze much more of a threat to many organizations, Cunningham says, since many have backup systems in place to restore their data.

“A lot of folks have gotten to the stage where they’re willing to live with ransomware infection,” he says, “but the moment they realize their sensitive data is going to go public, that becomes a much more concerning scenario. You pay one way or the other. You either pay to get your data back, or they take your most juicy information and put it on the internet.”

EXPLORE: How have states beefed up their election security efforts in the weeks before the election?

How Does Maze Ransomware Work?

Cybersecurity firm McAfee calls Maze “a complex piece of malware that uses some tricks to frustrate analysis right from the beginning.” The malware prepares some functions that appear to save memory addresses in global variables for later use, although Maze does not actually end up using these functions, McAfee notes. It’s still unclear whether these functions are residual code from the malware or simply a trick to mislead researchers.

Cunningham notes that Maze utilizes exploits or vulnerabilities that were known as early as 2018. “The way Maze works, it uses these exploits and looks for the vulnerabilities in an end user’s machine, tunnels into the network, finds more and more machines to infect, and becomes a self-propagating infection,” he says.

As with all ransomware, Maze has a number of common entry points, including phishing emails that trick users into clicking on malicious links. Cunningham notes that many organizations have been particularly vulnerable to this type of attack vector in 2020, since so many people are working from home.

“There are more people outside the bounds of the security perimeter, and the bad guys can go after more targets,” he says.

Voter Registration Databases Are a Target for Maze Ransomware

Much voter registration information is already public, meaning a release of this data isn’t much of a threat. Voter registration databases do typically contain confidential information — such as Social Security numbers — that election officials need to protect.

Still, Cunningham says, nefarious actors who use ransomware to attack registration databases are less likely to be motivated by a financial windfall and more likely to simply sow chaos. Because Maze is one of the most common types of ransomware, state and local officials need to be wary of its potential impact on elections.

Also, many voter files are hosted on Microsoft SQL Server or Oracle database software, and many end-user devices still run on operating systems that are no longer supported by their manufacturers. Additionally, state and local agencies often use remote access software programs that have been found to be vulnerable to ransomware threats.

READ MORE: Find out how mail-in voting is being secured.

What Government Should Know About Maze Ransomware Attacks

In a 2020 report on Maze ransomware, security firm Sophos advises organizations to keep up with their patching, watch their logs for suspicious activity, close any vulnerabilities related to remote management, install anti-ransomware tools and set up an email address to which staffers can forward suspicious messages they receive.

Similarly, Cunningham stresses good cyber hygiene for beating back Maze ransomware attacks.

“If you look at the things that make an organization vulnerable to ransomware — shared network connections, shared files, overly excessive access — those are mostly things you could solve with really good cyber hygiene,” he says. “That’s not to say you won’t get an infection. But it won’t be an infection that proliferates across the entire infrastructure.”

DIVE DEEP: How is CISA helping states with election security?

bestdesigns/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT