{"id":2358,"date":"2020-04-19T16:40:18","date_gmt":"2020-04-19T16:40:18","guid":{"rendered":"https:\/\/www.varutra.com\/blog\/?p=2276"},"modified":"2022-12-02T15:14:49","modified_gmt":"2022-12-02T09:44:49","slug":"organizations-hit-by-maze-ransomware-attack","status":"publish","type":"post","link":"https:\/\/www.varutra.com\/varutravrt3\/organizations-hit-by-maze-ransomware-attack\/","title":{"rendered":"Organizations Hit by Maze Ransomware Attack !!"},"content":{"rendered":"

<\/p>\n

Introduction to Maze Ransomware –<\/strong><\/h3>\n

Maze ransomware is also known as ChaCha<\/strong>, is a ransomware that had been first discovered in the month of May 2019<\/strong>. Maze ransomware attack is a sophisticated attack and is deemed to be an multi staged cyber attack.<\/p>\n

The major goal of this ransomware attack is to encrypt all files present on the targeted system belonging to the victim’s organization and later demand ransom to recover the files.<\/p>\n

 <\/p>\n

Exploitation Techniques –<\/strong><\/h3>\n

Unlike rest of the ransomware attacks that typically uses social engineering and spam email campaigns to gain entry to a targeted system,\u00a0Maze ransomware attack uses exploit kits via drive-by downloads.<\/p>\n

An exploit kit or exploit pack is a type of toolkit cyber criminals use to attack vulnerabilities in systems so they can distribute malware or perform further malicious activities.<\/em><\/p>\n

Fallout<\/strong> is one of the exploit-kits used by Maze ransomware, that uses various exploits found on GitHub. Exploit kits\u00a0use PowerShell commands instead of the web browser to run its payload.<\/p>\n

Maze ransomware has been involved in spam emails sent by the Maze attack group by impersonating government websites. These attackers have emailed malicious Microsoft Word attachments to victims with macros embedded which if executed, executes a PowerShell script that downloads “Cobalt Strike<\/strong>” which is a penetration testing tool that has been repurposed by the attackers.<\/p>\n

 <\/p>\n

Attack in Action –<\/strong><\/h3>\n

Maze ransomware attack key generation and file encryption process is depicted below –<\/p>\n

\"Bitdefender<\/p>\n

Image Source: Bitdefender – A Technical Look into Maze Ransomware<\/em><\/p>\n

Post the malware finishes encrypting the files, it changes the desktop wallpaper to the image as shown below \u2013<\/p>\n

\"\"<\/p>\n

Image Source: McAfee.com Blogs – Maze Ransomware<\/em><\/p>\n

Recently,\u00a0one of the largest tech giant and consulting company, has confirmed that it was hit by a Maze ransomware attack. The security incident involved breach to the organization\u2019s internal systems which caused service disruptions for some of their clients.<\/p>\n

The attackers gained administrator credentials on the internal corporate network; they then deployed the ransomware using tools like PowerShell Empire. Before deploying the ransomware, the Maze operators had stolen unencrypted files before encrypting them.<\/p>\n

 <\/p>\n

Recommendations To Avoid Maze Ransomware <\/em>\u2013<\/strong><\/h3>\n
    \n
  1. Network administrators are advised to block the IOC’s as mentioned in the “IOC\u2019s” section of this blog.<\/li>\n
  2. Network administrators should consider disabling PowerShell execution or reduce the capabilities by using AppLocker or Windows Software Restriction Policy (SRP) (as applicable).<\/li>\n
  3. Organizations should educate employees in the organization to not to download any files from suspicious sources or click on suspicious links.<\/li>\n
  4. Organizations should keep and maintain a reliable and tested backup of data which can be restored in case of an emergency.<\/li>\n
  5. Security administrators should ensure encryption of sensitive files and data on all servers and systems.<\/li>\n
  6. Employees and users should exercise caution while visiting unknown links or webpages.<\/li>\n
  7. Keep AV signatures as well as the operating system and 3rd party application patches up-to-date.<\/li>\n<\/ol>\n

     <\/p>\n

    Indicators of Compromise (IOC’s) [22nd April 2020] \u2013<\/strong><\/h3>\n

    Hash Values (SHA256) \u2013<\/strong>
    \n04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e
    \n067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b
    \n1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78
    \n153defee225de889d2ac66605f391f4aeaa8b867b4093c686941e64d0d245a57
    \n195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9
    \n30b72e83d66cbe9e724c8e2b21179aecd4bcf68b2ec7895616807df380afab54
    \n33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502
    \n4080402553e9a86e954c1d9b7d0bb059786f52aba4a179a5d00e219500c8f43d
    \n4218214f32f946a02b7a7bebe3059af3dd87bcd130c0469aeb21b58299e2ef9a
    \n5603a16cbf81d183d3ff4ffea5477af1a4be01321865f0978c0e128051ec0a82
    \n58fe9776f33628fd965d1bcc442ec8dc5bfae0c648dcaec400f6090633484806
    \n5c9b7224ffd2029b6ce7b82ea40d63b9d4e4f502169bc91de88b4ea577f52353
    \n6878f7bd90434ac5a76ac2208a5198ce1a60ae20e8505fc110bd8e42b3657d13
    \n6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af
    \n822a264191230f753546407a823c6993e1a83a83a75fa36071a874318893afb8
    \n83f8ce81f71d6f0b1ddc6b4f3add7a5deef8367a29f59b564c9539d6653d1279
    \n877c439da147bab8e2c32f03814e3973c22cbcd112d35bc2735b803ac9113da1
    \n91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1
    \n9751ae55b105ad8ffe6fc5dc7aea60ad723b6df67a959aa2ea6f4fa640d20a71
    \n9845f553ae868cd3f8d8c3f8684d18f226de005ee6b52ad88b353228b788cf73
    \n9ad15385f04a6d8dd58b4390e32d876070e339eee6b8da586852d7467514d1b1
    \n9be70b7fe15cd64aed5b1adc88c2d5270bce534d167c4a42d143ae0059c3da1c
    \nb30bb0f35a904f67d3ac0082c59770836cc415dc5b7225be04e8d7c79bde73be
    \nc040defb9c90074b489857f328d3e0040ac0ddab26cde132f17cccae7f1309cc
    \nc11b964916457579a268a36e825857866680baf1830cd6e2d26d4e1e24dec91b
    \nc84b2c7ec20dd835ece13d5ae42b30e02a9e67cc13c831ae81d85b49518387b9
    \nea19736c8e89e871974aabdc0d52ad0f0948159d4cf41d2889f49448cbe5e705
    \necd04ebbb3df053ce4efa2b73912fd4d086d1720f9b410235ee9c1e529ea52a2
    \nF491fb72f106e879021b0bb1149c4678fb380c255d2ef11ac4e0897378793f49<\/p>\n

     <\/p>\n

    Indicators of Compromise (IOC’s) [19th April 2020] \u2013<\/strong><\/p>\n

    IP Addresses \u2013<\/strong>
    \n91[.]218[.]114[.]11
    \n91[.]218[.]114[.]25
    \n91[.]218[.]114[.]26
    \n91[.]218[.]114[.]31
    \n91[.]218[.]114[.]32
    \n91[.]218[.]114[.]37
    \n91[.]218[.]114[.]38
    \n91[.]218[.]114[.]4
    \n91[.]218[.]114[.]77
    \n91[.]218[.]114[.]79
    \n92[.]63[.]11[.]151
    \n92[.]63[.]32[.]2
    \n92[.]63[.]15[.]56
    \n92[.]63[.]17[.]245
    \n92[.]63[.]194[.]20
    \n92[.]63[.]29[.]137
    \n92[.]63[.]32[.]57
    \n92[.]63[.]15[.]8
    \n92[.]63[.]32[.]55
    \n92[.]63[.]32[.]52
    \n92[.]63[.]194[.]3
    \n92[.]63[.]15[.]6
    \n92[.]63[.]8[.]47
    \n92[.]63[.]37[.]100<\/p>\n

    URLs \u2013<\/strong>
    \nantowortensienicht@bzst-infomieren[.]icu
    \ninfo@agenziaentrate[.]icu
    \nantwortensienicht@bzstinform[.]icu
    \nuspsdelivery-service[.]com
    \nhxxp:\/\/198[.]50[.]168[.]67\/wordpack[.]tmp
    \nhxxp:\/\/conbase[.]top\/sys[.]bat
    \nhxxp:\/\/104[.]168[.]198[.]208\/wordupd[.]tmp
    \nhxxp:\/\/104[.]168[.]215[.]54\/wordupd[.]tmp
    \nhxxp:\/\/104[.]168[.]174[.]32\/wordupd_3.0.1[.]tmp
    \nhxxp:\/\/192[.]119[.]68[.]225\/wordupd1[.]tmp
    \nhxxp:\/\/108[.]174[.]199[.]10\/wordupd3[.]tmp
    \nhxxp:\/\/54[.]39[.]233[.]175\/wupd19823[.]tmp
    \nhxxp:\/\/54[.]39[.]233[.]131\/word1[.]tmp
    \nhxxp:\/\/104[.]168[.]198[.]230\/wordupd[.]tmp
    \nhxxp:\/\/92[.]63[.]17[.]245
    \nhxxp:\/\/92[.]63[.]37[.]100
    \nhxxp:\/\/92[.]63[.]29[.]137
    \nhxxp:\/\/92[.]63[.]8[.]47
    \nhxxp:\/\/92[.]63[.]194[.]3
    \nhxxp:\/\/92[.]63[.]11[.]151
    \nhxxp:\/\/92[.]63[.]32[.]57
    \nhxxp:\/\/92[.]63[.]15[.]8
    \nhxxp:\/\/92[.]63[.]32[.]55
    \nhxxp:\/\/92[.]63[.]194[.]20
    \nhxxp:\/\/92[.]63[.]15[.]6
    \nhxxp:\/\/92[.]63[.]32[.]52
    \nhxxp:\/\/92[.]63[.]15[.]56
    \nhxxp:\/\/92[.]63[.]32[.]2<\/p>\n

    Hash Values (SHA256) \u2013<\/strong>
    \n44991186a56b0d86581f2b9cc915e3af426a322d5c4f43a984e6ea38b81b7bed
    \ncfd8e3a47036c4eeeb318117c0c23e126aea95d1774dae37d5b6c3de02bdfc2a
    \n9f2139cc7c3fad7f133c26015ed3310981de26d7f1481355806f430f9c97e639
    \n5f1e512d9ab9b915b1fc925f546ed559cbfa49df53229e2f954a1416cf6f5ee4
    \n97043f23defd510607ff43201bb03b9916a23bd71b5bdf97db357e5026732506
    \nd617fd4b2d0824e1a7eb9693c6ec6e71447d501d24653a8e99face12136491a8
    \n7e3ab96d2628e0a9970802b47d0356dc9b99994d7f98492d4e70a5384891695a
    \ndee863ffa251717b8e56a96e2f9f0b41b09897d3c7cb2e8159fcb0ac0783611b
    \nb345697c16f84d3775924dc17847fa3ff61579ee793a95248e9c4964da586dd1
    \n5a900fd26a4ece38de5ca319b5893f96c7e9e2450dbac796c12f85b99238ec18
    \ne8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684<\/p>\n

    Associated Filenames \u2013<\/strong>
    \nDECRYPT-FILES[.]html
    \n%ProgramData%\\foo[.]dat<\/p>\n

    Associated Email Addresses \u2013<\/strong>
    \nfiledecryptor[@]nuke[.]africa<\/p>\n

     <\/p>\n

    Indicators of Compromise (IOC’s) [25th November 2019] \u2013<\/strong><\/h3>\n

    Hash Values (SHA256) \u2013<\/strong>
    \n44991186a56b0d86581f2b9cc915e3af426a322d5c4f43a984e6ea38b81b7bed
    \ncfd8e3a47036c4eeeb318117c0c23e126aea95d1774dae37d5b6c3de02bdfc2a
    \n9f2139cc7c3fad7f133c26015ed3310981de26d7f1481355806f430f9c97e639
    \n5f1e512d9ab9b915b1fc925f546ed559cbfa49df53229e2f954a1416cf6f5ee4
    \n97043f23defd510607ff43201bb03b9916a23bd71b5bdf97db357e5026732506
    \nd617fd4b2d0824e1a7eb9693c6ec6e71447d501d24653a8e99face12136491a8
    \n7e3ab96d2628e0a9970802b47d0356dc9b99994d7f98492d4e70a5384891695a<\/p>\n

    Associated Email Addresses<\/strong> \u2013<\/strong><\/p>\n

    antowortensienicht@bzst-infomieren[.]icu
    \ninfo@agenziaentrate[.]icu
    \nantwortensienicht@bzstinform[.]icu<\/p>\n

    Domains<\/strong> \u2013<\/strong><\/p>\n

    uspsdelivery-service[.]com
    \nhxxp:\/\/198[.]50[.]168[.]67\/wordpack[.]tmp
    \nhxxp:\/\/conbase[.]top\/sys[.]bat
    \nhxxp:\/\/104[.]168[.]198[.]208\/wordupd[.]tmp
    \nhxxp:\/\/104[.]168[.]215[.]54\/wordupd[.]tmp
    \nhxxp:\/\/104[.]168[.]174[.]32\/wordupd_3.0.1[.]tmp
    \nhxxp:\/\/192[.]119[.]68[.]225\/wordupd1[.]tmp
    \nhxxp:\/\/108[.]174[.]199[.]10\/wordupd3[.]tmp
    \nhxxp:\/\/54[.]39[.]233[.]175\/wupd19823[.]tmp
    \nhxxp:\/\/54[.]39[.]233[.]131\/word1[.]tmp
    \nhxxp:\/\/104[.]168[.]198[.]230\/wordupd[.]tmp<\/p>\n

     <\/p>\n

    References \u2013<\/strong><\/p>\n