
Introduction

One of the recurring themes in cybersecurity echoes a well-worn motto: “the only thing
constant is change.” Ransomware is no exception to this rule, and nothing demonstrates it
better than the new types of ransomware that are redefining what this category of malware
is capable of. Attackers leverage these new ransomware types to push their attacks further,
with devastating results.
This article will go into detail about the Maze ransomware and will explore what Maze is,
how Maze is different from other types of ransomware and how Maze works. It will also
highlight some real-world examples of this malware in the wild. Those researching
malware will find this article to be the go-to guide to Maze that they’re searching for.
What is Maze?
Maze, also known as ChaCha, is ransomware that was first observed in May 2019. At
first, Maze was a rather unremarkable instance of ransomware that was involved in
extortion campaigns. Beginning around October of 2019, Maze became more aggressive
and more public. 
Going a step beyond nearly any malware ever seen, in November of 2019 Maze began
publicly outing their campaign victims by posting the names of the companies that have
not complied with their ransom demands. Attack campaigns employing Maze typically
pose as legitimate government agencies and security vendors to steal and encrypt data
to then attempt to extort the data owner. 
Maze is used as a part of a multi-pronged cyberattack. Generally speaking, Maze is
observed appearing in the second or third step of these campaigns and is less likely to
be used as an initial access technique. 
What makes Maze different from other ransomware?
If one thing can be said about cyberattacks over the last five years or so, it is that
ransomware has moved to the forefront. It ramped up in frequency during 2016, and you
would be hard-pressed to read the news without hearing of some bold ransomware campaign
bringing a targeted company to its proverbial knees.
With this said, another glaring observation is the seeming one-dimensional nature of
ransomware attacks. Until now, most ransomware attacks have only encrypted data
local to the victim’s targeted environment. While this can indeed be a scourge for
organizations that are not the most information security-savvy, it should be noted that
many ransomware victims have been successful in decrypting their data without giving
in to the attack group’s ransom demands. 
Maze’s functionality far exceeds this traditional ransomware approach by using a 1-2-3
combination of:
1. Encrypt
2. Exfiltrate
3. Extort
When comparing Maze to most other ransomware, the clear difference is its ability to both
exfiltrate the encrypted data and extort the victim. The end result is the ability to hit
victims with what has been described as a ransomware “double whammy”: whereas most
ransomware merely encrypts local victim data, Maze can apply more pressure to victims by
threatening to leak sensitive data.
This threat should be taken seriously, as Trend Micro researchers have noted that attack
groups using Maze have made good on it and indeed released sensitive victim information to
the public via “name and shame” websites. In mid-December of 2019, this leaking entailed
posting documents and raw databases belonging to noncompliant victims.
How does Maze work?
“Work” is a bit subjective here, as different malware types do different things, depending
on the code that tells them what to do. Since ransomware only needs to gain entry to a
system in order to work, gaining that entry is far more than the proverbial “half the
battle” and more like the battle itself.
Unlike other ransomware that typically uses social engineering and spam email
campaigns to gain entry to a targeted system, Maze uses exploit kits via drive-by
downloads. As you know, exploit kits are a compilation of known software vulnerabilities
that, taken as a whole, serve as an all-in-one exploit tool kit. 
Don’t get me wrong here: I know that exploit kits are not new in any sense. However, in
the realm of ransomware, exploit kits are unheard of aside from Maze.
One of the exploit kits Maze uses is called Fallout, which uses various exploits found on
GitHub. One of these vulnerabilities is a Flash Player exploit, CVE-2018-15982. Fallout is
a relatively new exploit kit that uses PowerShell instead of the web browser to run its
payload. Maze has also been observed using Spelevo, another exploit kit.
Real-world examples of Maze
Although relatively new, there are quite a few real-world examples of Maze worth
mentioning. Below are two notable ones.
Southwire
This Georgia-based wire and cable manufacturer was attacked by Maze in December 2019.
After five days of the victim not complying with the $6 million ransom, the Maze attack
group published the data that it had encrypted and stolen. Maze was used to steal 120GB of
data from Southwire and to encrypt 878 devices.
City of Pensacola, Florida
December was a busy month for the Maze attack group. One of its largest campaigns, in
terms of scale and, ultimately, effect, was against the city of Pensacola, Florida. Maze
claimed to have compromised the city’s finance, treasury, executive, risk management,
legal, housing and human resources departments.
For some unknown reason, the Maze group did not make good on its threat to publish
sensitive information, and instead posted a list of the leaked data and affected hosts to
serve as proof of the attack. This is beyond uncommon for a ransomware attack.

Conclusion
Ransomware has been around for a few years now, and we are starting to see instances of
this type of malware that break the mold and forge a new direction. Maze differs from
other ransomware in many significant ways, from its capabilities to the heart of the
ransomware attack itself: gaining entry.
It will be interesting to see whether other ransomware begins to use exploit kits as
infection vectors like Maze, or whether this practice remains the exception to the rule.
 
