It’s been a year since the Maze ransomware gang began its rise to notoriety.

When these are not found, the malware tries moving laterally in the same network segment using LLMNR/NBT-NS poisoning to capture network packets for later NTLM cracking and/or NTLM relay attacks.
Sophos releases analysis on Maze ransomware
Adelle Geronimo, September 20, 2020

Sophos has published a report, “Maze Attackers Adopt Ragnar Locker Virtual Machine Technique,” which shows how attackers tried three different ways to execute Maze ransomware during a single attack while demanding a $15 million ransom.

You can find another great talk on this subject by the BloodHound team at SpecterOps, delivered last year at BlackHat.

Immediately following the exfiltration of sensitive data, the actors began deployment of MAZE ransomware to hosts across the network.

Both the wallpaper and the voice message are stored in text form within the binary.

Ransomware-Maze, February 18, 2020: McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent malware.

But the main platform used to promote the Maze brand is the Maze team’s websites—one specifically for its victims, and another to communicate with the world at large (and encourage victims publicly to pay up).

At this point, the attacker can easily compromise any machine in the network. It can be an open RDP server or a Citrix/VPN server.

start wmic /node:"
And in March, the Maze team announced that it would stop attacks on medical organizations until the COVID-19 pandemic “stabilizes.”
As with most ransomware, it deletes shadow copies with the Windows Management Instrumentation command-line utility WMIC.exe.

taskkill /im rnav.exe /f }

In addition to using the IsDebuggerPresent API and the PEB.BeingDebugged flag check, the Maze main binary contains hardcoded hashes of the names of known analysis processes, including procmon.exe, procmon64.exe, x32dbg.exe, x64dbg.exe, ollydbg.exe, procexp.exe, and procexp64.exe.