Maze ransomware both encrypts and steals confidential data, putting even more pressure on its victims to pay the ransom.
Maze is a strain of ransomware* that has been impacting organizations since 2019. Although one main group created Maze, multiple attackers have used Maze for extortion purposes.
In addition to encrypting data, most operators of Maze also copy the data they encrypt and threaten to leak it unless the ransom is paid. A Maze ransomware infection combines the negative effects of ransomware (lost data, reduced productivity) with those of a data breach (data leaks, privacy violations), making it of particular concern for businesses.
*Ransomware is malware that locks up files and data by encrypting them. Victims are told they will only get their files and data back if they pay the attacker a ransom.
When Maze ransomware first came into use, it was mostly distributed through malicious email attachments. More recent attacks use other methods to compromise a network before dropping the ransomware payload. For instance, many Maze ransomware attacks have used stolen or guessed Remote Desktop Protocol (RDP) credentials (username and password combinations) to infiltrate a network. Other attacks have started by compromising a vulnerable virtual private network (VPN) server.
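A detection rule for the RDP credential-guessing pattern described above, added here as an example and not taken from the page or from any vendor's product. It runs over a constructed set of Windows Security log records (event ID 4625 for a failed logon, 4624 for a successful one, logon type 10 for an RDP session) and raises an alert when one source address accumulates several failures inside a time window and then logs on successfully. The field names, thresholds and sample addresses are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names are simplified from the
# Windows Security log: event_id 4625 = failed logon, 4624 = successful logon,
# logon_type 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    {"time": "2020-04-01T02:00:01", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2020-04-01T02:00:05", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2020-04-01T02:00:09", "event_id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"time": "2020-04-01T02:00:14", "event_id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"time": "2020-04-01T02:00:20", "event_id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"time": "2020-04-01T02:00:27", "event_id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"time": "2020-04-01T02:00:40", "event_id": 4624, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    # one mistyped password followed by a successful logon: ordinary user behaviour
    {"time": "2020-04-01T03:10:00", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src": "198.51.100.4"},
    {"time": "2020-04-01T03:10:30", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src": "198.51.100.4"},
    # a network (non-RDP) logon failure, which this rule deliberately ignores
    {"time": "2020-04-01T04:00:00", "event_id": 4625, "logon_type": 3, "user": "svc-print", "src": "10.0.0.5"},
]


def detect_rdp_credential_guessing(events, fail_threshold=5, window_seconds=600):
    """Return one alert per RDP source address that accumulates at least
    `fail_threshold` failed logons within `window_seconds` and then logs on
    successfully. Events may arrive in any order; they are sorted by time."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        if event["logon_type"] == 10:  # only RemoteInteractive (RDP) logons
            by_src[event["src"]].append(event)

    alerts = []
    for src, src_events in by_src.items():
        recent_failures = []  # timestamps of failures still inside the window
        for event in src_events:
            now = datetime.fromisoformat(event["time"])
            # Slide the window: forget failures older than window_seconds.
            recent_failures = [t for t in recent_failures if now - t <= window]
            if event["event_id"] == 4625:
                recent_failures.append(now)
            elif event["event_id"] == 4624:
                if len(recent_failures) >= fail_threshold:
                    alerts.append({
                        "src": src,
                        "user": event["user"],
                        "failures_before_success": len(recent_failures),
                        "success_at": event["time"],
                    })
                recent_failures = []  # a success closes the current sequence
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_credential_guessing(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the source address rather than the user name because credential guessing usually rotates through several accounts, as the sample from 203.0.113.7 does. Lower the threshold or widen the window if RDP is only exposed to a small, known set of addresses, since a handful of failures from an unexpected source is already worth a look.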
Once Maze is inside a network, it takes the following steps:
To "exfiltrate" means to move data out of a trusted area without authorization. Typically, Maze exfiltrates data by connecting with a file transfer protocol (FTP) server and copying files and data to this server in addition to encrypting it. Attackers have used the PowerShell and WinSCP utilities to perform these actions.
In some cases, exfiltrated data has been transferred to a cloud file sharing service instead of directly to an FTP server.
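A simple detection for the exfiltration stage described in the two paragraphs above, added as an example; it is not code from the page or from any product. It aggregates outbound bytes per host and destination on FTP-like ports (FTP, SFTP/SCP as used by WinSCP, FTPS) to addresses outside the RFC 1918 ranges, and raises a high-severity alert on large totals or a medium one when a smaller total comes from a known transfer tool such as WinSCP or PowerShell. The telemetry records are constructed and assume an endpoint agent that reports both the originating process and the byte count; the port list, thresholds and addresses are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Ports used by the transfer tools mentioned on the page: FTP (21), SFTP/SCP over
# SSH as used by WinSCP (22), and implicit FTPS (990). Assumed list for the example.
FTP_LIKE_PORTS = {21, 22, 990}
# Process names whose bulk outbound transfers deserve a closer look.
TRANSFER_TOOLS = {"winscp.exe", "powershell.exe"}
# RFC 1918 ranges; transfers to these are treated as internal and skipped.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry (not real data). Each record is assumed to come
# from an endpoint agent that reports the originating process and bytes sent.
SAMPLE_FLOWS = [
    {"host": "WS-042", "process": "chrome.exe",     "dst_ip": "203.0.113.20", "dst_port": 443, "bytes_out": 120_000},
    {"host": "FS-01",  "process": "winscp.exe",     "dst_ip": "203.0.113.55", "dst_port": 22,  "bytes_out": 300_000_000},
    {"host": "FS-01",  "process": "winscp.exe",     "dst_ip": "203.0.113.55", "dst_port": 22,  "bytes_out": 300_000_000},
    {"host": "FS-01",  "process": "winscp.exe",     "dst_ip": "203.0.113.55", "dst_port": 22,  "bytes_out": 300_000_000},
    # scheduled backup to an internal SFTP server: large, but not external
    {"host": "FS-01",  "process": "winscp.exe",     "dst_ip": "10.0.0.9",     "dst_port": 22,  "bytes_out": 900_000_000},
    # smaller PowerShell upload to an external FTP server
    {"host": "WS-017", "process": "powershell.exe", "dst_ip": "203.0.113.8",  "dst_port": 21,  "bytes_out": 60_000_000},
]


def is_internal(ip_str):
    """True if the address falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def flag_bulk_transfers(flows, byte_threshold=500_000_000):
    """Sum outbound bytes per (host, destination) on FTP-like ports to external
    addresses and return alerts, largest first, with a severity:
      'high'   - total at or above byte_threshold, whatever the process;
      'medium' - total at or above byte_threshold / 10 and sent by a known
                 transfer tool (WinSCP or PowerShell)."""
    totals = defaultdict(int)
    processes = defaultdict(set)
    for flow in flows:
        if flow["dst_port"] not in FTP_LIKE_PORTS or is_internal(flow["dst_ip"]):
            continue
        key = (flow["host"], flow["dst_ip"])
        totals[key] += flow["bytes_out"]
        processes[key].add(flow["process"].lower())

    alerts = []
    for (host, dst_ip), total in totals.items():
        known_tool = bool(processes[(host, dst_ip)] & TRANSFER_TOOLS)
        if total >= byte_threshold:
            severity = "high"
        elif known_tool and total >= byte_threshold // 10:
            severity = "medium"
        else:
            continue
        alerts.append({
            "host": host,
            "dst_ip": dst_ip,
            "bytes_out": total,
            "processes": sorted(processes[(host, dst_ip)]),
            "severity": severity,
        })
    return sorted(alerts, key=lambda a: a["bytes_out"], reverse=True)


if __name__ == "__main__":
    for alert in flag_bulk_transfers(SAMPLE_FLOWS):
        print(alert)
```

Uploads to a cloud file-sharing service, the variant mentioned in the second paragraph, travel over HTTPS and will not match this port filter; they need a separate rule keyed on the destination domain or on unusual outbound volume from a file server rather than on the port.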
For several years, the ransomware group that created Maze operated a website on the dark web. They posted stolen data and documents on the website as proof of their past attacks and included social media links for sharing the stolen data.
In a post on their website in November 2020, the Maze group claimed they were shutting down operations. However, as is often the case with ransomware groups, they may still be active under a different name.
The Cognizant Maze ransomware attack was a major incident that took place in April 2020. Cognizant is an IT services provider for companies around the world. The attack compromised Cognizant's network and may have also resulted in the theft of confidential data belonging to their clients (Cognizant did not disclose which of their clients were affected by the attack). It took several weeks for Cognizant to fully restore its services, which slowed or stopped business processes for many of its clients during that time.
Cognizant estimated losses of $50 million to $70 million due to the attack.
Other Maze victims include WorldNet Telecommunications, Columbus Metro Federal Credit Union, the American Osteopathic Association, and VT San Antonio Aerospace.
These steps can make a Maze ransomware attack far less likely:
Cloudflare One is a Zero Trust network-as-a-service (NaaS) platform that securely connects remote users, offices, and data centers. Learn more about Cloudflare One and how it counteracts ransomware attacks.