While ransomware has been around for decades, it only became famous with the 2017 WannaCry ransomware attack. Other cybercriminals, noting the success of WannaCry, have developed their own ransomware variants and launched their own attack campaigns. Maze is one of these newer ransomware variants. It has been around for several years, but it made history by pioneering the “double extortion” ransom in 2019.
In the past, ransomware operated on a simple business model: encrypt people’s files and then demand a ransom if they want to regain access. However, this approach only works if the target pays the ransom. Some ransomware victims were able to restore from backups, while others accepted the loss and took a “don’t feed the animals” approach to ransomware operators.
Due to falling revenues, the Maze ransomware group decided to modify their strategy, combining a traditional ransomware attack and a data breach within a single campaign. They would gain access to an organization’s network, steal a great deal of sensitive information, then encrypt everything. If the target refused to pay the ransom, the Maze group would threaten to publicly expose their stolen data or sell it to the highest bidder.
This approach increased Maze’s probability of success because publication of stolen data may cause an organization to lose competitive advantage (if intellectual property and trade secrets are revealed to a competitor) and potentially run afoul of data protection regulations (due to the loss of customer data protected by the GDPR, CCPA, etc.).
At a high level, Maze is not dissimilar from any other ransomware variant. All of them take advantage of the fact that properly implemented modern encryption algorithms cannot be broken with current computing technology. If data is encrypted, only the holder of the corresponding decryption key (in this case, the Maze group) can access the original data. As a result, all ransomware needs to do is encrypt files, delete the originals and any backups, and ensure that the only copy of the encryption key is sent to the ransomware operators.
Despite this, not all ransomware variants and campaigns are identical. One way in which ransomware variants differ is in their choice of initial infection vector and how they spread through the network. Maze typically gains access via phishing emails, then uses a variety of techniques to move laterally through the network, enabling it to infect more machines.
Finally, Maze differed from other ransomware in its pioneering of the aforementioned “double extortion” strategy. While other ransomware groups have followed in their footsteps, the Maze group was the first to steal data from their target machines, then encrypt the data.
In the past, ransomware focused on denying users access to their files. This was accomplished by encrypting the files and then demanding a ransom for the decryption key. With these original ransomware variants, a number of options existed to protect against them. Simply having a secure data backup, from which the encrypted files could be restored after the attack was complete, was enough to mitigate the impacts of the malware.
With Maze, restoring from a backup is not enough. As part of its attack, Maze steals data that the cybercriminal threatens to release if the ransom goes unpaid. To eliminate the risk of a data breach and the associated regulatory and legal penalties, an organization needs to detect and block the Maze ransomware attack before it can do its damage.
Maze is a sophisticated ransomware variant; however, that does not mean that it is impossible to detect and defeat. Check Point has published a video demonstrating how Maze can be detected by threat hunting using the MITRE ATT&CK framework.
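The two behaviours described above (mass file encryption and deletion of backups) are exactly what a threat hunt keyed to the MITRE ATT&CK framework looks for. The script below is an added example, not code from the original article and not Check Point’s tooling: it parses a constructed file-activity event log, applies two heuristics, and maps each hit to the ATT&CK technique IDs T1486 (Data Encrypted for Impact) and T1490 (Inhibit System Recovery). The log line format, process names, paths and thresholds are all assumptions made for the example.

```python
"""Heuristic ransomware hunt over constructed file-activity events.

Assumed event format (one per line, constructed for this example):
  <iso-timestamp> <host> pid=<n> proc=<name> op=<write|rename|delete> path=<p> [new=<p>]
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\w+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

# Assumed markers for backup artefacts; a real deployment would take these from policy.
BACKUP_DIR_MARKERS = ("/backups/", "/backup/")
BACKUP_EXTS = {"bak", "vhdx", "bkf"}


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev


def _ext(path):
    """Lower-cased extension of the last path component, '' if none (handles \\ and /)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def detect_mass_reextension(events, window=timedelta(seconds=60), threshold=20):
    """T1486 heuristic: one process renames >= threshold files to a new extension within window."""
    per_proc = defaultdict(list)
    for ev in events:
        if ev["op"] == "rename" and ev["new"] and _ext(ev["new"]) != _ext(ev["path"]):
            per_proc[(ev["host"], ev["pid"], ev["proc"])].append(ev["ts"])
    findings = []
    for (host, pid, proc), times in per_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"technique": "T1486", "host": host, "pid": pid,
                                 "proc": proc, "count": len(times)})
                break
    return findings


def detect_backup_deletion(events, threshold=3):
    """T1490 heuristic: one process deletes >= threshold backup artefacts."""
    per_proc = defaultdict(int)
    for ev in events:
        if ev["op"] != "delete":
            continue
        p = ev["path"].replace("\\", "/").lower()
        if any(marker in p for marker in BACKUP_DIR_MARKERS) or _ext(p) in BACKUP_EXTS:
            per_proc[(ev["host"], ev["pid"], ev["proc"])] += 1
    return [{"technique": "T1490", "host": h, "pid": pid, "proc": proc, "count": n}
            for (h, pid, proc), n in per_proc.items() if n >= threshold]


def hunt(lines):
    """Run both heuristics over raw log lines and return the combined findings."""
    events = [e for e in (parse_event(l) for l in lines) if e]
    return detect_mass_reextension(events) + detect_backup_deletion(events)


def sample_events():
    """Constructed telemetry: two benign lines, then one process renaming 25 documents
    to a new extension and deleting four backup files. Not real data."""
    base = datetime(2024, 5, 1, 10, 5, 0)
    lines = [
        "2024-05-01T10:00:01 ws01 pid=4120 proc=winword.exe op=write path=C:\\Users\\ana\\Documents\\q1.docx",
        "2024-05-01T10:00:30 ws01 pid=2210 proc=backup.exe op=rename path=D:\\Backups\\db.tmp new=D:\\Backups\\db.bak",
    ]
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} ws01 pid=7788 proc=unk.exe op=rename "
                     f"path=C:\\Users\\ana\\Documents\\f{i}.xlsx new=C:\\Users\\ana\\Documents\\f{i}.xlsx.locked")
    for i in range(4):
        ts = (base + timedelta(seconds=30 + i)).isoformat()
        lines.append(f"{ts} ws01 pid=7788 proc=unk.exe op=delete path=D:\\Backups\\weekly{i}.bak")
    return lines


if __name__ == "__main__":
    for f in hunt(sample_events()):
        print(f)
```

The single legitimate rename by the backup job (one extension change) stays well under the T1486 threshold, while the burst of 25 renames within one minute and the four backup deletions by the same process each produce a finding; an analyst would then pivot on that process to look for the phishing-delivered initial access and the outbound data transfer that precede encryption in a double-extortion campaign.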
Check Point’s SandBlast product line is ideally suited to protecting organizations against Maze ransomware attacks. Try out Check Point’s endpoint protection for yourself with a free trial of SandBlast Agent. At the network level, check out Maze ransomware protection with a demonstration of SandBlast Network.