Written by: Eran Yosef, Ben Gold, and Asher Davitadi
In late 2019, the hacker group TA-2101 had used Fallout and Spelevo exploit kits to distribute multiple malwares. The group used emails to target health care related environments around the US. The Maze Ransomware (also known as ChaCha Ransomware) uses RSA and ChaCha20 ciphers for its encryption process and is used was by the attackers to extort the victims for payment, communicating via email – the ransomware generates different payment amounts depending on what the endpoints was used for (home computer, server, or workstation.)
Cynet 360 detects the ransomware in multiple stages of the attack. The detection includes Maze’s binary being dumped on the disk, SSDeep similarity, execution of the ransomware on an endpoint and using Cynet’s heuristic detection to seek file renames and more.
Cynet 360 protects your environment against this type of attack. This type of attack is detected by Cynet on our protected environment alerting for malicious activities, using the following mechanisms.
Note that the action set for our environment is to alert only, to not interrupt the ransomwares flow, allowing Cynet to detect every step of Mazes Ransomware attack flow.
Fast Scan engine – This alert triggers when Cynet detects a file hash (SSDEEP) which is highly similar to a file hash that is flagged in our threat intelligence database as malicious. The idea behind this alert is to detect new variants of known malware.
Default Configuration – This alert is triggered when Cynet detects memory strings which are associated with Malware or with malicious files.
ADT – Advanced Detection Technology – This alert triggers when Cynet detects suspicious behavior which can be associated with Ransomware (such as changing file extensions to “.Lock”).
Malicious Process Command
ADT – Advanced Detection Technology – This alert triggers when Cynet detects a CMD process which executes a command that contains suspicious arguments or is associated with malicious patterns. “VSSADMIN delete shadow /all” is an approach of ransomware in order to delete the shadow copies. Shadow Copy is a technology included in Microsoft Windows that can create backup copies or snapshots of computer files or volumes, even when they are in use. It is implemented as a Windows service called the Volume Shadow Copy service.
After execution, Maze ransomware renames the encrypts file with a random extension for each file:
Once a computer’s files have been encrypted and renamed, it changes the computer’s background and creates a ransom note at several directories – the ransom notes are named DECRYPT-FILES.html.
The note itself contains an email address to contact the cybercriminals who will provide a decryption tool once the victim sends them the Base64 code which also contains details of the infected host.
Delete all malicious files indicated above.
Block traffic to malicious domain.
Use Cynet built-in remediation options to delete the file.
Use Cynet built-in remediation option to disconnect the HOST from the network.
Investigate incident according to organizations policy.