ATTACK TECHNIQUES – HANDS ON

Brought to you by Cynet's CyOps Center

Cynet's 24/7 MDR with the latest security updates and reports

Cynet Detection Report: Maze Ransomware

Written by: Eran Yosef, Ben Gold, and Asher Davitadi

EXECUTIVE SUMMARY

In late 2019, the hacker group TA-2101 had used Fallout and Spelevo exploit kits to distribute multiple malwares. The group used emails to target health care related environments around the US. The Maze Ransomware (also known as ChaCha Ransomware) uses RSA and ChaCha20 ciphers for its encryption process and is used was by the attackers to extort the victims for payment, communicating via email – the ransomware generates different payment amounts depending on what the endpoints was used for (home computer, server, or workstation.)

Cynet 360 detects the ransomware in multiple stages of the attack. The detection includes Maze’s binary being dumped on the disk, SSDeep similarity, execution of the ransomware on an endpoint and using Cynet’s heuristic detection to seek file renames and more.

CYNET DETECTION

Cynet 360 protects your environment against this type of attack. This type of attack is detected by Cynet on our protected environment alerting for malicious activities, using the following mechanisms.

Note that the action set for our environment is to alert only, to not interrupt the ransomwares flow, allowing Cynet to detect every step of Mazes Ransomware attack flow.

  • MALICIOUS BINARY
    1
    Fast Scan engine – This alert triggers when Cynet detects a file hash (SSDEEP) which is highly similar to a file hash that is flagged in our threat intelligence database as malicious. The idea behind this alert is to detect new variants of known malware.

 

  • Memory Pattern
    2
    Default Configuration – This alert is triggered when Cynet detects memory strings which are associated with Malware or with malicious files.

 

  • RANSOMWARE HEURISTIC
    3
    ADT – Advanced Detection Technology – This alert triggers when Cynet detects suspicious behavior which can be associated with Ransomware (such as changing file extensions to “.Lock”).

 

  • Malicious Process Command
    4
    ADT – Advanced Detection Technology – This alert triggers when Cynet detects a CMD process which executes a command that contains suspicious arguments or is associated with malicious patterns.  “VSSADMIN delete shadow /all” is an approach of ransomware in order to delete the shadow copies. Shadow Copy is a technology included in Microsoft Windows that can create backup copies or snapshots of computer files or volumes, even when they are in use. It is implemented as a Windows service called the Volume Shadow Copy service.

 

INVESTIGATION OVERVIEW

After execution, Maze ransomware renames the encrypts file with a random extension for each file:

Once a computer’s files have been encrypted and renamed, it changes the computer’s background and creates a ransom note at several directories – the ransom notes are named DECRYPT-FILES.html.

The note itself contains an email address to contact the cybercriminals who will provide a decryption tool once the victim sends them the Base64 code which also contains details of the infected host.

6

7

8

9 

RECOMMENDATIONS

  • Delete all malicious files indicated above.
  • Block traffic to malicious domain.
  • Use Cynet built-in remediation options to delete the file.
  • Use Cynet built-in remediation option to disconnect the HOST from the network.
  • Investigate incident according to organizations policy.
  • If necessary, format the endpoint.

Contact Cynet CyOps (Cynet Security Operations Center)

The Cynet CyOps team is available to clients 24/7 for assistance with any issues, questions, or comments related to Cynet 360. For additional information, you may contact us directly at:

Phone (US):  +1-347-474-0048

Phone (EU):  +44-203-290-9051

Phone (IL):    +972-72-336-9736

CyOps Email: [email protected]

Dive In

Ebook Free Download

Securing Your Organization’s Network on a Shoestring

How to protect your resource-constrained organization’s endpoints, networks, files and users without going bankrupt or losing sleep.

DOWNLOAD NOW
Ebook Free Download

Securing Your Organization’s Network on a Shoestring

How to protect your resource-constrained organization’s endpoints, networks, files and users without going bankrupt or losing sleep.

DOWNLOAD NOW
SOLUTION BRIEF

Automated Threat Discovery & Mitigation

Secure your all organizational assets with a single platform. Cynet 360 protects across all threat vectors, across all attack stages.

DOWNLOAD NOW
SOLUTION BRIEF

Automated Threat Discovery & Mitigation

Secure your all organizational assets with a single platform. Cynet 360 protects across all threat vectors, across all attack stages.

DOWNLOAD NOW
FREE TRIAL

Deploy Cynet in Minutes and Try it for 14 Days

Try Cynet’s easy-to-launch prevention, detection and response platform across your entire organization - free for 14 days!

START YOUR TRIAL