Information about Maze ransomware

Technical Articles ID: KB92734
Last Modified: 6/23/2022

Environment

Microsoft Windows

Summary

We're receiving requests for information regarding the Maze ransomware. This article provides information about this ransomware and recommendations to help protect your environment.

This article will be updated as more information becomes available.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Maze ransomware was first discovered in May 2019. The ransomware is distributed by threat actor TA2101 in several ways. When it's deployed, the ransomware scans all folders and encrypts all files except itself and .ini file extensions, and creates a ransom note in each folder. The ransom amount isn't stated in the ransom note. Victims are directed to email the threat actor at one of two email addresses. Currently, there's no known publicly available decryptor.

Solution

IMPORTANT: Make sure that all systems in your environment are up to date on all content updates. Coverage is being added when new indicators of compromise (IOCs) are discovered. So, it's important to make sure that you're on the latest release.

See the "Attachment" section of this article for an Extra.dat that you can use while detection is being added to the daily production DATs. To find the latest content versions, see the following:

To learn how to use an Extra.DAT, see the following article:
KB67602 - How to check in and deploy an Extra.DAT in ePolicy Orchestrator

Trellix Labs has released a blog post with a detailed analysis of samples related to the Maze ransomware.

Trellix Labs has also released a Threat Advisory for the Maze ransomware at KB92415 - Threat Advisory: Ransomware-Maze.

We recommend that you review KB91836 - Countermeasures for entry vector threats. This article addresses common entry vectors for several types of malware to help strengthen security posture.

Also, KB89805 - How to respond to a ransomware infection highlights some measures to take when responding to a ransomware infection.

Example IOCs and Detection of Maze Ransomware:

Registry Key Accesses:
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeCaption
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeText
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server subkey fDenyTSConnections

NOTE: This key functions to enable or disable RDS. While analysts don't have a copy of windows.bat, this key is likely the one modified to perform the functionality identified.

Files Created:
C:\Windows\Temp\ered.tmp
C:\Windows\Temp\wupd12.14.tmp
DECRYPT-FILES.txt

Hashes:
Dropper
MD5: a2d631fcb08a6c840c23a8f46f6892dd, Name: “Cure.doc”
MD5: 2fbd10975ee65845a18af6b7488a5236, Name: “USPS_Delivery.doc”
MD5: ee26e33725b14850b1776a67bd8f2d0a , Name: R19340003422.doc
MD5: 2fbd10975ee65845a18af6b7488a5236 , Name: USPS_Delivery.doc
MD5: a2d631fcb08a6c840c23a8f46f6892dd , Name: Cure.doc
MD5: ad30987a53b1b0264d806805ce1a2561 , Name: VERDI.doc
MD5: 53d5bdc6bd7904b44078cf80e239d42b , Name: VERDI.doc

Second Stage:
eset.exe
3bfcba2dd05e1c75f86c008f4d245f62

Loaders - wordupd.tmp
21a563f958b73d453ad91e251b11855c
27c5ecbb94b84c315d56673a851b6cf9
0f841c6332c89eaa7cac14c9d5b1d35b
f5ecda7dd8bb1c514f93c09cea8ae00d
0f841c6332c89eaa7cac14c9d5b1d35b
a0c5b4adbcd9eb6de9d32537b16c423b

Loaders - Other
b40a9eda37493425782bda4a3d9dad58
5df79164b6d0661277f11691121b1d53
79d137d91be9819930eeb3876e4fbe79
65cf08ffaf12e47de8cd37098aac5b33
fba4cbb7167176990d5a8d24e9505f71
deebbea18401e8b5e83c410c6d3a8b4e
87239ce48fc8196a5ab66d8562f48f26
a3a3495ae2fc83479baeaf1878e1ea84
8205a1106ae91d0b0705992d61e84ab2
b4d6cb4e52bb525ebe43349076a240df
a3386e5d833c8dc5dfbb772d1d27c7d1
d552be44a11d831e874e05cadafe04b6
bf2e43ff8542e73c1b27291e0df06afd
e69a8eb94f65480980deaf1ff5a431a6

Extracted Malware:
5774f35d180c0702741a46d98190ff37
f04d404d84be66e64a584d425844b926
be537a66d01c67076c8491b05866c894
d2dda72ff2fbbb89bd871c5fc21ee96a

Additional Hashes:
910aa49813ee4cc7e4fa0074db5e454a
8205a1106ae91d0b0705992d61e84ab2

IP addresses (Dropper):
hxxp://104.168.215.54/wordupd.tmp
hxxp://149.56.245.196/wordupd.tmp
hxxps://104.168.198.208/wordupd.tmp
hxxp://104.168.198.230/wordupd.tmp
hxxp://104.168.201.47/wordupd.tmp

Maze URLs:
hxxps://mazedecrypt.top/c3100a28b009e7a9
hxxp://aoacugmutagkwctu.onion/c3100a28b009e7a9

IP addresses:
91[.]218.114.37
91[.]218.114.77
91[.]218.114.4
91[.]218.114.11
91[.]218.114.31
91[.]218.114.79
91[.]218.114.25
91[.]218.114.26
91[.]218.114.38
91[.]218.114.32

Attachment

Maze_EXTRA.zip
5K • < 1 minute @ broadband

Affected Products

Best Practices
Threat Prevention and Removal

Knowledge Center

Information about Maze ransomware

Environment

Summary

Solution

Attachment

Affected Products

Title

Title

Knowledge Center

Information about Maze ransomware

Environment

Summary

Solution

Attachment

Affected Products

Choose your region

Title

Title