Information about Maze ransomware
Technical Articles ID:
KB92734
Last Modified: 6/23/2022

Environment
Microsoft Windows
Summary
We're receiving requests for information regarding the Maze ransomware. This article provides information about this ransomware and recommendations to help protect your environment. This article will be updated as more information becomes available. To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
Maze ransomware was first discovered in May 2019. The ransomware is distributed by the threat actor TA2101 in several ways. When it's deployed, the ransomware scans all folders and encrypts all files except itself and

Solution
IMPORTANT: Make sure that all systems in your environment are up to date on all content updates. Coverage is added as new indicators of compromise (IOCs) are discovered, so it's important to be on the latest release.
See the "Attachment" section of this article for an
To learn how to use an Extra.DAT, see the following article:
KB67602 - How to check in and deploy an Extra.DAT in ePolicy Orchestrator

Trellix Labs has released a blog post with a detailed analysis of samples related to the Maze ransomware.
Example IOCs and Detection of Maze Ransomware

Trellix Labs has also released a Threat Advisory for the Maze ransomware at KB92415 - Threat Advisory: Ransomware-Maze. We recommend that you review KB91836 - Countermeasures for entry vector threats. This article addresses common entry vectors for several types of malware to help strengthen security posture. Also, KB89805 - How to respond to a ransomware infection highlights some measures to take when responding to a ransomware infection.

Registry Key Accesses:
  SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server, subkey fDenyTSConnections
  NOTE: This key functions to enable or disable RDS. While analysts don't have a copy of

Files Created:
  C:\Windows\Temp\wupd12.14.tmp
  DECRYPT-FILES.txt

Hashes (MD5):
  a2d631fcb08a6c840c23a8f46f6892dd, Name: Cure.doc
  2fbd10975ee65845a18af6b7488a5236, Name: USPS_Delivery.doc
  ee26e33725b14850b1776a67bd8f2d0a, Name: R19340003422.doc
  ad30987a53b1b0264d806805ce1a2561, Name: VERDI.doc
  53d5bdc6bd7904b44078cf80e239d42b, Name: VERDI.doc

Second Stage:
  3bfcba2dd05e1c75f86c008f4d245f62

Loaders - wordupd.tmp:
  21a563f958b73d453ad91e251b11855c
  27c5ecbb94b84c315d56673a851b6cf9
  0f841c6332c89eaa7cac14c9d5b1d35b
  f5ecda7dd8bb1c514f93c09cea8ae00d
  a0c5b4adbcd9eb6de9d32537b16c423b

Loaders - Other:
  5df79164b6d0661277f11691121b1d53
  79d137d91be9819930eeb3876e4fbe79
  65cf08ffaf12e47de8cd37098aac5b33
  fba4cbb7167176990d5a8d24e9505f71
  deebbea18401e8b5e83c410c6d3a8b4e
  87239ce48fc8196a5ab66d8562f48f26
  a3a3495ae2fc83479baeaf1878e1ea84
  8205a1106ae91d0b0705992d61e84ab2
  b4d6cb4e52bb525ebe43349076a240df
  a3386e5d833c8dc5dfbb772d1d27c7d1
  d552be44a11d831e874e05cadafe04b6
  bf2e43ff8542e73c1b27291e0df06afd
  e69a8eb94f65480980deaf1ff5a431a6

Extracted Malware:
  f04d404d84be66e64a584d425844b926
  be537a66d01c67076c8491b05866c894
  d2dda72ff2fbbb89bd871c5fc21ee96a

Additional Hashes:
  8205a1106ae91d0b0705992d61e84ab2

IP addresses (Dropper):
  hxxp://149.56.245.196/wordupd.tmp
  hxxps://104.168.198.208/wordupd.tmp
  hxxp://104.168.198.230/wordupd.tmp
  hxxp://104.168.201.47/wordupd.tmp

Maze URLs:
  hxxp://aoacugmutagkwctu.onion/c3100a28b009e7a9

IP addresses:
  91[.]218.114.77
  91[.]218.114.4
  91[.]218.114.11
  91[.]218.114.31
  91[.]218.114.79
  91[.]218.114.25
  91[.]218.114.26
  91[.]218.114.38
  91[.]218.114.32

Attachment

Affected Products
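As an added, defender-side example (not part of this article and not Trellix tooling), the following Python script loads the IOCs listed above, refangs the defanged IP addresses and dropper URLs so they can be compared with real telemetry, and matches them against a handful of constructed Sysmon-style log lines. The Sysmon field names (Image, Hashes, DestinationIp, TargetObject, TargetFilename) are real; the events themselves and the SHA256 values in them are constructed samples. It reports MD5, destination-IP, registry-path and file-name hits and is meant as a triage aid on top of the content-update coverage the article describes, not a replacement for it.

```python
"""Match the Maze IOCs from KB92734 against Sysmon-style telemetry.

Added example, not part of the Trellix article. The IOC values are copied
from the article (defanged where the article defangs them); the log lines
and the SHA256 values in them are constructed samples.
"""
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# MD5 hashes from the article (documents, second stage, loaders, extracted malware).
MAZE_MD5 = set("""
a2d631fcb08a6c840c23a8f46f6892dd 2fbd10975ee65845a18af6b7488a5236 ee26e33725b14850b1776a67bd8f2d0a
ad30987a53b1b0264d806805ce1a2561 53d5bdc6bd7904b44078cf80e239d42b 3bfcba2dd05e1c75f86c008f4d245f62
21a563f958b73d453ad91e251b11855c 27c5ecbb94b84c315d56673a851b6cf9 0f841c6332c89eaa7cac14c9d5b1d35b
f5ecda7dd8bb1c514f93c09cea8ae00d a0c5b4adbcd9eb6de9d32537b16c423b 5df79164b6d0661277f11691121b1d53
79d137d91be9819930eeb3876e4fbe79 65cf08ffaf12e47de8cd37098aac5b33 fba4cbb7167176990d5a8d24e9505f71
deebbea18401e8b5e83c410c6d3a8b4e 87239ce48fc8196a5ab66d8562f48f26 a3a3495ae2fc83479baeaf1878e1ea84
8205a1106ae91d0b0705992d61e84ab2 b4d6cb4e52bb525ebe43349076a240df a3386e5d833c8dc5dfbb772d1d27c7d1
d552be44a11d831e874e05cadafe04b6 bf2e43ff8542e73c1b27291e0df06afd e69a8eb94f65480980deaf1ff5a431a6
f04d404d84be66e64a584d425844b926 be537a66d01c67076c8491b05866c894 d2dda72ff2fbbb89bd871c5fc21ee96a
""".split())
DROPPER_URLS = ["hxxp://149.56.245.196/wordupd.tmp", "hxxps://104.168.198.208/wordupd.tmp",
                "hxxp://104.168.198.230/wordupd.tmp", "hxxp://104.168.201.47/wordupd.tmp"]
MAZE_IPS_DEFANGED = ["91[.]218.114.77", "91[.]218.114.4", "91[.]218.114.11", "91[.]218.114.31",
                     "91[.]218.114.79", "91[.]218.114.25", "91[.]218.114.26", "91[.]218.114.38",
                     "91[.]218.114.32"]
FILE_NAMES = {"wupd12.14.tmp", "DECRYPT-FILES.txt"}
# Registry values the article lists, as lower-case path tails so that the HKLM and
# HKEY_LOCAL_MACHINE spellings both match.
REGISTRY_TAILS = (r"policies\system\legalnoticetext",
                  r"control\terminal server\fdenytsconnections")


def refang(indicator: str) -> str:
    """Turn the article's defanged form ([.] and hxxp) back into a comparable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http", 1)


IOC_IPS = {refang(ip) for ip in MAZE_IPS_DEFANGED}
IOC_IPS |= {urlparse(refang(url)).hostname for url in DROPPER_URLS}


def parse_event(line: str) -> dict:
    """Split a 'Key=Value Key=Value' line; values may contain spaces ('Terminal Server')."""
    fields = {}
    for token in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def match_event(line: str) -> list:
    """Return (ioc_type, value) pairs for every article IOC the event touches."""
    ev = parse_event(line)
    hits = []
    # Sysmon packs hashes as 'MD5=...,SHA256=...'; compare case-insensitively.
    hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
    if hashes.get("MD5", "").lower() in MAZE_MD5:
        hits.append(("md5", hashes["MD5"].lower()))
    if ev.get("DestinationIp") in IOC_IPS:
        hits.append(("ip", ev["DestinationIp"]))
    if any(ev.get("TargetObject", "").lower().endswith(t) for t in REGISTRY_TAILS):
        hits.append(("registry", ev["TargetObject"]))
    for key in ("TargetFilename", "Image"):
        if PureWindowsPath(ev.get(key, "")).name in FILE_NAMES:
            hits.append(("file", ev[key]))
    return hits


def scan(lines) -> list:
    """Return (line_number, ioc_type, value) for every hit across the input."""
    return [(n, kind, value) for n, line in enumerate(lines, 1) for kind, value in match_event(line)]


# Constructed sample events (not real telemetry); field names follow Sysmon.
CONSTRUCTED_EVENTS = [
    r"EventID=1 Image=C:\Windows\Temp\wupd12.14.tmp Hashes=MD5=21A563F958B73D453AD91E251B11855C,SHA256=0000",
    r"EventID=3 Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE DestinationIp=104.168.198.208 DestinationPort=443",
    r"EventID=13 Image=C:\Windows\Temp\wupd12.14.tmp TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections Details=DWORD (0x00000000)",
    r"EventID=11 Image=C:\Windows\Temp\wupd12.14.tmp TargetFilename=C:\Users\alice\Documents\DECRYPT-FILES.txt",
    r"EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationIp=203.0.113.5 DestinationPort=443",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe Hashes=MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=0000",
]

if __name__ == "__main__":
    for n, kind, value in scan(CONSTRUCTED_EVENTS):
        print(f"event {n}: {kind} IOC hit -> {value}")
```

Matching is exact on hash, IP, registry path tail and file name, so a rebuilt loader with a new hash or a changed drop location will not be caught; that is the reason the article insists on current content updates rather than a static list. Registry hits on fDenyTSConnections in particular deserve a look at the Details field, since that value controls whether Remote Desktop connections are allowed.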