Decryption tool for the Maze ransomware


Ransomware is a type of malicious software cyber actors use to deny access to systems or data. The malicious cyber actor holds systems or data hostage until the ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted. Ransomware can be delivered in various ways, most commonly via spam/phishing emails containing a malicious document. Other forms of infection include exploit kits, trojans and the use of exploits to gain unauthorized access to an infected device.

Brands affected by Maze Ransomware

What is Maze Ransomware?

Maze is a file-encrypting virus and a successor to ChaCha. It uses RSA together with the ChaCha20 cipher to lock up data, appends a string of 4-7 random characters to the end of each file, and uses the marker 0x66116166 within its structure. Maze ransomware is often delivered via emails or exploit kits such as Fallout and Spelevo.

Proofpoint researchers recently detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, and also targeting organizations in the United States using the IcedID banking Trojan.

When the Maze Ransomware payload is installed and executed, it starts scanning for interesting files (e.g., documents, photos, databases, and more), encrypts them using RSA and the ChaCha20 stream cipher, and appends several extensions. The ransomware also creates a ransom note named DECRYPT-FILES.txt in each of the scanned folders, instructing the victims to open a website hosted on the Tor network for payment instructions to purchase the private key needed to decrypt the files. Victims are also provided with an online decryption interface which allows them to decrypt three of their now locked files as proof that decryption is indeed possible.
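The two artefacts the paragraph above describes (a DECRYPT-FILES.txt note in every scanned folder, and files renamed with a random 4-7 character tag) are what an incident responder first uses to scope an outbreak on a file share. The following triage script is an added example, not code from the original post; the allow-list of normal extensions and the sample directory layout are constructed for the demonstration.

```python
"""Scope a suspected Maze infection: list folders holding a DECRYPT-FILES.txt
ransom note and files whose last extension looks like a random 4-7 char tag.
Added example; the known-extension list and sample tree are constructed."""
import os
import re
import tempfile
from pathlib import Path

RANSOM_NOTE = "DECRYPT-FILES.txt"          # note name described in the post
# Extensions normally found on this (hypothetical) share; anything else that
# is 4-7 alphanumeric characters is treated as a candidate encrypted file.
KNOWN_EXT = {"txt", "docx", "xlsx", "pdf", "jpg", "png", "sql", "csv", "pptx"}
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{4,7}$")

def is_suspect_name(name: str) -> bool:
    """True when the file's final extension looks like an appended random tag."""
    ext = Path(name).suffix.lstrip(".")
    return bool(RANDOM_EXT.match(ext)) and ext.lower() not in KNOWN_EXT

def triage(root: str) -> dict:
    """Walk `root`; return folders with a ransom note and suspect file paths."""
    note_dirs, suspects = [], []
    for dirpath, _, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        if RANSOM_NOTE in files:
            note_dirs.append(rel_dir)
        for f in files:
            if f != RANSOM_NOTE and is_suspect_name(f):
                suspects.append(f"{rel_dir}/{f}")
    return {"note_dirs": sorted(note_dirs), "suspects": sorted(suspects)}

def build_sample_tree() -> str:
    """Constructed sample share: two affected folders and one clean folder."""
    root = tempfile.mkdtemp(prefix="maze_triage_")
    layout = {
        "finance": ["q3.xlsx.k8Qz2a", "budget.docx.Wq7xR", RANSOM_NOTE],
        "hr/archive": ["staff.pdf.Zt9uLm", RANSOM_NOTE],
        "public": ["readme.txt", "logo.png"],
    }
    for rel, names in layout.items():
        folder = Path(root, rel)
        folder.mkdir(parents=True)
        for n in names:
            (folder / n).write_bytes(b"constructed sample content")
    return root

if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

The extension heuristic is deliberately loose; on a real share, review the suspect list against the ransom-note folders rather than acting on the extension match alone.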

Indicator of Compromise (IOC)

The indicators of compromise (IOCs) for Maze Ransomware, sourced from various public and security forums, are:

Payload
  • hxxp://104.168.198.208/wordupd.tmp
  • hxxp://104.168.215.54/wordupd.tmp
  • hxxp://104.168.174.32/wordupd_3.0.1.tmp

Protection from Maze Ransomware

Backup, Backup, BACKUP! This is absolutely the most important business process any organization needs to have in place to protect its data from being encrypted. The reality is that if a business has up-to-date backups, ransomware becomes more of a nuisance than a threat, because the enterprise can simply remove the infection and then restore the data from backups.

Install and configure security policies, and load the indicators of compromise into the antivirus and malware defense solutions so they can detect ransomware behaviour.

Keep patches up to date and leave no known vulnerabilities on critical business assets. Exploit kits target not just the operating system but also vulnerabilities in commonly used applications such as Java, Adobe Flash Player and others. Ensure the vulnerability and patch management processes are followed regularly.

Most often, ransomware is distributed via spam and spear-phishing emails. Make sure the mailboxes of users and system administrators are protected with anti-spam controls and advanced email security solutions.

Enable multi-factor authentication for access to critical data and information systems, and adopt a 'zero trust' security model to safeguard assets across the 'defense in depth' layers.

Unfortunately, it is not possible to recover the files encrypted by this ransomware with a decryption tool, because the private key needed to unlock the encrypted files is held only by the cyber criminals.

It is recommended to take precautions to secure critical and sensitive data, and to adhere to your organization's security incident and breach response process.
