Decryption tool for the Maze ransomware


Ransomware is a type of malicious software cyber actors use to deny access to systems or data. The malicious cyber actor holds systems or data hostage until the ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted. Ransomware can be delivered in various ways, most commonly via spam/phishing emails containing a malicious document. Other forms of infection include exploit kits, trojans and the use of exploits to gain unauthorized access to an infected device.

Brands affected with Maze Ransomware

What is Maze Ransomware?

Maze is a file encrypting virus and also a successor to ChaCha. It uses a sophisticated RSA and ChaCha20 cipher to lock up data, and appends a string of random 4-7 characters at the end of each file, also using a marker within its structure –0x66116166. Maze ransomware is often delivered via emails or exploit kits such as Fallout and Spelevo.

Proofpoint researchers recently detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, and also targeting organizations in the United States using the IcedID banking Trojan.

When the Maze Ransomware payload is installed and executed, it will start scanning for interesting files (e.g., documents, photos, databases, and more) to encrypt them using RSA encryption and the ChaCha20 stream cipher, and append several extensions. The ransomware will also create a ransom note named DECRYPT-FILES.txt in each of the scanned folders, instructing the victims to open a website hosted on the TOR network for payment instructions to purchase a private key to decrypt the files.Victims are also provided with an online decryption interface which allows them to decrypt three of their now locked files as proof that decryption is indeed possible.

Indicator of Compromise (IOC)

The indicator of compromise (IOC) for Maze Ransomware sourced from various public & security forums are

Hashes:
  • 4e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e
  • 067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b
  • 1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78
  • 153defee225de889d2ac66605f391f4aeaa8b867b4093c686941e64d0d245a57
  • 195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9
  • 30b72e83d66cbe9e724c8e2b21179aecd4bcf68b2ec7895616807df380afab54
  • 33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502
  • 4080402553e9a86e954c1d9b7d0bb059786f52aba4a179a5d00e219500c8f43d
  • 5603a16cbf81d183d3ff4ffea5477af1a4be01321865f0978c0e128051ec0a82
  • 58fe9776f33628fd965d1bcc442ec8dc5bfae0c648dcaec400f6090633484806
  • 5c9b7224ffd2029b6ce7b82ea40d63b9d4e4f502169bc91de88b4ea577f52353
  • 6878f7bd90434ac5a76ac2208a5198ce1a60ae20e8505fc110bd8e42b3657d13
  • 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af 
  • 822a264191230f753546407a823c6993e1a83a83a75fa36071a874318893afb8
  • 83f8ce81f71d6f0b1ddc6b4f3add7a5deef8367a29f59b564c9539d6653d1279
  • 877c439da147bab8e2c32f03814e3973c22cbcd112d35bc2735b803ac9113da1
  • 91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1
  • 9751ae55b105ad8ffe6fc5dc7aea60ad723b6df67a959aa2ea6f4fa640d20a71
  • 9ad15385f04a6d8dd58b4390e32d876070e339eee6b8da586852d7467514d1b1
  • 9be70b7fe15cd64aed5b1adc88c2d5270bce534d167c4a42d143ae0059c3da1c
  • b30bb0f35a904f67d3ac0082c59770836cc415dc5b7225be04e8d7c79bde73be 
  • c040defb9c90074b489857f328d3e0040ac0ddab26cde132f17cccae7f1309cc 
  • c11b964916457579a268a36e825857866680baf1830cd6e2d26d4e1e24dec91b 
  • ea19736c8e89e871974aabdc0d52ad0f0948159d4cf41d2889f49448cbe5e705 
  • ecd04ebbb3df053ce4efa2b73912fd4d086d1720f9b410235ee9c1e529ea52a2 
  • F491fb72f106e879021b0bb1149c4678fb380c255d2ef11ac4e0897378793f49 
  • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f
Payload
  • hxxp://104.168.198.208/wordupd.tmp
  • hxxp://104.168.215.54/wordupd.tmp
  • hxxp://104.168.174.32/wordupd_3.0.1.tmp
IP Address
  • 91.218.114[.]4
  • 5.199.167[.]188
  • 185.147.15[.]22
  • 91.218.114[.]11
  • 91.218.114[.]25
  • 91.218.114[.]26
  • 91.218.114[.]31
  • 91.218.114[.]32
  • 91.218.114[.]37
  • 91.218.114[.]38
  • 91.218.114[.]77
  • 91.218.114[.]79

Protection from Maze Ransomware

Backup, Backup, BACKUP! This absolutely the most important business process for any organizations that needs to done to protect their data from being encrypted. The reality is that if business have up-to-date backups, ransomware becomes more of a nuisance than a threat. This is because enterprise can simply remove the infection and then restore the data from backups.  

Install and configure security policies and enable the indicator of compromises for the antivirus and malware defense solutions to detect any ransomware behaviors

Maintain the patches up-to-date and leave no vulnerabilities on the critical business assets. Not just the operating systems, exploit kits also target vulnerabilities in commonly used applications such as Java, Adobe Flash player, and others. Ensure the vulnerability and patch management process are adhered regularly.

Most often the ransomware distribution happens via spam and spear phishing email techniques. Make sure the users and system administrators’s mailbox are protected with anti-spam controls and advanced email security protection solutions.

Enable multi-factor authentication mechanisms to access critical data and information systems and adopt ‘zero trust‘ security model to safeguard the assets across ‘defense in depth layers’

Unfortunately, it’s not possible to recover the files encrypted by this ransomware with decryption tool because the private key which is needed to unlock the encrypted files is only available through the cyber criminals.

It’s recommended to take precautions of securing critical & sensitive data and adhere to your organizations security incident and breach response process.

Also read

  1. How to achieve 72 hours for breach notification
  2. Lessons learned from cyber breaches
  3. History: Telecom industry cyber security breaches
  4. Recommendations to adopt Zero Trust principles
  5. Unpatched vulnerabilities; Is it problem worth solving?

One thought on “Decryption tool for the Maze ransomware

Add yours

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.

Up ↑

%d bloggers like this: