Maze Ransomware Victim’s data revealed

Dinesh
4 min readDec 27, 2019


Several successful ransomware attacks have been observed recently, and Maze ransomware tops the list. The threat actors behind Maze are tracked as TA2101 by Proofpoint and attributed to APT-29 by Talos Intelligence. The Maze team publicly exposes its victims by publishing real files exfiltrated from the servers it compromised. The threat actors are believed to have registered the domain mazenews[.]top to release the exfiltrated data.

Homepage of mazenews[.]top

Recent incidents:
Over the past several months, Talos Incident Response has responded to several such incidents, in which an adversary gained access to an environment, deployed ransomware, and exfiltrated large amounts of data, combining ransomware and doxxing into a single incident.

In one incident, the attacker used CobaltStrike after gaining access to the network. CobaltStrike is a widely used offensive security and red-teaming framework that adversaries also commonly turn against their targets. Once inside, the adversary spent at least a week moving laterally through the network, enumerating systems and collecting data along the way. Alongside CobaltStrike, the actor used a named-pipe technique commonly associated with APT-29.

Victims List:

On December 11, the group behind the Maze ransomware set up a website where victims who refused to pay the ransom are publicly shamed and the information stolen from them is leaked.

<Updated June 27, 2020> For the latest victim list: https://medium.com/series/maze-ransomware-b8fe65700ead

This pursuit of maximum monetary gain from their nefarious activities is increasingly common in the crimeware space, as demonstrated by the proliferation of Emotet and the millions of dollars in damage that have followed. Expect adversaries to be increasingly aware of the systems and networks they compromise: not all systems and networks are created equal, and some yield much higher profit margins when compromised.

<Updated Apr 20, 2020> IT services giant Cognizant suffered a cyber attack on the night of April 17, 2020, allegedly by the operators of the Maze ransomware.

Indicators of Compromise (IoCs):

HASHES:

CobaltStrike

  • 51461b83f3b8afbcae46145be60f7ff11b5609f1a2341283ad49c03121e6cafe
  • 3627eb2e1940e50ab2e7b3ee703bc5f8663233fe71a872b32178cb118fb3e2d9

Maze Ransomware

  • 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e
  • 067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b
  • 1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78
  • 153defee225de889d2ac66605f391f4aeaa8b867b4093c686941e64d0d245a57
  • 195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9
  • 30b72e83d66cbe9e724c8e2b21179aecd4bcf68b2ec7895616807df380afab54
  • 33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502
  • 4080402553e9a86e954c1d9b7d0bb059786f52aba4a179a5d00e219500c8f43d
  • 5603a16cbf81d183d3ff4ffea5477af1a4be01321865f0978c0e128051ec0a82
  • 58fe9776f33628fd965d1bcc442ec8dc5bfae0c648dcaec400f6090633484806
  • 5c9b7224ffd2029b6ce7b82ea40d63b9d4e4f502169bc91de88b4ea577f52353
  • 6878f7bd90434ac5a76ac2208a5198ce1a60ae20e8505fc110bd8e42b3657d13
  • 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af
  • 822a264191230f753546407a823c6993e1a83a83a75fa36071a874318893afb8
  • 83f8ce81f71d6f0b1ddc6b4f3add7a5deef8367a29f59b564c9539d6653d1279
  • 877c439da147bab8e2c32f03814e3973c22cbcd112d35bc2735b803ac9113da1
  • 91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1
  • 9751ae55b105ad8ffe6fc5dc7aea60ad723b6df67a959aa2ea6f4fa640d20a71
  • 9ad15385f04a6d8dd58b4390e32d876070e339eee6b8da586852d7467514d1b1
  • 9be70b7fe15cd64aed5b1adc88c2d5270bce534d167c4a42d143ae0059c3da1c
  • b30bb0f35a904f67d3ac0082c59770836cc415dc5b7225be04e8d7c79bde73be
  • c040defb9c90074b489857f328d3e0040ac0ddab26cde132f17cccae7f1309cc
  • c11b964916457579a268a36e825857866680baf1830cd6e2d26d4e1e24dec91b
  • ea19736c8e89e871974aabdc0d52ad0f0948159d4cf41d2889f49448cbe5e705
  • ecd04ebbb3df053ce4efa2b73912fd4d086d1720f9b410235ee9c1e529ea52a2
  • F491fb72f106e879021b0bb1149c4678fb380c255d2ef11ac4e0897378793f49
  • fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f

<Updated Apr 20, 2020 IoCs>

IP ADDRESSES:

  • 91.218.114[.]4
  • 5.199.167[.]188
  • 185.147.15[.]22

<Updated Apr 20, 2020>

YARA:

The updated hashes are based on the YARA rule shared by @VK_Intel.

////////////////////////////////////////////////////////////////// MAZE ////////////////////////////////////////////////////////////////////////

rule crime_win32_ransom_maze_dll_1
{
    meta:
        description = "Detects Maze ransomware payload dll unpacked"
        author = "@VK_Intel"
        reference = "https://twitter.com/VK_Intel/status/1251388507219726338"
        tlp = "white"
        date = "2020-04-18"

    strings:
        // "wide" matches the text as UTF-16LE, the encoding used for strings in Windows binaries
        $str1 = "Maze Ransomware" wide
        $str2 = "--logging" wide
        $str3 = "DECRYPT-FILES.txt" wide
        // hex string; each "??" is a one-byte wildcard
        $tick_server_call = { ff ?? ?? 8b ?? ?? ?? ?? ?? ff d6 8b ?? 89 f9 50 ff ?? ?? ff d6 8d ?? ?? ?? 89 ?? ?? ?? 56 e8 ?? ?? ?? ?? 83 c4 04 b9 67 66 66 66 89 c5 f7 e9 89 d0 d1 fa c1 e8 1f 01 c2 8d ?? ?? 29 c5 56 e8 ?? ?? ?? ?? 83 c4 04 b9 56 55 55 55 89 c6 f7 e9 89 f9 89 d0 c1 e8 1f 01 d0 8d ?? ?? 29 c6 8b ?? 55 56 ff ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 89 ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 c5 50 ff d3 89 c6 ff ?? ?? ?? ff d3 8b ?? ?? ?? 01 f0 3d ff 03 00 00 0f ?? ?? ?? ?? ?? 55 ff ?? ?? ?? 68 a2 95 c3 00 53 ff ?? ?? ?? ?? ?? 83 c4 10 c6 ?? ?? ?? c6 ?? ?? ?? ?? }

    condition:
        // uint16(0) == 0x5a4d is the little-endian "MZ" header of a PE file
        ( uint16(0) == 0x5a4d and ( 3 of them ) ) or ( all of them )
}
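To make the rule's semantics concrete, here is an added example (my own code, not @VK_Intel's rule or any Maze code) that re-implements the rule's matching logic in plain Python: the wide modifier becomes a UTF-16LE encode, the hex string with "??" wildcards becomes a bytes regex, uint16(0) == 0x5a4d becomes a little-endian read of the first two bytes, and the condition is evaluated as "(MZ and at least 3 strings) or all 4". The buffers it scans are constructed in build_sample purely so that the logic can be exercised offline; in production you would run the rule itself with YARA.

```python
import re
import struct

# Strings from the rule above. YARA's "wide" modifier matches the text as
# UTF-16LE, the encoding Windows binaries use for their strings.
WIDE_STRINGS = {
    "$str1": "Maze Ransomware",
    "$str2": "--logging",
    "$str3": "DECRYPT-FILES.txt",
}

# The rule's hex string; each "??" is a one-byte wildcard.
TICK_SERVER_CALL = (
    "ff ?? ?? 8b ?? ?? ?? ?? ?? ff d6 8b ?? 89 f9 50 ff ?? ?? ff d6 8d ?? ?? ?? "
    "89 ?? ?? ?? 56 e8 ?? ?? ?? ?? 83 c4 04 b9 67 66 66 66 89 c5 f7 e9 89 d0 d1 "
    "fa c1 e8 1f 01 c2 8d ?? ?? 29 c5 56 e8 ?? ?? ?? ?? 83 c4 04 b9 56 55 55 55 "
    "89 c6 f7 e9 89 f9 89 d0 c1 e8 1f 01 d0 8d ?? ?? 29 c6 8b ?? 55 56 ff ?? ?? "
    "85 c0 0f ?? ?? ?? ?? ?? 89 ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 c5 50 ff d3 89 c6 "
    "ff ?? ?? ?? ff d3 8b ?? ?? ?? 01 f0 3d ff 03 00 00 0f ?? ?? ?? ?? ?? 55 ff "
    "?? ?? ?? 68 a2 95 c3 00 53 ff ?? ?? ?? ?? ?? 83 c4 10 c6 ?? ?? ?? c6 ?? ?? "
    "?? ??"
)


def hex_pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate a YARA hex string into a bytes regex: "??" matches any one byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def instantiate_pattern(pattern: str, filler: int = 0x90) -> bytes:
    """Constructed bytes that satisfy the pattern (wildcards become `filler`).
    Only used to build sample input below; this is not Maze code."""
    return bytes(filler if tok == "??" else int(tok, 16) for tok in pattern.split())


def is_mz(data: bytes) -> bool:
    """uint16(0) == 0x5a4d: a little-endian read of the first two bytes equals "MZ"."""
    return len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x5A4D


def matched_strings(data: bytes) -> set:
    """Names of the rule's strings that occur in the buffer."""
    found = {name for name, text in WIDE_STRINGS.items()
             if text.encode("utf-16-le") in data}
    if hex_pattern_to_regex(TICK_SERVER_CALL).search(data):
        found.add("$tick_server_call")
    return found


def rule_matches(data: bytes) -> bool:
    """( uint16(0) == 0x5a4d and ( 3 of them ) ) or ( all of them )"""
    found = matched_strings(data)
    return (is_mz(data) and len(found) >= 3) or len(found) == len(WIDE_STRINGS) + 1


def build_sample(mz: bool, names, with_hex: bool) -> bytes:
    """Constructed test buffer: an "MZ" or non-PE prefix, zero padding standing in
    for a header, the chosen wide strings, and optionally bytes that satisfy the
    hex pattern."""
    buf = bytearray(b"MZ" if mz else b"PK")
    buf += b"\x00" * 62
    for name in names:
        buf += WIDE_STRINGS[name].encode("utf-16-le") + b"\x00\x00"
    if with_hex:
        buf += instantiate_pattern(TICK_SERVER_CALL)
    return bytes(buf)


if __name__ == "__main__":
    all_text = ["$str1", "$str2", "$str3"]
    print("PE, 3 text strings:   ", rule_matches(build_sample(True, all_text, False)))   # True
    print("non-PE, 3 text strings:", rule_matches(build_sample(False, all_text, False)))  # False
    print("non-PE, all 4 strings: ", rule_matches(build_sample(False, all_text, True)))   # True
    print("PE, 2 text strings:    ", rule_matches(build_sample(True, ["$str1", "$str2"], False)))  # False
```

The second and third cases show why the condition has two branches: a non-PE buffer (for example a memory dump or an unpacked region without the MZ header) only fires when every string, including the code pattern, is present, while a PE file needs any three of the four.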


Contact: https://www.linkedin.com/in/dinesh135kumar/



Dinesh

Threat Intelligence Analyst <Blogs are my own and do not reflect my employer>