The Maze ransomware, previously known in the community as “ChaCha ransomware,” was discovered on May 29, 2019 by Jerome Segura. Although over a year old at this point, it is still seen in the wild as the recent attack on Canon shows. Like other ransomware, Maze spreads across a corporate network, infecting computers it finds and encrypts data so it cannot be accessed.
In addition to encrypting data, Maze also steals the data it finds and exfiltrates it to servers controlled by the attacker who then threaten to release it if a ransom is not paid. Increasingly, other ransomware (such as REvil, also known as Sodinokibi) have been observed using similar tactics.
Maze and similar ransomware attacks leverage encrypted command and control (C2), deception, and the use of native Windows functions to avoid detection by signature-based security controls. Vectra models detect these threats consistently when seen in the wild because we focus on behaviors, not signatures. Attacker infrastructure, tools change, but behaviors are more stable. This allows Vectra to not just catch the current flavor of ransomware, but newer ones that may be created in the future. Security operations center (SOC) analysts can leverage the behavioral detections to get ahead of an attacker before the adversary achieves a malicious objective such as exfiltration or encryption of data. In this blog, I’d like to analyze a typical attack progression from Maze, and how it would appear for someone who was leveraging Vectra to secure their network.
Let’s start by looking at a common timeline of a modern ransomware attack:
From a SOC perspective, let’s simplify this and distill it into five observable steps.
Note that those steps may or may not be present, depending of the actor. As the techniques varies, potential detections listed below cannot be considered certain. Note as well that some people can just open a sample of Maze by accident, infect themselves, which would only trigger ransomware detection, as no interaction within a C2 channel will be performed.
For initial compromise, some campaigns start with malicious documents, used to launch a cobalt strike instance in order to gain remote control of the “patient zero”. Several cases reported came from a direct compromising, by the actor, using stolen credentials, exploitation of vulnerable software, or weak password on Internet facing devices. The most observed tool used to take control of the patient zero appears to be CobaltStrike.
Actors sometimes used privilege escalation in order to be able to execute and deploy the ransomware, move laterally, or discover interesting files. This attack step comprises the reconnaissance behavior.
Once the attacker gets a foothold in the target’s environment, several reconnaissance attempts, as well as lateral movement are performed towards other targets.
The screenshot below clearly shows this behavior, IP – 10.50.2.103 being the principal entry point, showing lateral movement and significant reconnaissance behavior.
For lateral movement itself, attackers mostly leverage Cobalt strike from their initial foothold.
In the Suspicious Remote Execution detail, we see the attacker operating psexec to manage services in neighboring hosts.
Finally, several cases show exfiltration attempts, prior to encryption by maze, which are done in various manners, mostly towards ftp or cloud hosting services.
Note here that prior to the detonation of the ransomware itself, the host pc4 suffered external remote access and Smash andGrab exfiltration attempts, which is here part of the exploit chain.
The external remote access is always a strong indicator of an external adversary when combined with reconnaissance detections. In detection detail here you find the type of C2 application, in this case Teamviewer. C2 alerts should always be investigated to rule out threats. Do not rely solely on threat intel but consider the broader scope of activity. Ask yourself:
Maze ransomware is then deployed via channels. This one obviously triggers ransomware file activity, as shown below.
Regarding Ransomware detection itself, the detection view shows the number of files affected, as well as shares names. The ransomware note is also given, as it can help identify certain families of malware by its name:
Using Recall enhanced view, we can see clearly that at the time of the attack, some external sessions were launched:
The combination of prioritization of relevant behavior combined with automated response can help detect the threat early and stop it from propagating into the environment. To get in touch with our experts, our newly announced Vectra services enable our customers to mature their security operations and empower them with access to the people at Vectra who are most knowledgeable. And as always, don’t hesitate to contact us to learn more or schedule a demo.