Maze ransomware has continued to evolve as a group, but this time they appear to be going the route of retirement. First developed as a variant of ChaCha ransomware in May of 2019, the ransomware group has been extremely active. They have targeted various industries including finance, technology, telecommunications, healthcare, government, construction, hospitality, media and communications, utilities and energy, pharma and life sciences, education, insurance, wholesale, and legal. Clearly, Maze has no regard for their actions. They attack profitable corporations in hopes of them paying out the ransom.

Their double extortion technique excluded them from other groups and was the main reason they grew in popularity so quickly. Maze is known to attack a network, steal data for posting, encrypt files, and then demand a ransom. Their back up plan is to publish the stolen data on a Dark Web page if their extortion attempts fails. Maze usually facilitates malspam campaigns with malicious Word or Excel files or brute forces their way in via remote desktop protocol (RDP). No matter how they gain access to the network, Maze tries to get elevated privileges, move laterally, and deploy file encryption.

This type of behavior for Maze appears to be coming to a close. On November 1, Maze released their retirement plans. They included in their statement that there isn’t an official successor, although, many can beg to differ. Some argue that Maze supporters will look to Egregor ransomware. Egregor is a new ransomware family. They, too, follow double extortion. Egregor has been attacking well-known corporations left and right. We’ve mentioned this before. As of September 18, Egregor hasn’t stopped. Our insights detail the connection to Maze.

Egregor is also associated with Ransomware-as-a-Service (RaaS). Their supporters can subscribe to malware. Egregor is unique because of the level of anti-analysis techniques baked into the code. In order for security researchers to analyze the payload, they’ll need the unique decryption key to unlock it.  This makes it difficult to analyze the payload through a sandbox or other manual analysis techniques. The many layers of code obfuscation and encrypted payload can place a high burden on basic security tools and makes it more likely that Egregor’s execution will go undetected by said tools.

SpearTip’s ShadowSpear® Memory Injection Prevention module stops maze and egregor before they get a chance in to ransom your environment. Network defenders should apply these strategies and tools to avoid falling victim to Maze or Egregor, though it usually begins with non-technical end-users. Implementing user awareness training and phishing practices has been proven to correct and improve an organization’s security posture tremendously. The weakest link is almost always the human element. Utilizing a trusted Endpoint Detection and Response (EDR) tool will put your organization on a higher level to protect your organization’s network. Having a Security Information and Event Management (SIEM) tool to collect logs from critical systems and a strong vulnerability management policy will improve an organization’s defensive posture.

Our cybersecurity professionals are always on alert for malware and manipulative programs by building cases on the threat groups and actors that are encountered on a daily basis. Our 24/7 Security Operations Center (SOC) is complete with certified security engineers to monitor and protect your environment. Not only are they continuously preventing cyberattacks, but they can also deploy our proprietary tool, ShadowSpear® in your environment before or after an attack.