April 24, 2020

Playbook for Maze Ransomware

By venkat

Summary

The Maze ransomware, previously known in the community as “ChaCha ransomware”, was discovered on May the 29th 2019 by Jerome Segura[1].

Maze intrusion operations will mostly have similar patterns of attack frameworks, tools and techniques across victims. Also will have similar operations as other Ransomware families like Ryuk, DoppelPaymer. The same applies to Affiliates and Actors who could use a whole range of Ransomware flavors and possibly their Playbooks for operating.

The main goal of ransomware is to crypt all files that it can in an infected system and then demand a ransom to recover the files. However, the most important characteristic of Maze is the threat that the malware authors give to the victims that, if they do not pay, they will release the information on the Internet[2].

This threat has not been an idle one as the files of one company were indeed released on the Internet. Even though the company sued, the damage was already done. This is a behavior increasingly observed in new ransomware[3], such as Sodinokibi, Nemty, Clop and others.

Details on general ransomware are available at – Link .

Technical Details of Advesary

Understanding your adversary is half battle won. Details at: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ (look at IoCs)

TTPs – Mitre Att&ck matrix
- Most important – https://attack.mitre.org/software/S0449/
- See above in Mitre Navigator too
- Note that the initial access would be through Phishing or a exploit kit
- https://unit42.paloaltonetworks.com/threat-brief-maze-ransomware-activities/
- Fireeye threat research

Mitigations

The containment strategy (Remediation / Stop the spread) is based on the below tactics used by the adversary[5 ]

STOP: Lateral dispersion amongst systems using standard Windows Operating System protocols
- Endpoint Segmentation – Hardening – Windows Firewall
- RDP Hardening – Enforce Multi-Factor Authentication – Leverage Network Level Authentication – Restrict Administrative Accounts from Leveraging RDP on Internet-Facing Systems
STOP: Lateral dispersion amongst systems via binding to administrative shares for tool or malware deployment (eg. • ADMIN$• C$• D$• IPC$)
- Disable Administrative / Hidden Shares – Registry Method – Group Policy Method
STOP: Lateral dispersion amongst systems via vulnerability exploitation or legacy protocol abuse
- Disable SMB v1 – PowerShell Method – Registry Method – Group Policy Method
STOP: Lateral dispersion between systems via Windows Remote Management (WinRM) and PowerShell remoting
- Hardening Windows Remote Management (WinRM) – PowerShell – Group Policy Method
STOP: Lateral movement and propagation using the built-in local administrator account on endpoints
- Remote Usage of Local Accounts – SIDs within Group Policy settings
STOP: Lateral movement and propagation using domain-based accounts
- Reduce the Exposure of Privileged and Service Accounts – Privileged Account Logon Restrictions – Service Account Logon Restrictions – Protected Users Security Group
STOP: Obtaining cleartext credentials in memory for credential harvesting
- Cleartext Password Protections – Registry Method – Group Policy Method

Analysis

Identification & Scoping of the incident is key. Look at the IoCs[5] and ensure you know the ransomware-type and the variant. Please note there are new variants released every second.

Key Link from Fireye[5].

Identify which of the below 2 common techniques is used by the Ransomware to deploy across your environment

Manual propagation by a threat actor after they have penetrated an environment and have administrator-level privileges broadly across the environment:
- Manually run encryptors on targeted systems.
- Deploy encryptors across the environment using Windows batch files (mount C$ shares, copy the encryptor, and execute it with the Microsoft PsExec tool).
- Deploy encryptors with Microsoft Group Policy Objects (GPOs).
- Deploy encryptors with existing software deployment tools utilized by the victim organization.
Automated propagation
- Credential or Windows token extraction from disk or memory.
- Trust relationships between systems — and leveraging methods such as Windows Management Instrumentation (WMI), SMB, or PsExec to bind to systems and execute payloads.
- Unpatched exploitation methods (e.g., EternalBlue — addressed via Microsoft Security Bulletin MS17-010).

Playbook for a generic Ransomware attack

FlexibleIR provides you different flavors of best practice playbooks for the same threat. This will help to get multiple perspectives to handle today’s complex targeted attacks. You can build state-of-the-art playbooks combining these playbooks and your operational knowledge.

ransomware-attack-runbook — Playbook 2 – CLICK FOR LIVE EXPERIENCE

Our sincere thanks to Joshua C Geno for the above playbook. Please mail us in case you need an original version of the pdf file at contact@flexibleir.com

Tips

Know whom to call. Please first ensure you are able to quickly mobilize all the help required and the right contacts have been reached out to. You may need to start on several parallel investigation trails. General actions to Recover If Impacted– Don’t Let a Bad Day Get Worse.

Ask for help! Contact CISA, the FBI, or the Secret Service (If in US) . Respective CERTs for every country.
Work with an experienced advisor to help recover from a cyber attack
Isolate the infected systems and phase your return to operations
Review the connections of any business relationships (customers, partners, vendors) that touch your network
Apply business impact assessment findings to prioritize recovery
Fact – how the attackers got access – will likely take time to determine. So have parallel tracks running for immediate containment and investigative/forensic works.

Variants

Ensure you are not looking at older mitigations or IoCs.

References

References
IoCs
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVA01&VACODE=CIVA-2020-1674
https://cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-001/

https://www.us-cert.gov/ncas/alerts/TA16-091A
https://www.us-cert.gov/Ransomware
https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf

Low
https://www.infrascale.com/wp-content/uploads/pdf/Infrascale-Steps-to-Mitigate-Ransomware.pdf
https://logrhythm.com/blog/5-steps-to-defend-against-ransomware/

Advanced
https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/

Incidents

Some of the more recent attacks include LG Electronics, chip maker MaxLinear, IT giant Cognizant, and business services company Conduent.

Decryptor

Ensure to have a clear test setup. Consider trying out a decryptor to regain access to files. The decryptor may or may not work to unlock.

Innovations

Thinking out of the box is key when everything is down. Here is an example of creative thinking down at HYDRO during their incident remediation phase.

Automation

Consider possible automation candidate scripts to reduce impact time.

User Contributed Notes

Revisions

March 13, 2020: Initial Version

Tagsidentity theft ransomware

About The Author

venkat

Venkat is founder of FlexibleIR. He brings 20 years of experience in building tools and products at Sun Microsystems, Intel, Novell, HP, Yahoo,Tesco and startups. He has developed test suites and frameworks for post silicon validation of the Xeon processor family (Fuzzing). He has worked deeply on UFS files system at SUN Microsystem. Was a security paranoid at Yahoo.

One thought on “Playbook for Maze Ransomware”

venkat says:

April 18, 2021 at 5:40 am

test

Log in to Reply