April 24, 2020

Playbook for Maze Ransomware

By venkat


The Maze ransomware, previously known in the community as “ChaCha ransomware”, was discovered on May the 29th 2019 by Jerome Segura[1].

Maze intrusion operations will mostly have similar patterns of attack frameworks, tools and techniques across victims. Also will have similar operations as other Ransomware families like Ryuk, DoppelPaymer. The same applies to Affiliates and Actors who could use a whole range of Ransomware flavors and possibly their Playbooks for operating.

The main goal of ransomware is to crypt all files that it can in an infected system and then demand a ransom to recover the files. However, the most important characteristic of Maze is the threat that the malware authors give to the victims that, if they do not pay, they will release the information on the Internet[2].

This threat has not been an idle one as the files of one company were indeed released on the Internet. Even though the company sued, the damage was already done. This is a behavior increasingly observed in new ransomware[3], such as Sodinokibi, Nemty, Clop and others.

Details on general ransomware are available at – Link .

Technical Details of Advesary

Understanding your adversary is half battle won. Details at: (look at IoCs)


The containment strategy (Remediation / Stop the spread) is based on the below tactics used by the adversary[5]

  • STOP: Lateral dispersion amongst systems using standard Windows Operating System protocols
    • Endpoint Segmentation – Hardening – Windows Firewall
    • RDP Hardening – Enforce Multi-Factor Authentication – Leverage Network Level Authentication – Restrict Administrative Accounts from Leveraging RDP on Internet-Facing Systems
  • STOP: Lateral dispersion amongst systems via binding to administrative shares for tool or malware deployment (eg. • ADMIN$• C$• D$• IPC$)
    • Disable Administrative / Hidden Shares – Registry Method – Group Policy Method
  • STOP: Lateral dispersion amongst systems via vulnerability exploitation or legacy protocol abuse
    • Disable SMB v1 – PowerShell Method – Registry Method – Group Policy Method
  • STOP: Lateral dispersion between systems via Windows Remote Management (WinRM) and PowerShell remoting
    • Hardening Windows Remote Management (WinRM) – PowerShell – Group Policy Method
  • STOP: Lateral movement and propagation using the built-in local administrator account on endpoints
    • Remote Usage of Local Accounts – SIDs within Group Policy settings
  • STOP: Lateral movement and propagation using domain-based accounts
    • Reduce the Exposure of Privileged and Service Accounts – Privileged Account Logon Restrictions – Service Account Logon Restrictions – Protected Users Security Group
  • STOP: Obtaining cleartext credentials in memory for credential harvesting
    • Cleartext Password Protections – Registry Method – Group Policy Method


Identification & Scoping of the incident is key. Look at the IoCs[5] and ensure you know the ransomware-type and the variant. Please note there are new variants released every second.

Key Link from Fireye[5].

Identify which of the below 2 common techniques is used by the Ransomware to deploy across your environment

  • Manual propagation by a threat actor after they have penetrated an environment and have administrator-level privileges broadly across the environment:
    • Manually run encryptors on targeted systems.
    • Deploy encryptors across the environment using Windows batch files (mount C$ shares, copy the encryptor, and execute it with the Microsoft PsExec tool).
    • Deploy encryptors with Microsoft Group Policy Objects (GPOs).
    • Deploy encryptors with existing software deployment tools utilized by the victim organization.
  • Automated propagation
    • Credential or Windows token extraction from disk or memory.
    • Trust relationships between systems — and leveraging methods such as Windows Management Instrumentation (WMI), SMB, or PsExec to bind to systems and execute payloads.
    • Unpatched exploitation methods (e.g., EternalBlue — addressed via Microsoft Security Bulletin MS17-010).

Playbook for a generic Ransomware attack

FlexibleIR provides you different flavors of best practice playbooks for the same threat. This will help to get multiple perspectives to handle today’s complex targeted attacks. You can build state-of-the-art playbooks combining these playbooks and your operational knowledge.


Our sincere thanks to Joshua C Geno for the above playbook. Please mail us in case you need an original version of the pdf file at


Know whom to call. Please first ensure you are able to quickly mobilize all the help required and the right contacts have been reached out to. You may need to start on several parallel investigation trails. General actions to Recover If Impacted– Don’t Let a Bad Day Get Worse.

  • Ask for help! Contact CISA, the FBI, or the Secret Service (If in US) . Respective CERTs for every country.
  • Work with an experienced advisor to help recover from a cyber attack
  • Isolate the infected systems and phase your return to operations
  • Review the connections of any business relationships (customers, partners, vendors) that touch your network
  • Apply business impact assessment findings to prioritize recovery
  • Fact – how the attackers got access – will likely take time to determine. So have parallel tracks running for immediate containment and investigative/forensic works.


Ensure you are not looking at older mitigations or IoCs.







Some of the more recent attacks include LG Electronics, chip maker MaxLinear, IT giant Cognizant, and business services company Conduent.


Ensure to have a clear test setup. Consider trying out a decryptor to regain access to files. The decryptor may or may not work to unlock.


Thinking out of the box is key when everything is down. Here is an example of creative thinking down at HYDRO during their incident remediation phase.


Consider possible automation candidate scripts to reduce impact time.

User Contributed Notes


March 13, 2020: Initial Version