Maze ransomware, previously known in the hacker community as "ChaCha ransomware," was first identified on 29 May 2019 by Jerome Segura, a malware intelligence analyst. The goal of the ransomware is to encrypt all files on an infected system and then demand a ransom to recover them. The threat actor behind it, which has taken credit for compromising an insurance giant, appears to be continuing its attack spree at full intensity. It is currently targeting the aerospace sector, specifically the maintenance service provider VT San Antonio Aerospace, which holds several contracts with the US government and various airlines.
The Maze threat actors gained access to the systems of VT San Antonio Aerospace in March 2020 using an administrator account whose credentials had been captured by a keylogger. The group claims to be in possession of 1.5 TB of unencrypted files and sensitive data, some of which it has already posted on its leak site, a website built to publish victims' names and stolen data. The longer a victim delays paying the Maze ransom, the more of its data the group publishes.
The Maze group is apparently working on a dedicated mission of targeting enterprises across the globe. Recently, within the first week of June 2020, it has been reported that threat actors associated with Maze group have targeted Westech International, a global aerospace and marine engineering company, business services giant Conduent, and Kerr Controls who manufacture automation systems for commercial business.
Maze is mainly spread through exploit kits such as Fallout and Spelevo, remote desktop (RDP) connections protected only by weak passwords, and phishing emails impersonating government agencies. In the October 2019 attacks on Italian organizations, for instance, the emails carried a Word attachment whose macros ran the malware on the system. The malware is written specifically to hinder reverse engineering, which makes static analysis by security researchers more difficult; reverse engineering is the standard practice of taking a program apart to understand how it works, in this case the malware itself.
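Of the three infection vectors above, password guessing against exposed RDP is the one a defender can catch on the host itself, because every attempt leaves a Windows Security logon event. The following is an added example, not Red Sky Alliance's code and not taken from the page: it runs a simple "many failures, then a success from the same source" detection over constructed lines shaped like summarised Windows Security events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP). The one-line field layout, the addresses and the account names are assumptions made for the example; real events are XML inside EVTX files and would need a different parser.

```python
"""Detect RDP password guessing followed by a successful logon.

Added example (not Red Sky Alliance's code). The log format below is a
constructed, one-line summary of Windows Security events 4625/4624 with
LogonType=10 (RDP); real EVTX records need a real parser.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 guesses passwords for three accounts and
# finally logs in as administrator; 198.51.100.4 is a normal user who mistypes
# once; the LogonType=2 line is a console logon and is ignored.
SAMPLE_LOG = """\
2020-03-02T00:50:00 4625 LogonType=10 Account=administrator Source=203.0.113.7
2020-03-02T01:14:05 4625 LogonType=10 Account=administrator Source=203.0.113.7
2020-03-02T01:14:06 4625 LogonType=10 Account=administrator Source=203.0.113.7
2020-03-02T01:14:07 4625 LogonType=10 Account=backup Source=203.0.113.7
2020-03-02T01:14:09 4625 LogonType=10 Account=backup Source=203.0.113.7
2020-03-02T01:14:11 4625 LogonType=10 Account=svc_sql Source=203.0.113.7
2020-03-02T01:14:12 4625 LogonType=10 Account=jsmith Source=198.51.100.4
2020-03-02T01:14:13 4625 LogonType=10 Account=administrator Source=203.0.113.7
2020-03-02T01:14:15 4624 LogonType=2 Account=localadmin Source=-
2020-03-02T01:14:18 4624 LogonType=10 Account=jsmith Source=198.51.100.4
2020-03-02T01:14:20 4624 LogonType=10 Account=Administrator Source=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\d{4})\s+LogonType=(?P<ltype>\d+)\s+"
    r"Account=(?P<acct>\S+)\s+Source=(?P<src>\S+)"
)


def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event": int(m["event"]),
        "logon_type": int(m["ltype"]),
        "account": m["acct"].lower(),  # Windows account names are case-insensitive
        "source": m["src"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return findings for RDP sources with >= threshold failures inside `window`.

    Two kinds of finding are produced, in log order:
      "bruteforce"                - the source crossed the failure threshold
      "success_after_bruteforce"  - a 4624 arrived while the source was still
                                    over the threshold (the dangerous case)
    """
    failures = defaultdict(deque)  # source -> deque of (timestamp, account)
    flagged = set()
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != 10:
            continue  # only RDP (RemoteInteractive) logons are of interest here
        q = failures[ev["source"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # age out failures older than the sliding window
        if ev["event"] == 4625:
            q.append((ev["ts"], ev["account"]))
            if len(q) >= threshold and ev["source"] not in flagged:
                flagged.add(ev["source"])
                findings.append({"kind": "bruteforce", "source": ev["source"],
                                 "failures": len(q), "first_seen": q[0][0]})
        elif ev["event"] == 4624:
            if len(q) >= threshold:
                findings.append({"kind": "success_after_bruteforce",
                                 "source": ev["source"], "account": ev["account"],
                                 "failures": len(q),
                                 "accounts": sorted({a for _, a in q}),
                                 "at": ev["ts"]})
            q.clear()  # a success ends the guessing run for this source
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(f)
```

The 00:50 failure in the sample is deliberately outside the ten-minute window and is aged out before it can count, so the threshold is crossed by in-window attempts only. In practice the threshold and window should be tuned per environment, and the "success after brute force" finding, not the raw failure count, is the one worth paging on: with a credential already captured by a keylogger, as in the VT San Antonio Aerospace case, there may be no failures at all, so this check complements rather than replaces monitoring of unusual successful administrator logons.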
Security experts have not yet been able to trace the Maze ransomware to a country of origin. During its examination, McAfee Labs found that some of the IP addresses involved belonged to the Russian Federation. That alone is not enough to confirm a Russian origin: attackers routinely spoof, or route traffic through, IP addresses in other countries to misdirect investigations and even to sow discord between nations. Maze has previously been in the news for attacks against dozens of large business conglomerates, government contractors, and IT service companies.
Red Sky Alliance strongly recommends ongoing monitoring from both the internal and the external perspective. Internal monitoring is common practice and especially important, but external threats are often overlooked and can be an early warning of an impending attack. Red Sky Alliance can provide internal monitoring in tandem with RedXray® notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. The resulting indicators of compromise (IOCs) can be used to block known-malicious infrastructure and malware.
RedXray® provides daily cyber threat notifications to enrolled customers, identifying the threats facing that specific customer rather than the cyber threats facing all customers everywhere in the world. RedXray® informs customers of threats before they become a breach, which augments a cyber security service that only monitors threats within the organization's own network or servers. RedXray® performs its data collection without a network connection to the customer and can collect malicious data anywhere in the world.
RedXray® customers will now automatically receive Ransomware Protection, of up to $100K USD, at no additional charge. https://www.wapacklabs.com/redxray
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/wapacklabs/
Twitter: https://twitter.com/wapacklabs?lang=en