Maze ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, Maze operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1486 | Data Encrypted for Impact | Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files. |
| Enterprise | T1564.006 | Hide Artifacts: Run Virtual Instance | Maze operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual machine's configuration file mapped the shared network drives of the target company, presumably so Maze can encrypt files on the shared drives as well as the local machine. |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Maze has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg. It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services. |
| Enterprise | T1070 | Indicator Removal on Host | |
| Enterprise | T1490 | Inhibit System Recovery | |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | |
| Enterprise | T1218.007 | Signed Binary Proxy Execution: Msiexec | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1047 | Windows Management Instrumentation | |

Groups That Use This Software