Maze ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, Maze operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.[1][2][3]

ID: S0449
Platforms: Windows
Contributors: Center for Threat-Informed Defense (CTID); SarathKumar Rajendran, Trimble Inc
Version: 1.2
Created: 18 May 2020
Last Modified: 24 January 2022

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Maze has communicated to hard-coded IP addresses via HTTP.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Maze has created a file named "startup_vrun.bat" in the Startup folder of a virtual machine to establish persistence.[3]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

The Maze encryption process has used batch scripts with various commands.[1][3]

Enterprise T1486 Data Encrypted for Impact

Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.[1]

Enterprise T1568 Dynamic Resolution

Maze has forged POST strings with a random choice from a list of possibilities including "forum", "php", "view", etc. while making connection with the C2, hindering detection efforts.[2]

Enterprise T1564 .006 Hide Artifacts: Run Virtual Instance

Maze operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual machine's configuration file mapped the shared network drives of the target company, presumably so Maze can encrypt files on the shared drives as well as the local machine.[3]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Maze has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg.[2] It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services.[3]

Enterprise T1070 Indicator Removal

Maze has used the "Wow64RevertWow64FsRedirection" function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.[2]

Enterprise T1490 Inhibit System Recovery

Maze has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.[2][3]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Maze operators have created scheduled tasks masquerading as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update" designed to launch the ransomware.[3]

Enterprise T1106 Native API

Maze has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others.[2]

Enterprise T1027 Obfuscated Files or Information

Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis.[2]

.001 Binary Padding

Maze has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process.[2]

Enterprise T1057 Process Discovery

Maze has gathered all of the running system processes.[2]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Maze has injected the malware DLL into a target process.[2][3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Maze has created scheduled tasks using name variants such as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update", to launch Maze at a specific time.[3]

Enterprise T1489 Service Stop

Maze has stopped SQL services to ensure it can encrypt any database.[3]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

Maze has delivered components for its ransomware attacks using MSI files, some of which have been executed from the command-line using msiexec.[3]

Enterprise T1082 System Information Discovery

Maze has checked the language of the infected system using the "GetUSerDefaultUILanguage" function.[2]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

Maze has checked the language of the machine with function GetUserDefaultUILanguage and terminated execution if the language matches with an entry in the predefined list.[2]

Enterprise T1049 System Network Connections Discovery

Maze has used the "WNetOpenEnumW", "WNetEnumResourceW", "WNetCloseEnum" and "WNetAddConnection2W" functions to enumerate the network resources on the infected machine.[2]

Enterprise T1529 System Shutdown/Reboot

Maze has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM.[3]

Enterprise T1047 Windows Management Instrumentation

Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network.[2][3]

Groups That Use This Software

ID Name References
G0037 FIN6


G0046 FIN7