May 18, 2021

What is Maze Ransomware and How Does it Work?

By Rotem Shemesh

Maze Ransomware has been in the headlines non-stop ever since it was first reported in May 2019. It has been used to attack individual companies, governments, and increasingly – and perhaps most worryingly – MSPs. This is especially concerning as once an MSP is compromised, this then affects all of their clients, their clients’ business partners, and so on in an almost endless trail of destruction. Although Maze was shut down in November 2020 there are countless ransomware strains that pose threats to businesses across the world. 

So what is Maze ransomware, why is it so infamous, and what makes it different?

What is Maze ransomware?

To start understanding Maze Ransomware, it’s important to define what exactly it is. The Maze ransomware itself is a 32 bits binary file, usually in the guise of a .exe or .dll file.

Once Maze is deployed on an end user’s machine (we’ll discuss the “how” later on), it does the following:

  • It encrypts user files and sends a ransomware payment demand
  • It copies user data to be sold later, most likely on the Dark Web – escalating an infection from “ransomware” to “data breach”
  • It creates backdoors to enable the malicious actors behind the ransomware to have continued access to the system
  • It attempts to spread within the network and beyond

The Maze code is sophisticated and includes many obfuscation techniques designed to evade common security techniques and security teams.

Organizations believed to have been hit by Maze ransomware include the likes of Canon, tech and consulting giant Cognizant, and Conduent which provides HR and payment infrastructure to “a majority of Fortune 100 companies and over 500 governments” the impact of Maze ransomware was so massive that the FBI issued its specific warning.

Discover how Datto can help protect your business against ransomware attacks >

How Maze ransomware works

Initial deployment

In most cases, Maze is deployed onto the victim’s machine using a phishing email – increasingly common is a spear-phishing email – containing a malicious attachment, such as a macro-enabled Microsoft Word document or password-protected zip file. From examples seen in the wild, this document is often named something innocuous yet tempting, such as “Quarterly Report” or “Confidential Data Set.”

Once it has been successfully deployed – that is, a user has opened the compromised document in the previous phishing example – it begins propagating within the user’s system. Simultaneously, it starts spreading laterally within the network, seeking ever-higher access privileges in order to do more damage. During this period, files start being encrypted, often affecting both the user’s local machine as well as cloud storage.

It is at this point that the ransomware payment demand usually appears, spelling out the attacker’s requirements and method of payment – usually with crypto-currency.

Evasion techniques

How does Maze ransomware evade common security measures?

First off, it starts with a zip attachment that is encrypted with a password and/or a document that includes a macro. This makes it very difficult for email security solutions to detect Maze ransomware, because:

  • They cannot automatically open the file protected with a password
  • They do not normally scan zip files
  • Scanning macros are a challenge for these solutions

Scanning for vulnerabilities

Next, the Maze ransomware scans the network for vulnerabilities. It looks for any weaknesses in network configuration, and across multiple Active Directory attributes. This way it gains critical insights and intelligence on the network itself and can embark on the next phase of its sinister mission.

Lateral movement

The Maze ransomware now begins moving laterally within the network. It does this initially by investigating the infected machine for clues regarding moving to the next machine and through the network, constantly scanning for passwords that are not well-protected. Should this prove unsuccessful, it moves on to other means such as brute-forcing access to new user accounts.

Getting elevated privileges

Just moving laterally is not enough for attackers. They want to constantly be improving their level of access privileges to access more information and gain more control over the system. As increasingly elevated privileges are accessed, so the spread becomes easier and quicker.

How to protect against Maze ransomware

There are 4 primary ways of protecting against Maze Ransomware. These are:

  • Detecting Maze pre-delivery
  • Protecting each endpoint
  • Preventing the lateral movement of the ransomware
  • Backing up your data

Detecting Maze pre-delivery

With the vast majority of Maze ransomware attacks starting with a phishing email, the logical and most effective place to start is with a cloud email protection solution. This stops the problem upstream, preventing much damage down the line.

Protecting each endpoint

Next, it’s important to protect individual endpoints from infection. A remote monitoring and management (RMM) tool is critical here to ensure that no individual machines have been compromised and that any attempt to infect individual machines is picked up and dealt with as early as possible.

Preventing the lateral movement of the ransomware

As we’ve seen, Maze ransomware will attempt to move laterally within the organization. Again, at this stage, an RMM tool is your best chance of keeping your network secure and isolating the infected machine, without necessitating a complete shutdown of the entire network.

Backing up your data

Properly backed-up data is key to ensuring business continuity in the case of an attack – and something that helps you sleep well at night. Specifically for MSPs, this element is critical in ensuring your clients have a backup solution, quite literally. When it comes to data backup, there are numerous backup solutions available including:

  • A full Business Continuity and Disaster Recovery (BCDR) suite: for example, Datto Unified Continuity which covers all business continuity and disaster recovery needs including protecting servers, files, PCs, and SaaS applications
  • Datto SIRIS, a reliable, all-in-one business continuity and disaster recovery solution built for MSPs to prevent data loss and minimize client downtime
  • Datto ALTO, a small but powerful business continuity and disaster recovery solution built for MSPs to minimize downtime and efficiently prevent data loss for their small business clients
  • Datto Cloud Continuity for PCs which protects MSP clients’ Windows-based computers from downtime and data loss and rapidly recovers data in case of disaster
  • SaaS Protection, which offers reliable and secure cloud-to-cloud backup for Microsoft 365 and Google Workspace to ensure critical cloud data is protected


Maze ransomware isn’t going anywhere

Unfortunately, Maze ransomware is here to stay. Moreover, we’re already seeing new variants popping up that are sure to do further damage in the future. Having said that, the response to Maze ransomware as outlined here is a robust way to protect users, clients, and your organization against Maze and other ransomware attacks.

For more information, and to see what this can look like for your business, request a demo here.

Suggested Next Reads

Elevate Autotask Tickets With IT Glue Checklists

Streamline IT support with Autotask checklists. Empower Level 1 technicians to handle repetitive tickets efficiently, reducing escalations and improving service quality.