Mandiant dishes on notorious Maze ransomware group

Who is behind Maze?

In an accompanying blog post earlier this month, Mandiant said it "identified multiple Russian-speaking actors who claimed to use Maze ransomware and were seeking partners to fulfill different functional roles within their teams. 

During the webinar, Goody and Kennelly shed additional light on Maze threat actors, saying there are three distinct groups under the name. Mandiant researchers are currently tracking three separate clusters of threat activity involved in the post-compromise distribution of Maze ransomware.

The most unique of the three groups is the financially motivated FIN6 group, which has been active since mid-2014, according to Mandiant.

"Unlike other groups that sit alone in clusters connected to only other Maze intrusion operations, FIN6 has a long history of financially motivated intrusions. They had a longtime focus on targeting point of sale (POS) devices, primarily using Trinity or FrameworkPOS [malware]," Kennelly said.

Since 2017, FIN6 techniques have evolved into payment card data targeting, particularly targeting web-based e-commerce platforms to steal credit card numbers or names. Though their tactics shifted, Mandiant observed FIN6 reusing penetration testing tools like Cobalt Strike and Metasploit.

Maze tools and techniques

Through late 2019, before shifting to post-compromise methodology, Maze ransomware was distributed directly via exploit kits and spam campaigns. Now, Mandiant said, common tools include Mimikatz, which is used to extract credentials or tokens and batch scripts to kill processes prior to the execution of ransomware. However, threat researchers have observed a broad range of approaches to network, host, data and active directory reconnaissance across observed Maze incidents.

For example, Kennelly said in the webinar, one thing to note about the second Maze group is its intrusion vector. "In this case, we've seen them access networks via [Trojan] IcedID." In addition, Mandiant observed that specific Maze group only took a small number of days from when it obtained initial access to the environment to when it began active intrusion operations.

Intrusions vary in the way that attackers have obtained initial access, including botnet operators seeking penetration testers to exploit obtained access and penetration testers or other intermediary seeking access to exploit.

"But there are a few clear patterns in the manner in which the initial access is obtained. Banking trojans leading to compromise, initial access coming via compromised web applications and multiple cases where the attacker obtained initial access using legitimate credentials by logging into the corporate VPN infrastructure and/or the corporate system with an internet-facing admin interface. In some cases, it's plausible the accounts have weak passwords and attackers use brute force or credentials have been collected using spear-phishing or via precursor malware operations," Kennelly said in the webinar.

Common tools in earlier stages of intrusion also include open source penetration testing tool Bloodhound and PowerSploit/PowerView. Squidgate and Beacon are commonly used to move laterally throughout the environment.

Data exfiltration and extortion

According to Kennelly, one clear pattern observed across nearly all intrusions was as soon as the data was exfiltrated, the ransomware was deployed. Though exfiltration methods vary, Maze operators have been known to collect data to exfiltrate and upload to an attacker-controlled FTP server. It is common for some actors to use WinSCP and PowerShell scripts in exfiltration, as well as cloud-based file hosting using direct upload or synchronization utility.

Even in different phases of the operations, between initial access and the time active intrusion begins, dwell time can vary dramatically from one day to one year, Kennelly said in the webinar. However, data theft and extortion may increase attacker dwell time.

Mandiant is aware of more than 100 alleged Maze victims reported by various media outlets and on the Maze website since November 2019. Maze operators have become known for data shaming victims, on top of encryption.

"They collect one fee for the agreement not to release files and a separate fee for the encryptor. In December of 2019, operators registered a domain in which would become the centralized location where victims and alleged data stolen from victims would be shared," Goody said in the webinar.

Through that website, Maze operators share domains, dates they encrypted files, volumes, examples of files and a list of impacted systems. Posting information of allegedly compromised organizations increases the pressure for victims to pay.

In order to defend against these attacks, Kennelly said it's not the ransomware that's the issue. "Ransomware is a tool. It's the intrusion operations that proceed it that need to be addressed individually," he said in the webinar.