SophosLabs has just published an informative report entitled Maze ransomware: extorting victims for 1 year and counting.
Although this ransomware has been around for more than twelve months, it was originally known simply as ChaCha, after the encryption algorithm it used.
Since May 2019, however, the criminals behind the project have gone by the name Maze, and have even come up with their own logo:
The Maze logo, as it appears to victims on the gang's website.
The crooks will even talk to you after your files have been scrambled (not in their own voice, of course), and they address you by your username to make sure you know they are expecting payment:
Listen to the audio message played after a Maze attack.
Unfortunately, Maze has been much in the news in recent months, notably because the gang behind it has been at the forefront of a new wave of double-extortion attacks.
The crooks come after you with not one but two reasons to pay extortion money:
- Pay up to get the decryption key for your precious files, which we scrambled with our malware.
- Pay up so that we don't leak your precious files, which we stole before scrambling them.
When ransomware first appeared in 1989, home internet access was virtually unknown, so the criminal behind the infamous AIDS Information Trojan relied on mailing out floppy disks.
They were sent in real envelopes with real stamps to tens of thousands of postal addresses around the world.
Encryption was thus a quick way to avoid having to copy the victims' files first in order to hold them to ransom: the files are effectively stolen in place, which means that no active network connection is needed to commit the crime.
In the 2010s, the first wave of modern file-scrambling ransomware families, such as CryptoLocker, Locky and TeslaCrypt, took a similar approach.
Although the malware was now spread over the internet, usually through huge spam campaigns, the attackers still did not steal files before demanding payment.
Their aim was to catch several thousand victims at once, each held to ransom for a payment typically in the region of $300.
Uploading hundreds or thousands of megabytes from tens of thousands of computers would have been a logistical nightmare for the crooks, especially given that the upload speed of a typical home internet connection at the time was rarely more than 1 Mbit/s.
In fact, the crooks did not need to upload anything, not even the randomly generated encryption key they used on each computer they attacked.
All they had to do was show the victim that per-computer key, but only after it had been encrypted with a public key for which the crooks alone held the corresponding private key.
Public-key cryptography uses different keys to lock and unlock data, and you cannot work backwards from the public key to recover the private key. This meant the crooks could embed the public key directly in their ransomware, as long as they kept the private key to themselves.
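The key-handling pattern just described, written out as an added example so you can see why no network connection is needed and why the victim cannot unlock the files without the private key. This is constructed teaching code, not Maze's code: the RSA is textbook RSA without padding, the file cipher is an HMAC-SHA256 keystream standing in for a real stream cipher such as ChaCha20, the key size is demo-sized, and the sample files are made up. All function names are assumptions of this example.

```python
import hashlib
import hmac
import math
import secrets

# Constructed example of: random per-machine key, wrapped with a public key
# embedded in the program, private key kept elsewhere. Toy crypto chosen so
# the example runs on the Python standard library alone; not for real use.

def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test, adequate for a demo-sized key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)). Run once by the crooks, offline."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))

def rsa_wrap(key_bytes, public_key):
    """Encrypt a short symmetric key with the public key (textbook RSA)."""
    n, e = public_key
    m = int.from_bytes(key_bytes, "big")
    assert m < n, "key must be smaller than the modulus"
    return pow(m, e, n)

def rsa_unwrap(wrapped, private_key, length=32):
    """Recover the symmetric key; possible only with the private exponent."""
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(length, "big")

def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def lock_files(files, embedded_public_key):
    """The on-the-victim side: needs only the embedded public key.
    Returns the scrambled files and the wrapped key shown in the ransom note."""
    file_key = secrets.token_bytes(32)             # fresh random key per machine
    locked = {}
    for name, data in files.items():
        nonce = secrets.token_bytes(16)
        locked[name] = (nonce, keystream_xor(file_key, nonce, data))
    wrapped_key = rsa_wrap(file_key, embedded_public_key)
    # Only wrapped_key survives; nothing has to be uploaded anywhere.
    return locked, wrapped_key

def recover_files(locked, wrapped_key, private_key):
    """What the private-key holder can do and the victim cannot."""
    file_key = rsa_unwrap(wrapped_key, private_key)
    return {name: keystream_xor(file_key, nonce, data)
            for name, (nonce, data) in locked.items()}

# Constructed sample "victim" files (made up for this example).
SAMPLE_FILES = {
    "budget.xlsx": b"Q3 forecast: revenue 12,400,000; headcount 318",
    "notes.txt": b"call legal re: supplier contract renewal",
}

if __name__ == "__main__":
    public_key, private_key = rsa_keygen()      # private_key never leaves the crooks
    locked, wrapped = lock_files(SAMPLE_FILES, public_key)
    print("ransom note would carry the wrapped key:", hex(wrapped)[:34], "...")
    assert recover_files(locked, wrapped, private_key) == SAMPLE_FILES
```

The point to take from the example is the asymmetry: everything on the victim's machine (the embedded public key, the nonces, the wrapped key in the note) is useless for decryption on its own, so there is nothing for a defender to recover from disk or memory once the plaintext key has been discarded.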
As SophosLabs explains in the new report, the Maze team was one of the first extortion gangs to use a combination of extortion and blackmail, where victims not only had to pay a ransom to get their files back, but also what was effectively hush money.
In fact, the gang set up two distinct parts of its website: one where victims pay, and a second where the gang itself publishes press releases to name and shame victims who refuse to co-operate.
There's a warning on the name-and-shame page:
If you've been locked and are trying to ignore it, you need to know this:
– All information related to security breaches will be shared with the public
– Information with commercial value will be sold on the black market
– All information related to security breaches will be shared with the media
– All stock exchanges on which you are listed will be informed that you have been hacked and locked and that you have lost your confidential information
– We will use the information obtained to attack your customers and partners. We will also inform them of the source of the information.
Given that modern ransomware attacks usually target a single organisation at a time, and that the Maze team demands ransoms worth hundreds of thousands of dollars and more in Bitcoin, you can see why these crooks are willing to spend the time it takes to steal the victim's data as well.
What to do?
Because ransomware crooks no longer just lock you out of your data but also threaten to expose it to the rest of the world, prevention is much better than cure.
Our top tips:
- Patch early, patch often. Crooks who stage attacks across your whole network can afford to probe for every hole they know about. Make it harder for them by fixing known bugs as soon as you can.
- Make sure you have no unexpected ways into your network. There's nothing wrong with using technologies such as RDP and SSH for remote management; just make sure that your only remote access portals are where you expect them to be and are configured as you expect, for example behind a virtual private network (VPN).
- Keep an eye on your logs. Ransomware attacks in which large amounts of data are stolen, with the crooks carefully working their way through the network, very often leave signs that someone is where they shouldn't be.
- Set up an email address where staff can report suspicious messages. Crooks often use phishing emails to fish for passwords or data they have no business knowing. They rarely email just one person in an organisation, so one alert employee can warn 50 colleagues who might otherwise be at risk.
- Use anti-virus protection. Sophos Intercept X and XG Firewall are designed to work hand in hand against ransomware and its consequences. Home users can protect themselves with Sophos Home.
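One concrete form of the "keep an eye on your logs" advice, as an added example that is not part of the original article or of any Sophos product: aggregating outbound byte counts per source host from firewall or proxy logs and flagging hosts that upload far more than the rest of the estate, which is the footprint that bulk data theft before encryption tends to leave. The log format, host names, addresses and byte counts below are all constructed for this example and are not real indicators of Maze activity.

```python
import statistics
from collections import defaultdict

# Constructed sample lines in a generic key=value firewall/proxy format.
# Made up for this example: not real traffic, not a Maze indicator.
SAMPLE_LOG = """\
2020-05-12T22:01:14Z src=ws-017 dst=203.0.113.9:443 bytes_out=812
2020-05-12T22:03:52Z src=ws-042 dst=203.0.113.9:443 bytes_out=1190
2020-05-12T22:05:07Z src=fileserver-01 dst=198.51.100.77:443 bytes_out=734003200
2020-05-12T22:06:33Z src=ws-017 dst=203.0.113.9:443 bytes_out=2048
2020-05-12T22:09:41Z src=fileserver-01 dst=198.51.100.77:443 bytes_out=698351616
2020-05-12T22:12:10Z src=ws-088 dst=203.0.113.9:443 bytes_out=4410
2020-05-12T22:15:55Z src=fileserver-01 dst=198.51.100.77:443 bytes_out=512000000
"""

def parse_line(line):
    """Parse one 'timestamp k=v k=v ...' log line into a dict."""
    fields = line.split()
    kv = dict(field.split("=", 1) for field in fields[1:])
    return {"ts": fields[0], "src": kv["src"], "dst": kv["dst"],
            "bytes_out": int(kv["bytes_out"])}

def bytes_out_per_pair(log_text):
    """Total bytes sent from each source host to each destination."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        totals[(rec["src"], rec["dst"])] += rec["bytes_out"]
    return totals

def flag_bulk_uploads(log_text, min_bytes=100 * 2**20, ratio=20.0):
    """Flag (src, dst) pairs whose upload volume is both large in absolute
    terms and far above the median per-host volume for the same window.
    The median is used as the baseline so one exfiltrating host cannot
    drag the baseline up with it."""
    totals = bytes_out_per_pair(log_text)
    per_src = defaultdict(int)
    for (src, _dst), total in totals.items():
        per_src[src] += total
    baseline = statistics.median(per_src.values()) if per_src else 0
    findings = []
    for (src, dst), total in totals.items():
        if total >= min_bytes and total >= ratio * baseline:
            findings.append({"src": src, "dst": dst, "bytes_out": total})
    return sorted(findings, key=lambda f: -f["bytes_out"])

if __name__ == "__main__":
    for hit in flag_bulk_uploads(SAMPLE_LOG):
        print(f"{hit['src']} sent {hit['bytes_out']:,} bytes to {hit['dst']}")
```

The thresholds are deliberately simple: an absolute floor stops a quiet network from flagging normal traffic, and the ratio against the median catches a single host that is behaving unlike its peers. Tune both to your own baselines, and run the aggregation over a window (an hour, a night) rather than over a whole day, since the staging and upload phase of these attacks is usually compressed into a short period outside business hours.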