Maze Ransomware
Maze Ransomware has been active since July 2016 and has repeatedly changed its TTPs to evade detection and improve its infection rate. Unlike other ransomware that only encrypts data, Maze exfiltrates data before encrypting it. The Maze operators recently published data from six victim organisations on the internet after those organisations refused to pay the ransom demanded.
Here are some of the indicators of compromise (IOCs); access to them should be blocked from within your organisation.
Domains
- mazedecrypt[.]top
- aoacugmutagkwctu[.]onion
- thesawmeinrew[.]net
- drivers[.]updatecenter[.]icu
- updates[.]updatecenter[.]icu
Filenames
- 8e6ce49[.]exe
- 3686576[.]exe
- 17269b5[.]exe
- mrtscp64[.]exe
- jarvey[.]exe
- KarriBillabong[.]dll
- 5f83030[.]exe
- 4ffcc27[.]exe
- ac2c822[.]exe
- kinput[.]dll
- version[.]dll
- kepstl32[.]dll
- memes[.]tmp
- maze[.]dll
- lckwmi[.]bat
Workarounds
- Block the IOCs listed above.
- Avoid handling files from untrusted sources.
- Update your anti-virus solutions with the latest virus definitions.
- Keep applications and operating systems at the current released patch level.
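The domain and filename lists above are defanged (dots written as "[.]"), so they cannot be matched against logs as-is. The following script is an added example, not part of the original advisory: it refangs the two lists, renders a hosts-style sinkhole blocklist for the "Block the IOCs" step, and scans a few constructed DNS and process-creation log lines (invented for this example, not from any real incident; the log layout is an assumption) for hits. It also matches subdomains of the listed domains, which is a generalisation beyond the literal list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Defanged indicators copied from the advisory above. "[.]" keeps the
# strings from being auto-linked in reports; refang() restores them.
DEFANGED_DOMAINS = [
    "mazedecrypt[.]top",
    "aoacugmutagkwctu[.]onion",
    "thesawmeinrew[.]net",
    "drivers[.]updatecenter[.]icu",
    "updates[.]updatecenter[.]icu",
]
DEFANGED_FILENAMES = [
    "8e6ce49[.]exe", "3686576[.]exe", "17269b5[.]exe", "mrtscp64[.]exe",
    "jarvey[.]exe", "KarriBillabong[.]dll", "5f83030[.]exe", "4ffcc27[.]exe",
    "ac2c822[.]exe", "kinput[.]dll", "version[.]dll", "kepstl32[.]dll",
    "memes[.]tmp", "maze[.]dll", "lckwmi[.]bat",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form, lower-cased for matching."""
    return ioc.replace("[.]", ".").strip().lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
FILENAMES = {refang(f) for f in DEFANGED_FILENAMES}


def render_hosts_blocklist() -> List[str]:
    """Hosts-file style sinkhole lines (one per listed domain), for a resolver blocklist."""
    return [f"0.0.0.0 {d}" for d in sorted(DOMAINS)]


def domain_matches(name: str) -> Optional[str]:
    """Return the listed domain that `name` equals or is a subdomain of, else None."""
    labels = name.lower().rstrip(".").split(".")
    # Walk from the full name up through its parent zones, stopping before the
    # bare TLD, so cdn.drivers.updatecenter.icu is caught by drivers.updatecenter.icu.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DOMAINS:
            return candidate
    return None


def filename_matches(path: str) -> Optional[str]:
    """Return the listed file name if the basename of `path` is on the list, else None."""
    base = re.split(r"[\\/]", path.strip())[-1].lower()
    return base if base in FILENAMES else None


# Constructed sample log lines: "<timestamp> <kind> <host> query=...|image=...".
SAMPLE_LOG = """\
2020-01-14T09:12:01Z dns ws-031 query=www.example.com
2020-01-14T09:12:07Z dns ws-031 query=drivers.updatecenter.icu
2020-01-14T09:12:09Z dns ws-017 query=CDN.DRIVERS.UPDATECENTER.ICU.
2020-01-14T09:13:44Z proc ws-031 image=C:\\Users\\alice\\AppData\\Local\\Temp\\8e6ce49.exe
2020-01-14T09:13:45Z proc ws-031 image=C:\\Windows\\System32\\svchost.exe
2020-01-14T09:14:02Z proc ws-017 image=C:\\ProgramData\\Jarvey.EXE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>dns|proc) (?P<host>\S+) (?:query|image)=(?P<value>.+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str
    kind: str
    observed: str
    indicator: str


def scan(log_text: str) -> List[Hit]:
    """Match each DNS query against the domain list and each process image against the filename list."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line; a real pipeline would count these
        value = m["value"]
        ioc = domain_matches(value) if m["kind"] == "dns" else filename_matches(value)
        if ioc:
            hits.append(Hit(m["ts"], m["host"], m["kind"], value, ioc))
    return hits


if __name__ == "__main__":
    print("\n".join(render_hosts_blocklist()))
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts} {h.host} {h.kind}: {h.observed} -> {h.indicator}")
```

Filename hits are triage leads rather than verdicts: version.dll is also the name of a legitimate Windows system DLL, so a match on that name inside a system directory is expected, while the same name in a user-writable directory is worth a closer look. Pivot on the file's hash and path before acting on a filename-only hit.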