Ransomware test subject – Maze
Ransomware is often pushed on business networks and PCs using specialized software named exploit kits. These are software packages that run on the victim’s PC after visiting an infected website or opening malicious email attachments. One of these exploit kits is Spelevo, which, lately, is pushing the Maze ransomware, after exploiting weaknesses in Flash player, a component used by browsers to display data.
Maze is a variant of Chacha ransomware and was initially found by malware researchers in May. Back then, it was distributed by yet another exploit kit, named Fallout.
Maze ransomware – test findings
When Maze is executed, it will first scan the PC for valuable user files, delete shadow volume copies, collect some PC and user info, then contact several command and control servers. After all these, encryption begins. It is using an encryption method called ChaCha20, a variant of the Salsa20 method. The encrypted files are renamed differently, meaning an apparently random extension is added to each of them. Then, it drops ransom notes on the desktop and attacked folders. It even replaces the desktop wallpaper with a customized message. The message and ransom amount will differ if the attacked PC is part of a corporate network, if it’s a server or workstation, and so on.
The ransom note also contains a link to a support page, which we visited during our test. It includes several features and allows the user to test the recovery process by submitting the ransom note for identification and three files for decryption. It also contains a chat function, which was indeed monitored by the cybercriminals at the time of our test, and we had a little chat with them (more about this in the video).
Unfortunately, there’s no known way to decrypt the files encrypted by Maze freely. But there are ways to protect yourself from any ransomware attack efficiently, one of them being Ranstop.
Maze ransomware vs Ranstop – test results
TEMASOFT Ranstop detects this version of Maze ransomware soon after it starts encrypting files. Upon detection, alerts are triggered, and the malware process is blocked and quarantined. The affected files are automatically restored so that the user doesn’t lose any critical document.
About TEMASOFT Ranstop
TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.
For more information, follow us on social media and subscribe to our newsletter.