{"id":30819,"date":"2021-01-13T12:58:13","date_gmt":"2021-01-13T19:58:13","guid":{"rendered":"https://www.webroot.com/blog/?p=30819"},"modified":"2021-01-13T12:58:14","modified_gmt":"2021-01-13T19:58:14","slug":"maze-ransomware-is-dead-or-is-it","status":"publish","type":"post","link":"https://www.webroot.com/blog/2021\/01\/13\/maze-ransomware-is-dead-or-is-it\/","title":{"rendered":"Maze Ransomware is Dead. Or is it?"},"content":{"rendered":"\n<p>\u201cIt\u2019s definitely dead,\u201d says Tyler Moffitt, security analyst at Carbonite + Webroot, OpenText companies. \u201cAt least,\u201d he amends, \u201cfor now.\u201d<\/p>\n\n\n\n<p>Maze ransomware, which made our top 10 list for <a href=\"https:\/\/community.webroot.com\/news-announcements-3\/meet-the-nastiest-malware-of-2020-345415\">Nastiest Malware of 2020<\/a> (not to mention numerous headlines throughout the last year), was officially shut down in November of 2020. The ransomware group behind it issued a kind of <a href=\"https:\/\/grahamcluley.com\/maze-ransomware-gang-closes\/\">press release<\/a>, announcing the shutdown and that they had no partners or successors who would be taking up the mantle. But before that, Maze had been prolific and successful. In fact, shortly before the shutdown, Maze accounted for an <a href=\"https:\/\/www.webroot.com\/blog\/2020\/10\/09\/cyber-news-rundown-covid-related-attacks-target-canadian-companies\/\">estimated 12%<\/a> of all successful ransomware attacks. So why did they shut down?<\/p>\n\n\n\n<p>I sat down with Tyler to get his take on the scenario and find out whether Maze is well and truly gone.<\/p>\n\n\n\n<p><strong>Why do you think Maze was so successful?<\/strong><\/p>\n\n\n\n<p>Maze had a great business model. They were the group that popularized the breach leak\/auction website. 
So, they didn\u2019t just steal and encrypt your files like other ransomware; they threatened to expose the data for all to see or even sell it at auction.<\/p>\n\n\n\n<p><strong>Why was this shift so revolutionary?<\/strong><\/p>\n\n\n\n<p>The Maze group tended to target pretty huge organizations with 10,000 employees or more. Businesses that big are likely to have decent backups, so just taking the data and holding it for ransom isn\u2019t much of an incentive.<br><br>Now think about this: those huge businesses also would\u2019ve been subject to pricey fines for data breaches because of regulations like GDPR; and they\u2019re also more likely to have big budgets to pay a ransom. So, instead of simply saying, \u201cwe have your data, pay up,\u201d they said, \u201cwe have your data and if you don\u2019t pay, we\u2019ll expose it to the world \u2013 which includes the regulators and your customers.\u201d Most of the time, paying the ransom is going to be the more cost effective (and less embarrassing) option. We don\u2019t know if the Maze group invented this tactic, but they definitely set the trend, and a bunch of other ransomware groups started following it.<\/p>\n\n\n\n<p><strong>Other than the leak sites, did they do anything else noteworthy or different from other groups?<\/strong><\/p>\n\n\n\n<p>One of the bigger threat trends we saw in 2020 was malware groups partnering up for different pieces of the infection chain, such as Trojans, backdoors, droppers, etc. The botnet Emotet, for example, was responsible for a huge percentage of ransomware infections from various different groups. Maze, however, was pretty self-contained. We saw them working with a few other groups throughout 2020, but they had their own malspam campaign for delivery and everything else they needed in-house, so to speak. 
They were like a one-stop shop.<\/p>\n\n\n\n<p><strong>Do you think the move to remote work during the pandemic contributed to their success?<\/strong><\/p>\n\n\n\n<p>Absolutely, though you could say that about any ransomware group. Phishing and RDP attacks really ramped up when people started working from home. Home networks and personal devices are generally much less secure than corporate ones, and cybercriminals are always looking for ways to exploit a given situation for their gain.<\/p>\n\n\n\n<p><strong>If Maze was doing so well, why did they shut down?<\/strong><\/p>\n\n\n\n<p>Probably because they\u2019d gotten too much attention. The more notoriety you get, the harder it is to operate. We see this with a lot of malware groups. They shut down for a while, either to lie low because the heat is on, or to just spend the money they\u2019ve gotten from their payouts and enjoy life. Or, sometimes, they don\u2019t lie low at all but just rebrand themselves under a new name. Either way, they tend to come back. For example, a ransomware variant called Ryuk went dark and came back as Conti. Emotet went away for a long time too and then came back under the same group name.<\/p>\n\n\n\n<p><strong>How can you tell when an old group has rebranded?<\/strong><\/p>\n\n\n\n<p>Unless they announce it in some way, the only way to really tell is if you can get a sample of the malware and reverse engineer it and look at the code. One of our threat researchers did that with a sample of Sodinokibi and discovered it had \u201cGandCrab version 6\u201d in its code. So, that\u2019s an example of a rebrand, but it can be hard to spot.<\/p>\n\n\n\n<p><strong>Do you think Maze is done for good?<\/strong><\/p>\n\n\n\n<p>Not a chance. They attacked huge targets and got massive payouts. Most ransomware groups attack smaller businesses who are less likely to have strong enough security measures. 
Even the ones that targeted larger corporations, like Ryuk, still attacked businesses one-fifth the size of a typical Maze target. Now, the Maze group can relax and take a lavish vacation with all the money they got. But I\u2019d be pretty shocked if they just abandoned such a winning business model entirely.<\/p>\n\n\n\n<p>The verdict: Maze may be gone for now, but experts are fairly certain we haven\u2019t seen the last of this virulent and highly successful malware group. In the meantime, Tyler advises businesses everywhere to use the lull as an opportunity to batten down their cyber resilience strategies by implementing layered security measures, locking down RDP, and educating employees on cybersecurity and risk avoidance.<\/p>\n\n\n\n<p>Stay tuned for more ransomware developments right here on the Webroot blog.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u201cIt\u2019s definitely dead,\u201d says Tyler Moffitt, security analyst at Carbonite + Webroot, OpenText companies. \u201cAt least,\u201d he amends, \u201cfor now.\u201d Maze ransomware, which made our top 10 list for Nastiest Malware of 2020 (not to mention numerous headlines throughout the last year), was officially shut down in November of 2020. 
The ransomware group behind it [&hellip;]<\/p>\n","protected":false},"author":151,"featured_media":30821,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[]}