Maze And Egregor Ransomware

    Prevent RaaS ransomware attacks by partnering with a cybersecurity provider like Mimecast.
    Overview

    Understanding RaaS ransomware attacks

    Maze ransomware, which emerged in 2019, targeted Windows-based operating systems across a variety of industries. It compromised and locked up data, then demanded a ransom payment, often in bitcoin, to release the data.

    Following a self-reported shutdown by its creators, Maze allegedly suspended operations in 2020, but soon afterwards RaaS (ransomware-as-a-service) “successors” such as Egregor ransomware emerged to follow suit.

    In this article we will cover how RaaS such as Maze ransomware works, how it infiltrates organizations, and what can be done to prevent ransomware attacks.


    What is RaaS?

    Ransomware as a Service (RaaS) is a subscription-based model that lets cybercriminal affiliates use already-developed ransomware tools to carry out ransomware attacks. Many attacks deploy evolved forms of previously deployed ransomware; Maze ransomware, for example, evolved into well-known cybersecurity threats such as Egregor ransomware.


    How did Maze ransomware work?

    Maze ransomware first infiltrates the network, often through email phishing campaigns in which emails carry malware links or downloadable malware disguised as a Microsoft Word or Excel document.

    Maze has also been known to infiltrate networks via RDP brute force attacks, which often successfully exploit weak passwords.

    Once Maze has infiltrated the network, its cyberattackers work to gain elevated privileges within the network so that they can distribute the malware to other computers and compromise as much data as possible.

    Once they’ve compromised the data, they exfiltrate it to servers that are controlled by cyberattackers.
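    One defender-side check for the RDP brute-force entry point described above, added here as an example that is not from the original article or from Mimecast: it runs a sliding-window count over constructed records modelled on Windows Security event 4625 (failed logon; logon type 10 is RemoteInteractive, i.e. RDP) and flags any source address whose failures reach a threshold inside the window. The record field names, the threshold and the window length are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_events():
    """Constructed sample records modelled on Windows Security event 4625
    (failed logon). The field names are assumptions, not a real log format."""
    base = datetime(2020, 5, 1, 2, 0, 0)
    events = []
    # A burst: one external address tries eight usernames over RDP in 84 seconds.
    for i, user in enumerate(["administrator", "admin", "backup", "sql",
                              "scanner", "helpdesk", "guest", "test"]):
        events.append({"time": base + timedelta(seconds=12 * i), "event_id": 4625,
                       "logon_type": 10, "user": user, "src_ip": "203.0.113.7"})
    # Benign noise: one mistyped RDP password and one failed console logon (type 2).
    events.append({"time": base + timedelta(seconds=30), "event_id": 4625,
                   "logon_type": 10, "user": "jdoe", "src_ip": "10.0.0.15"})
    events.append({"time": base + timedelta(seconds=45), "event_id": 4625,
                   "logon_type": 2, "user": "jdoe", "src_ip": "10.0.0.15"})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {src_ip: peak_failures} for every source whose failed RDP logons
    (event 4625, logon type 10) reach `threshold` within any `window`."""
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue                       # only failed RemoteInteractive logons count
        q = recent[ev["src_ip"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["src_ip"]] = max(len(q), flagged.get(ev["src_ip"], 0))
    return flagged


if __name__ == "__main__":
    for ip, hits in detect_rdp_bruteforce(constructed_events()).items():
        print(f"possible RDP brute force from {ip}: {hits} failures within the window")
```

    On real data the same logic would be fed from the Security event log export or a SIEM query rather than the constructed list, and a hit on an address outside the organization should be treated as a signal to review exposed RDP and enforce strong credentials or MFA.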


    How did Maze exfiltrate data?

    Exfiltrating data means moving data outside of a trusted and protected network. Maze did this using the File Transfer Protocol (FTP), copying the files to another server and then encrypting them, so that victims were locked out of their files as well as of the location where the files were stored.


    What was the Maze ransomware website?

    Maze operated a website where they regularly published compromised data to prove their cyberattacks were successful, and to punish those who didn’t pay ransom.

    In 2020 Maze announced on its own website that it would be shutting down, but many suspect the operators of Maze are still at large and operating under different names.


    Where did Maze ransomware come from?

    It is unclear exactly where Maze ransomware came from, but it is widely suspected that the Maze group is part of a vast network of cybercriminal affiliates who also develop other types of malware.

    What has been clear is that Maze ransomware has paved the way for RaaS successors, namely Egregor, which emerged shortly after Maze shut down in 2020.


    Egregor ransomware attacks

    A “child” of the Maze and Sekhmet ransomware families, Egregor began operating in September 2020 and was largely deployed and distributed by Maze affiliates. One of the most notable differences is that Egregor ransomware would not only render files and programs unusable, but its operators would also publish the compromised data if the ransom was not paid within three days.

    This double-extortion tactic quickly made Egregor a force to be reckoned with, with the highest recorded cost of Egregor ransom reaching $4 million.

    Egregor had a six-month run before being taken down by the FBI and Ukrainian authorities. It is widely suspected that Egregor will soon resurface under a different name.


    Why RaaS ransomware is so dangerous to healthcare

    Cyberattackers prey on the vulnerabilities of all organizations who need to protect sensitive data, and healthcare organizations often have a plethora of patients’ medical information that must remain protected. Cyberattackers can threaten to sell, publish, or otherwise share HIPAA-protected information that they gain access to, putting victims of such cyberattacks in a very difficult position.

    Even setting cyberattacks aside, maintaining HIPAA compliance is a unique challenge for the healthcare industry, but there are ways to remain HIPAA compliant without sacrificing convenient communication and ease of operation, while also protecting the organization from cyberattackers.

    For example, cybersecurity services like Mimecast offer HIPAA-compliant communication channels that protect information even as it is sent over email. When choosing a cybersecurity service provider, healthcare organizations will do well to work with one that understands and adheres to HIPAA compliance.


    Should you pay the ransom for RaaS ransomware attacks?

    It is generally advisable to not pay the ransom for any ransomware attacks, as there is no guarantee that criminals will honor the ransom. In addition, paying the ransom will not stop them from continuing to sell or display compromised data.

    Always be sure to report ransomware attacks to the appropriate authorities.


    How Mimecast can help prevent RaaS ransomware attacks

    While it’s nearly impossible to avoid ransomware altogether, the best way to mitigate damage from ransomware attacks is to partner with a cybersecurity service provider like Mimecast.

    • Cybersecurity services that enable convenient data protection and backup without compromising seamless communication and operation within your organization.
    • Security awareness training that empowers your teams to protect your organization.
    • Backups of your data with Mimecast's cloud security.

    To learn more about how Mimecast can help prevent ransomware attacks, schedule a demo.
