Maze — the file-encrypting virus that keeps copies of stolen data from its corporate victims for blackmailWhat is Maze ransomware?Criminals behind the malware have their own websiteHow much data is stolen during the attack?Should the firm pay the ransom?Ransomware SummaryHow did my company get infected with ransomware?What are the ways to protect the company from crypto-malware attacks?Will Maze virus removal help to protect and decrypt data?
What is Maze ransomware?
Maze is a ransomware-type infection that uses cryptographic algorithms to encrypt information on the affected system. It employs symmetric ChaCha (based on Salsa20) and asymmetric RSA-2048 algorithms for protection and data encryption. In other terms, victims are unable to open or use any important data on the infected computer and on others that are connected through the intranet. Usually, almost all files with the most widely used extensions, such as .doc or .jpg are encrypted and no longer accessible to the users. However, this ransomware avoids files with .lnk, .exe, .sys, and .dll extensions. Also, it avoids modifying the following folders: Games, ProgramData, Low\Content.IE5, All Users, AppData\Local, Windows main directory, Tor Browser, cache2\entries, User Data\Default\Cache, Local Settings, and Program Files. Furthermore, Maze malware does not encrypt files marked with .inf, .ini, .db, .dat.log, .bin, .dat, .bak extensions and DECRYPT-FILES.txt ransom note. Although, it does crypt ntuser.ini file to stop other ransomware from encrypting it. This particular file is used to create and drop the ransom note in every folder that it can. Finally, after the encryption is done, this cyber threat changes the desktop wallpaper to inform victims about the attack and urges to follow the instructions on the ransom note file.
Criminals behind the malware have their own website
The ransom note by this malware contains two links — URL address to the payment page that should be accessed via the Tor Browser and another address to the website owned by Maze developers. Attackers specify that victims should first try to open the payment site. In case they are unable to do so, they can visit an official website created by cybercriminals for further instructions. The indicated page for payments uses a unique victim’s ID to generate the amount of money that should be transferred to the attackers. Criminals demand to pay for example $300 in Bitcoins and give a 50% discount if the victim pays up within the first 7 days of the attack. Security researchers note that the price can differ on a case-by-case basis. Also, they offer 3 test decrypts up to 2 MB for proof. Analyzing further, the official Maze support system website is specified to be used only if the victim cannot reach the payment page. In this website, criminals ask to upload the victim’s DECRYPT-FILES.txt file to tie it to the unique ID and collect the payment. They discourage users from waiting for verified Maze decryption tools since it would supposedly take ages to crack the algorithm. Finally, the developers of malware use another page to expose the names of their victims that refused to pay the ransom. Since many large scale businesses try to hide security breaches, the attackers aim to expose that. They indicate the date of the infection and offers to download stolen data as evidence of the breach. People are encouraged to share this information via social media link buttons.
How much data is stolen during the attack?
Security researchers cannot indicate the exact amount of information that is stolen during the breach. Although, cybercriminals claim that they usually collect over 100 GB of data from the single victim. Sometimes they are lucky enough to even get 1 TB of commercial and private documents. Attackers specify that they search for data marked with non-disclosure agreements (NDA) in order to use it as a base for a lawsuit against the victimized company. Thus, Maze ransomware removal might not help to fix the damage. Corporations are threatened since not paying the ransom is stated to lead to a release of public data of the breach to the media, an upload of stolen data on the darknet for sell, informing the stock exchanges about the sensitive data leak, usage of the stolen data to attack company partners and clients. This is the reason why Maze ransomware virus is so successful and generates enormous profits from various well-known companies, including IT services giant Cognizant, UK medical firm Hammersmith Medicines Research (HMR), security staffing company Allied Universal, and others.
Should the firm pay the ransom?
This is probably one of the hardest decisions that the victimized firm could make. Everyone should bear in mind that if companies keep paying up to the criminals, they will only be encouraged to launch similar ransomware attacks in the future. Monetary benefits gained from the infections act as a very strong motivator for the attackers. Therefore, paying the ransom starts a never-ending circle of ransomware attacks for all types of businesses and even individual computer users. However, your company has to weight all the potential consequences of sensitive information loss and exposure. If the board agrees that keeping private data from the public is crucial, you might need to follow the demands of the cybercriminals. Although, it is essential to investigate how did the brach happen and find all loopholes to patch them. Many large scale businesses have their own IT security departments and install various professional security tools to protect the systems and train their employees. For example, some ransomware-type threats can be eliminated with tools like INTEGO.
Ransomware Summary
How did my company get infected with ransomware?
Usually, developers of file-encrypting viruses that target business giants try to use unpatched vulnerabilities on firms’ computers, brute force weak passwords on remote desktop connections, or release widely employed malicious spam e-mail campaigns. These are the most common Maze virus distribution tactics that lead to successful ransomware infiltrations. Although, employees should bear in mind that the firm can get infected by a partner company or clients whose computers were attacked by this cyber threat prior. This is a less known spread technique since not many file-encrypting viruses use infected devices to further spread the infection. Everyone within the firm should be very careful.
What are the ways to protect the company from crypto-malware attacks?
Firstly, it is essential for the IT department to update all systems within the organizations with the latest patches for discovered vulnerabilities. Also, the security team should run regular system check-ups for various minor computer infections, such as potentially unwanted programs (PUPs) since they might help infiltrate ransomware-type viruses. Secondly, every member of the company should be aware that passwords must be unique, contain various numbers, characters, and symbols so that they would be very hard to crack. None of the staff should use the same password on multiple accounts or systems as it puts all firm’s security at risk. Additionally, it is wise to enable two-factor authentication (2FA) where possible. Furthermore, the company should not keep making offsite backup copies of their data regularly but also encrypt it for safety. If you cannot encrypt some documents for certain reasons, at least encode the most valuable information that could be used against the company’s interests and lead to damaging consequences. Finally, the employees should receive regular training on how to spot malicious spam e-mails or infected links and work with electronic devices safely. In most cases, ransomware infiltration is caused by the human factor that cannot be eliminated even with the most powerful security tools. Thus, train your staff to avoid such cyber attacks.
Will Maze virus removal help to protect and decrypt data?
Unfortunately, if you remove Maze ransomware virus, the attackers will still be ahold of your firm’s sensitive data. During the attack, cybercriminals extract the most valuable documents on the remote server that only they have access to. Therefore, malware elimination will not help to take back the stolen data from the crooks. Additionally, Maze removal will not restore the encrypted data to the primary state. For that, you must either have a unique decryption tool or restore your files using the latest backup copy on the Cloud. OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.
Alternative software recommendations
Malwarebytes Anti-Malware
Method 1. Enter Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it: Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10 users Now, you can search for and remove ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future. Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.