Manitoba Law Firms Hit by Maze Ransomware

The Law Society of Manitoba recently revealed that two Manitoba-based law firms have been hit by Maze ransomware.

In a statement, the Law Society of Manitoba said that over the past two weeks the two Manitoba-based law firms had told the Society that, as a result of the attack, they haven’t been able to access their emails, computer files, accounting software and backups, including cloud backups. The Law Society of Manitoba added that the group behind the Maze ransomware asked the victims to pay an “enormous ransom” in order for the victims to regain access to any of their work. “At this point, we do not know when or if they will ever regain complete access to their kidnapped data,” the Society said.

In December 2019, another Manitoba-based company, the insurance and financial services company Andrew Agencies, confirmed that it too was hit by Maze ransomware. The company’s admission that it was a ransomware victim only came after the group behind the Maze ransomware named Andrew Agencies as one of its victims that didn’t pay the ransom that the group demanded.

Maze Ransomware

Maze ransomware, formerly known as ChaCha ransomware, was discovered in May 2019 by Jerome Segura. Like any other ransomware, Maze is malicious software (malware) that encrypts data on victims’ computers or devices and then demands a ransom from the victims in exchange for the decryption keys that would unlock the encrypted data.

What makes Maze stand out from other ransomware is that it’s the first ransomware whose operators publicly shame victims who refuse to pay the ransom. On a website built for this purpose, the group behind Maze ransomware lists the names of organizations that it says refused to pay.

The group also says that these “shamed” organizations refused to publicly acknowledge the ransomware attack. It threatens them with the publication of the data it stole before encrypting the victims’ files unless the demanded ransom is paid. The group has followed through on this threat in the past, publishing stolen data online.

Victims of ransomware attacks often claim in their official disclosures that client or customer data is safe, on the assumption that ransomware cannot access data. The naming of ransomware victims and the follow-up publication of stolen data showed that ransomware attackers don’t merely encrypt data but also steal it from victims. Other ransomware groups, such as Sodinokibi, Nemty and Clop, have followed Maze’s example of naming victims and publishing stolen data when the ransom continues to go unpaid.

Preventive and Mitigating Measures Against Maze Ransomware

Below are the known tactics used by the group behind Maze ransomware, each followed by the cybersecurity best practices that counter it.

Spear Phishing Attacks

The group behind Maze ransomware has been known to use spear phishing campaigns to initially infiltrate victims’ networks. In spear phishing campaigns, attackers use malicious emails as an initial entry point to infiltrate the IT systems of specific individuals or specific groups.

In October 2019, Proofpoint researchers observed dozens of spear phishing emails directed at manufacturing companies in Italy. Email recipients were tricked into opening these emails as they masqueraded as coming from the Italian Ministry of Taxation and urged recipients to open and read the enclosed malicious Microsoft Word attachment in order to avoid further tax assessment and penalties. Opening the malicious attachment led to the downloading and installation of Maze ransomware, researchers at Proofpoint said.

Cybersecurity Best Practices Against Spear Phishing Campaigns

When in doubt about the legitimacy of the email’s source, don’t click. Call or email the sender using the previously known number or email address to confirm before ever clicking on a link or opening an attachment.

Exploit Kits

The second known tactic used by the group behind Maze ransomware to initially compromise victims’ networks is an exploit kit. The group has been known to use the exploit kits “Fallout” and “Spelevo”.

Discovered in August 2018, the Fallout exploit kit takes advantage of the security vulnerabilities in Adobe Flash Player and Microsoft Windows. A successful infection using the Fallout exploit kit allows an attacker to download additional malware onto the victims’ computers such as the Maze ransomware.

Discovered in early 2019, the Spelevo exploit kit exploits a security vulnerability in Adobe Flash Player to drop malware. A Microsoft Windows scheduled task is created during infection to make the malware persistent.

Cybersecurity Best Practice Against Exploit Kits

Keep all your software up to date using a proactive patching approach.

RDP Brute Force Attacks

Remote Desktop Protocol (RDP) exposed to the internet is an attractive entry point for attackers as this entry point presents a simple and effective way to gain access to victims’ networks. RDP, a proprietary protocol developed by Microsoft, provides a user with a graphical interface to connect to another computer over a network connection.

The group behind the Maze ransomware has been known to gain access to victims’ networks by brute-forcing RDP. In a brute force attack, an attacker guesses the correct username and password combination through trial and error. Attackers typically use common usernames such as “administrator” together with passwords sold or exposed online from other data breaches.

Cybersecurity Best Practices Against RDP Brute Force Attacks

Disable RDP when not needed; use strong username and password combinations; use multi-factor authentication.
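As an added example that is not part of the original article, the following Python flags the pattern described above (a burst of failed RDP logons from one source against accounts such as “administrator”) in constructed Windows Security log lines; the one-line-per-event log format, the threshold and the time window are assumptions for this illustration.

```python
# Added example, not code from the original article: flag RDP brute-force
# attempts in constructed Windows Security log lines. Event ID 4625 is a failed
# logon and Logon Type 10 is RemoteInteractive (RDP); format, threshold and
# window are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> EventID=<id> LogonType=<type> User=<name> Src=<ip>"
SAMPLE_LOG = """\
2020-01-15T02:00:01 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2020-01-15T02:00:03 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2020-01-15T02:00:04 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2020-01-15T02:00:06 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2020-01-15T02:00:08 EventID=4625 LogonType=10 User=backup Src=203.0.113.7
2020-01-15T02:00:09 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2020-01-15T02:05:00 EventID=4625 LogonType=10 User=jsmith Src=198.51.100.20
2020-01-15T09:30:00 EventID=4625 LogonType=2 User=jsmith Src=127.0.0.1
2020-01-15T09:31:00 EventID=4624 LogonType=10 User=jsmith Src=198.51.100.20
"""

def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def rdp_failures(log_text):
    """Yield only failed RemoteInteractive (RDP) logons."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["EventID"] == "4625" and rec["LogonType"] == "10":
            yield rec

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: (failures, users)} for each source whose failed RDP logons
    reach `threshold` inside some sliding interval of length `window`."""
    by_src = defaultdict(list)
    for rec in rdp_failures(log_text):
        by_src[rec["Src"]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1  # drop events that fell out of the window
            if end - start + 1 >= threshold:
                users = sorted({r["User"] for r in recs[start:end + 1]})
                alerts[src] = (end - start + 1, users)
    return alerts
```

Feeding real events into `parse_line` would mean exporting them from the Security log in a matching one-line format; the point of the sliding window is that a single failure from a legitimate user (198.51.100.20 above) never trips the alert.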

When it comes to ransomware risk mitigation, there are many components that must be taken into consideration. GenX Solutions’ expert team has helped hundreds of organizations mitigate and recover from ransomware attacks. Call us today at (416) 920-3000 or email us to avoid business interruptions and unnecessary costs.
