A Malware Researcher's Guide to Reversing Maze Ransomware

At the end of May 2019, a new family of ransomware called Maze emerged into the gaping void left by the demise of the GandCrab ransomware.
Unlike run-of-the-mill commercial ransomware, Maze authors implemented a data theft mechanism to exfiltrate information from compromised systems. This information is used as leverage for payment and to transform an operational issue into a data breach.
In November 2019, the Bitdefender Active Threat Control team spotted spikes in reports of the ‘random’ process name being blocked from escalating privileges, by the Bitdefender Anti-Exploit module. We were curious about the executable, and how it tried to achieve System privileges.
Further investigation revealed that the process belongs to the Maze/ChaCha ransomware, so we took a deeper look.
We documented our findings in a whitepaper that attempts to shed some light on how Maze performs evasion, exploitation,obfuscation and finally, system encryption.
Sounds interesting? Download the whitepaper using the link below:
tags
Author
Right now
Top posts
Vulnerabilities Identified in Wyze Cam IoT Device
March 29, 2022
New FluBot and TeaBot Global Malware Campaigns Discovered
January 26, 2022
Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately
December 10, 2021
Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand
November 08, 2021
Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware
September 16, 2021
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
July 21, 2021