Maze ransomware spread with the help of the SpelevoEK exploit. The exploit targets a vulnerability, CVE-2018-15982, present in Flash Player versions 31.0.0.153 and 31.0.0.108. If exploitation succeeds, the exploit automatically downloads and installs the Maze ransomware payload. Once the payload is installed, the ransomware modifies the extension of the files on the system and encrypts them using RSA-2048 encryption. Its authors threaten to publish stolen data in order to increase pressure on the victim to pay the ransom. To do this, the ransomware operators steal data before encrypting files. The Maze ransomware is a variant of ChaCha Ransomware.
Recently, the Maze authors claimed that they have compromised data of Chubb.com, an insurance giant, and threatened to make its data publicly available. The company has yet to respond, but an independent cyber security researcher claims that Chubb.com had Citrix ADC (Netscaler) servers that were vulnerable to the CVE-2019-19871 vulnerability, which the attacker might have exploited to gain a foothold in the company's server and execute the ransomware.
Maze Ransomware Signatures
Family: Ransom:Win32/Maze!MTB
MD5: 21a563f958b73d453ad91e251b11855c
SHA256: 067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b
Maze Ransomware Download