Skip to content

S0449 Maze

Maze ransomware, previously known as “ChaCha”, was discovered in May 2019. In addition to encrypting files on victim machines for impact, Maze operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.123

Item Value
ID S0449
Associated Names
Version 1.2
Created 18 May 2020
Last Modified 24 January 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Maze has communicated to hard-coded IP addresses via HTTP.2
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Maze has created a file named “startup_vrun.bat” in the Startup folder of a virtual machine to establish persistence.3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell The Maze encryption process has used batch scripts with various commands.13
enterprise T1486 Data Encrypted for Impact Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.1
enterprise T1568 Dynamic Resolution Maze has forged POST strings with a random choice from a list of possibilities including “forum”, “php”, “view”, etc. while making connection with the C2, hindering detection efforts.2
enterprise T1564 Hide Artifacts -
enterprise T1564.006 Run Virtual Instance Maze operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual machine’s configuration file mapped the shared network drives of the target company, presumably so Maze can encrypt files on the shared drives as well as the local machine.3
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Maze has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg.2 It has also disabled Windows Defender’s Real-Time Monitoring feature and attempted to disable endpoint protection services.3
enterprise T1070 Indicator Removal Maze has used the “Wow64RevertWow64FsRedirection” function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.2
enterprise T1490 Inhibit System Recovery Maze has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.23
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Maze operators have created scheduled tasks masquerading as “Windows Update Security”, “Windows Update Security Patches”, and “Google Chrome Security Update” designed to launch the ransomware.3
enterprise T1106 Native API Maze has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others.2
enterprise T1027 Obfuscated Files or Information Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis.2
enterprise T1027.001 Binary Padding Maze has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process.2
enterprise T1057 Process Discovery Maze has gathered all of the running system processes.2
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Maze has injected the malware DLL into a target process.23
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Maze has created scheduled tasks using name variants such as “Windows Update Security”, “Windows Update Security Patches”, and “Google Chrome Security Update”, to launch Maze at a specific time.3
enterprise T1489 Service Stop Maze has stopped SQL services to ensure it can encrypt any database.3
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.007 Msiexec Maze has delivered components for its ransomware attacks using MSI files, some of which have been executed from the command-line using msiexec.3
enterprise T1082 System Information Discovery Maze has checked the language of the infected system using the “GetUSerDefaultUILanguage” function.2
enterprise T1614 System Location Discovery -
enterprise T1614.001 System Language Discovery Maze has checked the language of the machine with function GetUserDefaultUILanguage and terminated execution if the language matches with an entry in the predefined list.2
enterprise T1049 System Network Connections Discovery Maze has used the “WNetOpenEnumW”, “WNetEnumResourceW”, “WNetCloseEnum” and “WNetAddConnection2W” functions to enumerate the network resources on the infected machine.2
enterprise T1529 System Shutdown/Reboot Maze has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM.3
enterprise T1047 Windows Management Instrumentation Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization’s network.23

Groups That Use This Software

ID Name References
G0037 FIN6 1