Archive for May, 2020

Maze: the ransomware that introduced an extra twist

An extra way to create leverage against victims of ransomware has been introduced by the developers of the Maze ransomware. If the victim is not convinced that she should pay the criminals because her files are encrypted, there could be an extra method of extortion. Over time, more organizations have found ways to keep safe copies of their important files or use some kind of rollback technology to restore their systems to the state they were in before the attack.

To have some leverage over these organizations, the ransomware attackers steal data from the infiltrated system while they deploy their ransomware. They then threaten to publish the data if the victim decides not to pay. Depending on the kind of data, this can be a rather compelling reason to give in.

Maze introduces leaked data

In the last quarter of 2019, Maze’s developers introduced this new extortion method. And, as if ransomware alone wasn’t bad enough, since the introduction of this methodology, many other ransomware peddlers have started to adopt it. The most well-known ransomware families besides Maze that use data exfiltration as a side-dish for ransomware are Clop, Sodinokibi, and DoppelPaymer.

The dubious honor of being noted as the first victim went to Allied Universal, a California-based security services firm. Allied Universal saw 700MB of stolen data being dumped after they refused to meet the ransom demand set by Maze. Nowadays, most of the ransomware gangs involved in this double-featured attack have dedicated websites where they threaten to publish the data stolen from victims that are reluctant to pay up.

Maze website: the site where the Maze operators publish the exfiltrated data of their “clients”.

Characteristics of Maze ransomware

Maze ransomware was developed as a variant of ChaCha ransomware and was initially discovered by Malwarebytes Director of Threat Intelligence Jérôme Segura in May of 2019. Since December of 2019, the gang has been very active, claiming many high-profile victims in almost every vertical: finance, technology, telecommunications, healthcare, government, construction, hospitality, media and communications, utilities and energy, pharma and life sciences, education, insurance, wholesale, and legal.

The main forms of distribution for Maze are:

  • malspam campaigns utilizing weaponized attachments, mostly Word and Excel files
  • RDP brute force attacks

Initially, Maze was distributed through websites using exploit kits such as Fallout EK and Spelevo EK, which have been seen exploiting Flash Player vulnerabilities. Maze ransomware has also utilized exploits against Pulse VPN, as well as the Windows VBScript Engine Remote Code Execution Vulnerability, to get into a network.

No matter which method was used to gain a foothold in the network, the next step for the Maze operators is to obtain elevated privileges, conduct lateral movement, and begin to deploy file encryption across all drives. However, before encrypting the data, these operators are known to exfiltrate the files they come across. These files will then be put to use as a means to gain extra leverage, threatening with public exposure.

Maze uses two algorithms to encrypt the files, ChaCha20 and RSA. After encryption, the program appends a random string of 4 to 7 characters to the end of each file’s name. When the malware has finished encrypting all the targeted files, it changes the desktop wallpaper to this image:

In addition, a voice message is played to the user of the affected system, alerting them of the encryption.

IOCs for Maze ransomware

Maze creates a file called DECRYPT-FILES.txt in each folder that contains encrypted files. It skips some folders, among which are:

  • %windir%
  • %programdata%
  • Program Files
  • %appdata%local

It also skips all files of the following types:

  • dll
  • exe
  • lnk
  • sys

This ransom note called DECRYPT-FILES.txt contains instructions for the victim:

The ransom note explaining the attack and how to contact the cyber-criminals about getting files decrypted.

They then promise that:

After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files.
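As an added example (not code from the post or from Malwarebytes), a defender’s heuristic scan for the two file-system artifacts described above: a DECRYPT-FILES.txt note in each folder holding encrypted files, and files carrying an appended random 4 to 7 character extension. It assumes the appended characters are alphanumeric, uses a constructed sample directory tree, and treats a small placeholder list of ordinary 4 to 7 letter extensions as benign.

```python
"""Heuristic scan for Maze-style artifacts: a ransom note per folder and
files with a random 4-7 character suffix.  Added example; the sample tree
and the KNOWN_EXT list are constructed placeholders, not real data."""
import os
import re
import tempfile
from pathlib import Path

RANSOM_NOTE = "DECRYPT-FILES.txt"
# File types the post says Maze leaves untouched; never evidence of encryption.
UNTOUCHED_EXT = {"dll", "exe", "lnk", "sys"}
# Ordinary extensions of 4-7 chars that must not be mistaken for a Maze
# suffix.  Assumption for the example; extend it for your environment.
KNOWN_EXT = {"docx", "xlsx", "pptx", "jpeg", "json", "html", "yaml", "sqlite"}
# The post says 4-7 random characters; assuming they are alphanumeric.
RANDOM_EXT = re.compile(r"[A-Za-z0-9]{4,7}")


def looks_encrypted(name: str) -> bool:
    """True if the file name ends in a random-looking 4-7 char extension."""
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:          # no extension, or a dotfile like ".bashrc"
        return False
    low = ext.lower()
    if low in UNTOUCHED_EXT or low in KNOWN_EXT:
        return False
    return RANDOM_EXT.fullmatch(ext) is not None


def scan(root: Path) -> dict:
    """Walk root and return {'noted': {dir: n}, 'unnoted': {dir: n}}.

    'noted' folders contain the ransom note (n = suspect files beside it);
    'unnoted' folders have suspect files but no note, e.g. an interrupted
    or partial encryption run.  Directories are relative POSIX paths."""
    result = {"noted": {}, "unnoted": {}}
    for dirpath, _subdirs, files in os.walk(root):
        rel = Path(dirpath).relative_to(root).as_posix()
        suspects = sum(1 for f in files if f != RANSOM_NOTE and looks_encrypted(f))
        if RANSOM_NOTE in files:
            result["noted"][rel] = suspects
        elif suspects:
            result["unnoted"][rel] = suspects
    return result


# Constructed sample tree: directory -> file names (contents are placeholders).
SAMPLE_TREE = {
    "docs": [RANSOM_NOTE, "budget.xlsx.AbC7d", "memo.docx.qZ8kLm1",
             "notes.txt", "tool.exe"],
    "photos": ["cat.jpeg", "vacation.png.X9Y8z"],
    "Windows/System32": ["kernel32.dll", "ntoskrnl.exe"],
}


def build_sample_tree(root: Path) -> None:
    """Materialise SAMPLE_TREE under root."""
    for folder, names in SAMPLE_TREE.items():
        target = root / folder
        target.mkdir(parents=True, exist_ok=True)
        for name in names:
            (target / name).write_bytes(b"placeholder")


def demo() -> dict:
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    report = demo()
    for folder, n in report["noted"].items():
        print(f"ransom note present: {folder} ({n} suspect files)")
    for folder, n in report["unnoted"].items():
        print(f"no note, but {n} suspect files: {folder}")
```

On the sample tree the scan flags docs (note plus two suffixed files) and photos (one suffixed file, no note), while the Windows folder and the plain notes.txt, tool.exe and cat.jpeg stay clean.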

SHA 256 hashes:

Malwarebytes protects users with a combination of different layers including one that stops the attack very early on and is completely signature-less.

Besides using Malwarebytes, we also recommend that you:

  • Deny public IP addresses access to important ports (such as RDP port 3389).
  • Allow access only from IP addresses that are under your control.
  • Along with blocking the RDP port, we also suggest blocking SMB port 445. In general, it is advisable to block unused ports.
  • Apply the latest Microsoft update packages and keep your operating system and antivirus fully updated.

While our advice, as always, is not to pay the criminals, since doing so keeps their business model alive, we do understand that missing crucial files can be a compelling reason to pay them anyway. And with the new twist of publishing exfiltrated data that the Maze operators introduced, there is an extra reason at hand. Throwing confidential data online has proven to be an effective extra persuasion, as many organizations can’t afford to have it publicly available.

Stay safe, everyone!

The post Maze: the ransomware that introduced an extra twist appeared first on Malwarebytes Labs.

Posted in: NEWS


The best test for an EDR solution is one that works for you

Since its inception, the endpoint detection and response (EDR) market has evolved rapidly with new innovations to better address the cyber landscape and meet customers’ needs for an effective and simple solution that just works.

But finding something that just works means something quite different for every business, depending on their size, security expertise, and requirements.

Collectively, the EDR market has experienced three, sizable waves of innovation:

Wave 1: event visibility

With the market introduction of EDR solutions, the first innovation wave focused on providing security teams with visibility into all events that happen in the organization.

The predominant use case of a “first wave” EDR product is for the end user to search among millions of events and hope to find the “needle in the haystack” event that was critical and actionable.

However, this type of detection and response approach failed to provide enough relevant context or actionable intelligence for it to be useful for organizations with a security team of any size or skill level. Instead, the first wave of EDR solutions was mainly adopted by organizations with extremely experienced incident response investigators and Security Operations Center (SOC) teams with level 3-trained analysts who could apply the EDR event visibility as an additional datapoint during an attack investigation.

Wave 2: event alerting

Most EDR products in the market today are second-innovation-wave offerings. To address the first wave’s “needle in the haystack” usability shortcomings, EDR products added alert capabilities alongside the vast sea of event visibility and context.

However, these EDR offerings are not fully automated and are known to cause alert fatigue, as the alerts are not correlated to an actionable remediation process. Practical usage for incident response efforts requires a SOC level 2 analyst to analyze and investigate each detection in depth to determine whether it is critical or actionable before closing the ticket.

What has the third wave introduced?

The EDR market is beginning to see some vendors—in a third wave of innovation—largely focus on democratizing security with usability and automation enhancements that make EDR an effective tool for organizations large and small and with security teams of any skill level.

There have been several market drivers creating the need for this third wave. First, with advances in attacker tools, cyber criminals have expanded their attack targets from enterprise-sized organizations to equally include small- and medium-sized businesses. In fact, small business victims now account for 43% of all corporate data breaches according to Verizon’s 2019 Data Breach Investigation Report. In parallel, the market has continued to see a widening and unsustainable gap in the available cyber security staff, which (ISC)2 is now estimating at a global workforce shortage of 4.07 million.

With the number and severity of attacks increasing, combined with the pervasive lack of available or highly skilled cybersecurity staff, demand has increased for EDR solutions that can address these issues. Third-wave-EDR products strive to meet that need with the inclusion of:

  • Actionability

The third wave of EDR products finds us at the height of automation’s promise, raising only actionable alerts to the end user. The premise is that the visibility and context of the first and second EDR waves are important but shouldn’t get in the way of actionability. Without actionability, an EDR product becomes unusable by organizations that don’t have large or advanced security teams to investigate these tens of thousands of daily events.

  • Automation

This latest wave of EDR products has achieved the Herculean task of fully automating EDR—from detection through to remediation—to support small-to-medium organizations without a large security team, enabling them to benefit from the same advanced EDR technology that has been in use by organizations with trained security personnel.

  • Comprehensive security

Third wave EDR products provide a tightly integrated set of capabilities to effectively manage the attack chain—from proactive protection to detection of a suspicious activity and automated incident response. These capabilities create an ecosystem that informs, learns, and adapts from itself, so, in essence, the whole security stack is greater than the sum of the parts.

Third-party testing

With these waves of EDR innovations, how do third-party test labs play a role in the selection process?

To aid companies in their search, third-party evaluation and testing resources have been available to help prospective buyers narrow the field in vendor selection. The unique paradox with these resources is that the testing methodologies are designed with a specific and narrowly defined scope to “even the playing field,” which, in turn, typically renders the testing one step behind the latest, cutting-edge EDR innovation. This makes sense, of course, because test centers cannot adapt their standardized methodologies until after they have seen and understood the latest EDR advances.

Given that the EDR market has moved into its third wave, testing labs will also need to adapt their evaluation and testing criteria to incorporate these innovations.

For example:

  • Actionability vs. alert fatigue

Tests will need to discern between actionability and alert fatigue. The third wave of EDR products is focused on providing a customer-centric approach that makes security accessible and easy for organizations of all sizes, with security teams of all capabilities.

In terms of testing, that means avoiding alert fatigue by sharing only actionable detections found within suspicious activity—those that are most relevant to ultimately prevent an attack. These solutions provide additional drill-down search options to view detections if a security analyst wants to dig into them, and third-wave testing criteria should incorporate the concept of a “primary UI event notification” vs. a “secondary UI for searching additional detections.”

  • Testing the whole and not the separate parts for effectiveness

Tests will need to focus on the overall efficacy of the solution, evaluating the integrated EDR ecosystem of protection, detection, and remediation working together as it was designed for real-world use, rather than creating artificial product deficits by shutting off part of the system, such as protection, in order to narrowly test detection capabilities.

How can companies navigate this reality?

Third-party tests are a good resource to understand how different solutions fare against a specific testing methodology. Yet, because the tests innovate a cycle behind the technology they’re intended to evaluate, ultimately no standardized test is as good as doing a solid proof of concept in an organization’s live environment.

In the same way that companies turn to trusted colleagues and community resources—like Spiceworks and Reddit forums—when looking for suggestions on good EDR solutions, third-party tests provide a valuable, similar resource: they serve as a compass pointing to the top group of EDR solutions to evaluate.

When evaluating EDR solutions, organizations should focus on selecting a vendor with a detection and remediation strategy that aligns with their objectives. Some criteria to consider when developing an EDR evaluation include:

  1. Identify the risks: where is all the sensitive data located and what are the routes to that data?
  2. Prioritize protection on the data that matters: sensitive organizational and customer data.
  3. Consider the level of available security expertise. Most organizations don’t have enough cyber security experts, so evaluations should look at the solution’s complexity level. Does it require additional integrations, have a complex UI, or need additional skillset to operate?
  4. Consider the organization’s brand and reputation in peer review sites, such as G2Crowd, Gartner Peer Insights, and Capterra.
  5. Choose the solution or solutions to evaluate that have the capabilities that align with the defined criteria.

In the end, once an organization has narrowed the field of EDR solutions to the group that they want to evaluate, nothing can replace the experience of conducting a live test to see how the product stands up in their unique environment, against their real-time attacks, and with their trusted team learning to navigate the solution to see how easy or difficult it is to manage.

EDR has grown at a blistering pace to do one thing—help you and your business detect, prevent, and remediate cyber threats. By better understanding the testing landscape today, you can better deliver on your EDR results tomorrow.

The post The best test for an EDR solution is one that works for you appeared first on Malwarebytes Labs.



Coalition Against Stalkerware bulks up global membership

Today, the Coalition Against Stalkerware brought aboard 11 new organizations to address the potentially dangerous capabilities of stalkerware, an invasive, digital threat that can rob individuals of their expectation of, and right to, privacy. These types of apps can provide domestic abusers with a new avenue of control over their survivors’ lives, granting wrongful, unfettered access to text messages, phone calls, emails, GPS location data, and online browsing behavior.

Founded last year, the Coalition Against Stalkerware brings together cybersecurity vendors, domestic violence organizations, and digital rights advocates.

Since its launch, Coalition members have published updated statistics on stalkerware-type apps, conducted vital research on their popularity, and informed journalists about why this subject matters. Further, the Coalition’s founding cybersecurity members—including Malwarebytes—have worked together to share intelligence to improve their products. This month, Malwarebytes also offered a remote training about mobile device security for the San Mateo-based nonprofit Community Overcoming Relationship Abuse.

Today, the Coalition grows larger and stronger. We welcome Anonyome Labs, AppEsteem Corporation, Bundesverband Frauenberatungsstellen und Frauennotrufe (bff), Centre Hubertine Auclert, Copperhead, Corrata, Commonwealth Peoples’ Association of Uganda, Cyber Peace Foundation, F-Secure, Illinois Stalking Advocacy Center, and AEquitas with its Stalking Prevention, Awareness, and Resource Center (SPARC).

With the new additions, the Coalition Against Stalkerware is now 21 partners strong, with participation in the United States, Canada, Ireland, India, Uganda, France, Germany, and Greece. We are also represented within a network of support groups spread across Switzerland, Bulgaria, Slovakia, Norway, Georgia, Moldova, Italy, Austria, Cyprus, and Bosnia.

This global support comes at a necessary time.

In late January, the world shifted. More and more governments implemented shelter-in-place orders to prevent the spread of coronavirus. These efforts are for the public’s safety—attempts to slow down an illness deadlier and more contagious than the flu. But for survivors of domestic abuse, harm comes not just from the outside world—sometimes it lives at the same address.

In China, the non-governmental organization Equality, which works to stop violence against women, reported increased call volume to its support hotline. In Spain, a similar uptick of 18 percent occurred. And in France, police reported a 30 percent surge in domestic violence across the nation.

These issues are worldwide. Support can be local.

The Coalition already depends on multidisciplinary expertise to better understand and address the threat of stalkerware. We lean on domestic abuse advocates to learn about why there is no one-size-fits-all solution to these problems, and why we, as cybersecurity vendors, should not presume that all domestic abuse survivors can comfortably access the malware-scanning tools we build. We lean on digital rights experts to inform us about how these types of potentially invasive apps intersect with the law, and potentially violate our rights. And we lean on one another in the cybersecurity industry to improve our products to detect stalkerware-type apps.

With today’s additions, we’re expanding our approach to multidisciplinary expertise. We are leaning on experts who support survivors in languages we sometimes don’t speak, and who, through decades of committed work, have built immeasurable trust within their communities beyond our current reach.

We work better when we work together.

The post Coalition Against Stalkerware bulks up global membership appeared first on Malwarebytes Labs.



Lock and Code S1Ep7: Sounding the trumpet on web browser privacy with Pieter Arntz

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Pieter Arntz, malware intelligence researcher at Malwarebytes, about web browser privacy—an often neglected subcategory of data privacy. Without the proper restrictions, browsers can allow web trackers to follow you around the Internet, resulting in that curious ad seeming to find you from website to website. But, according to Arntz, there are ways to fight back.

Tune in for all this and more on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, on Google Play Music, plus whatever preferred podcast platform you use.

We cover our own research on:

Plus other cybersecurity news:

Stay safe, everyone!

The post Lock and Code S1Ep7: Sounding the trumpet on web browser privacy with Pieter Arntz appeared first on Malwarebytes Labs.



Going dark: encryption and law enforcement

UPDATE, 05/22/2020: With the advent of the EARN IT Act, the debate on government subversion of encryption has reignited. Given that the material conditions of the technology have not changed, and the arguments given in favor of the bill are not novel, we’ve decided to republish the following blog outlining our stance on the subject.

Originally published July 25, 2017

We’re hearing it a lot lately: encryption is an insurmountable roadblock between law enforcement and keeping us safe. They can’t gather intelligence on terrorists because they use encryption. They can’t convict criminals because they won’t hand over encryption keys. They can’t stop bad things from happening because bad guys won’t unlock their phones. Therefore—strictly to keep us safe—the tech industry must provide them with means to weaken, circumvent, or otherwise subvert encryption, all for the public good. No “backdoors”, mind you; they simply want a way for encryption to work for good people, but not bad. This is dangerous nonsense, for a lot of reasons.

1. It’s technically incorrect

Encryption sustains its value by providing end-to-end protection of data in transit, as well as protecting what we call “data at rest.” Governments have asked both for means of observing data in transit and for ways of retrieving data at rest on devices of interest. They also insist that they have no interest in weakening encryption as a whole, but just in retrieving the information they need for an investigation. From a technical perspective, this is contradictory gibberish. An encryption algorithm either encodes sensitive data or it doesn’t—the only method for allowing a third party to gain access to plain-text data would be to either provide them with the private keys of the communicants in question or maintain an exploitable flaw in the algorithm that a third party could take advantage of. Despite government protestations to the contrary, this makes intuitive sense: how could you possibly generate encryption secure against one party (hackers) but not another (government)? Algorithms cannot discern good intentions, so they must be secure against everyone.

2. They have a myriad of other options to get what they need

Let’s assume for a moment that a government entity has a reasonable suspicion that a crime has been committed, a reasonable certainty that a certain person did it, and a reasonable suspicion that evidence leading to a conviction lies on an encrypted device. Historically, government entities have not checked all these boxes before attempting to subvert decryption, but let’s give them the benefit of the doubt for the moment. Options available to various levels of law enforcement and/or intelligence include, but are not limited to:

  • Eavesdropping on unencrypted or misconfigured comms of a suspect’s contact
  • Collecting unencrypted metadata to characterize the encrypted data
  • Detaining the suspect indefinitely until they “voluntarily” decrypt the device
  • Geolocation to place the suspect in proximity to the crime
  • Link analysis to place the suspect in social contact with confirmed criminals
  • Grabbing unencrypted data at rest from compliant third party providers
  • Eavesdropping on other channels where the suspect describes the encrypted data
  • Wrench decryption

Given the panoply of tools available to the authorities, why would they need to start an investigation by breaking the one tool available to the average user that keeps their data safe from hackers?

3. They’re not really “going dark”

In 1993, a cryptographic device called the “clipper chip” was proposed by the government to encrypt data while holding private keys in a “key escrow” controlled by law enforcement. Rather than breaking the encryption, law enforcement would have simply had a decryption key available. For everyone. An academic analysis of why this was a stunningly bad idea can be found here.

Given that this program was shuttered in response to overwhelmingly negative public opinion, have law enforcement and intelligence agencies been unable to collect data for the past 24 years? Or have they turned to the other investigatory tools available to them as appropriate?

4. If we do give them a backdoor, what would they do with it?

1984-style heavy-handed tactics are unlikely at the present time, but a government breach that results in loss of control of the backdoor? Much more likely. The breach at OPM most likely endangered the information of up to a third of adult Americans, depending on who and how you count. (We don’t know for sure because the government didn’t say how they counted.) That breach involved data of sensitive, valuable government employees. Would they do any better with a backdoor that impacts technology used by pretty much everyone?

No, they wouldn’t.

Let’s take a look at how they secure their own networks, post OPM. Oh dear….

If the most powerful and richest government in the world cannot secure their own classified data, why should we trust them with ours? The former head of the FBI once called for an “adult conversation” on encryption. We agree. So here’s a modest counter-proposal:

  • Stop over-classifying cyberthreat intelligence. The security community cannot fix what it does not know. Threat intelligence over a year old is effectively worthless.
  • Send subject matter experts to participate in ISACs, not “liaisons.”
  • Collaborate in the ISACs in good faith: shared intelligence should have context and collaboration should extend beyond lists of IOCs.
  • Exchange analytic tradecraft: analysts in the government often use techniques that while obscure, are not classified. This will improve tradecraft on both sides.
  • Meet the DHS standard for securing your own machines, classified or otherwise. No one would trust someone with a key escrow if those keys are held in a leaky colander.

We think these are reasonable requests that can help keep people safe, without breaking the encryption the world relies on daily to do business, conduct private conversations, and on occasion, express thoughts without fear of reprisal. We hope you agree.

The post Going dark: encryption and law enforcement appeared first on Malwarebytes Labs.
