Monday, April 27, 2020

Expert's Guide to Remove Maze Ransomware



Hello! Here’s Something about Maze Ransomware! 

This is to notify you of a recent ransomware attack (Maze ransomware) that affected one of the leading IT companies.

Based on some of your requests we have put together details of the attack and its prevention. We hope this helps you avoid the cyber risks
and potential threats that are likely to disrupt business.
Kindly read the points below, which give a high-level summary of cybersecurity best practice and recommendations.

If you would like to know more about this Alert and fixes, please do get in touch with us at IARM Information Security |
info@iarminfo.com | https://www.iarminfo.com/
Synopsis
Like all ransomware, the main goal of Maze is to encrypt every file it can reach on an infected system and then demand a ransom
to recover the files. However, Maze has some less common characteristics that we need to know about:
1. Discovered on May 29th, 2019 by Jerome Segura. [Malware Wiki]
2. The attackers threaten victims that, if they do not pay, the stolen information will be released on the Internet. Maze’s operators
have created a dedicated web page that lists the identities of their non-cooperative victims and regularly publishes samples of
the stolen data. Maze has since published the details of dozens of companies.
 
3. Indicators of Compromise (IOCs) provided by one of the recent victims included the IP addresses of servers associated
with the kepstl32.dll, memes.tmp and maze.dll files, which are known to have been used previously in Maze ransomware attacks.
Hence it is suspected that Maze is used in targeted attacks, unlike WannaCry, which was designed to spread by exploiting
the EternalBlue vulnerability.
4. As with many types of ransomware, there is an offer to decrypt three images for free, and that service has been verified as working;
this proof of decryption is used to lure the victim into paying.
Brief Technical Details in 6 Steps
1. The PEB field “IsDebuggerPresent”. This Boolean field is set by Windows to 1 (True) if the application is running
inside a debugger and 0 (False) if it is not. If the malware detects a debugger, it remains in an infinite loop doing nothing
while wasting system resources.
2. It can terminate the IDA debugger, x32dbg, OllyDbg and other processes to avoid dynamic analysis, and it closes databases,
office programs and security tools.
3. The malware tries to delete the shadow volumes on the system using the “wmic.exe” program with the arguments “shadowcopy” and “delete”. Before this, the malware resolves the “Wow64DisableWow64FsRedirection” function with “GetProcAddress” and calls it dynamically, so as to avoid the file-system redirection that 64-bit operating systems apply by default.
4. The malware tries to delete the shadow copies twice: once before encrypting the files on the infected system and again after encrypting them.
5. The malware uses two algorithms to encrypt the files: ChaCha, a symmetric cipher based on the Salsa20 algorithm, and, to protect the decryption information, RSA, which is asymmetric.

6. In each execution, the malware creates a public BLOB of one RSA key, which is used to encrypt the part that holds the information needed to decrypt the files, and one private BLOB with an RSA key that allows decryption of the information encrypted with the public RSA BLOB created previously. For detailed information, see [Ransomware Maze - Blog - By McAfee].

Are you planning to reduce your existing expense in the Information/Cybersecurity domain? We can assure you that you will get a quality
service at a lower price. IARM Information Security is one of the few companies in India to focus exclusively on end-to-end Information
Security solutions and services.

Point of intrusion 

This ransomware is known to spread via email attachments, using (spoofing) well-known and trusted domain names.

Recommendation
1. Notify end users to avoid opening suspicious emails or attachments from unknown senders/sources.
The same goes for links in emails.
2. Apply the latest security patches to all devices and operating systems.
3. We highly recommend implementing a SIEM tool and tracking security events.
4. Update to the latest Anti-Virus signatures.
5. Disable macros in Office programs and never enable them unless it is essential.
6. Back up all critical files using the 3-2-1 rule: 3 backup copies on 2 different media, with 1 backup in a separate location.
7. Disable RDP. If your organization must use RDP, avoid exposing it to the public internet. Only
devices on the LAN, or accessing via VPN, should be able to establish a remote session.

For the Security Operation Center 

MITRE ATT&CK TIDs 

These technique IDs describe the stages of an attack that resembles Maze and similar ransomware; it is highly recommended to
include them in SIEM and log analysis if these events are not already being monitored.
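The SOC guidance above asks for Maze's behaviour to be watched in SIEM and log analysis. The following Python routine is an added example, not code from IARM or from the McAfee analysis the post cites: it scans Windows process-creation events for the wmic.exe shadow-copy deletion described in technical steps 3 and 4 (ATT&CK T1490, Inhibit System Recovery), flags processes whose image or parent image carries one of the file names the post lists as Maze indicators (kepstl32.dll, memes.tmp, maze.dll), and escalates a host that deletes shadow copies more than once, matching the post's note that Maze does so before and after encryption. The log lines and their Sysmon-style key=value layout are constructed for the example, and the vssadmin form of shadow-copy deletion is included as a common equivalent that goes beyond what the post mentions.

```python
"""Added example (not IARM's or McAfee's code): detection logic for the Maze
behaviours the post describes, run over constructed Windows process-creation
events in a Sysmon-style key=value layout (an assumption of this example)."""
import re
from collections import Counter

# File names the post lists as previously associated with Maze attacks.
MAZE_FILE_IOCS = {"kepstl32.dll", "memes.tmp", "maze.dll"}

# Shadow-copy deletion through wmic.exe as described in technical step 3;
# the vssadmin form is a commonly seen equivalent, added here beyond the post.
SHADOW_DELETE = re.compile(
    r"\b(?:wmic(?:\.exe)?\s+shadowcopy\s+delete|vssadmin(?:\.exe)?\s+delete\s+shadows)\b",
    re.IGNORECASE,
)

# key=value pairs, with values optionally double-quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events: one workstation runs the shadow-copy deletion
# twice from a memes.tmp parent process; the rest is ordinary activity.
SAMPLE_EVENTS = [
    r'EventID=1 Host=FIN-WS01 Image="C:\Windows\System32\wbem\WMIC.exe" CommandLine="wmic shadowcopy delete" ParentImage="C:\Users\alice\AppData\Local\Temp\memes.tmp"',
    r'EventID=1 Host=FIN-WS01 Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe report.txt" ParentImage="C:\Windows\explorer.exe"',
    r'EventID=1 Host=FIN-WS01 Image="C:\Windows\System32\wbem\WMIC.exe" CommandLine="wmic shadowcopy delete" ParentImage="C:\Users\alice\AppData\Local\Temp\memes.tmp"',
    r'EventID=1 Host=HR-WS07 Image="C:\Windows\System32\cmd.exe" CommandLine="cmd /c dir" ParentImage="C:\Windows\explorer.exe"',
]


def parse_event(line):
    """Parse one process-creation line into a dict of its fields."""
    return {key: (quoted or bare) for key, quoted, bare in KV.findall(line)}


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(lines):
    """Return (host, rule, detail) alerts for the supplied events."""
    alerts = []
    deletions = Counter()
    for line in lines:
        ev = parse_event(line)
        host = ev.get("Host", "unknown")
        cmd = ev.get("CommandLine", "")
        if SHADOW_DELETE.search(cmd):
            deletions[host] += 1
            alerts.append((host, "T1490 shadow-copy deletion", cmd))
        for field in ("Image", "ParentImage"):
            name = basename(ev.get(field, ""))
            if name in MAZE_FILE_IOCS:
                alerts.append((host, "Maze file IOC", f"{field}={name}"))
    # Maze deletes shadow copies before and after encrypting (step 4), so a
    # repeat on one host is a stronger signal than a single event.
    for host, count in deletions.items():
        if count >= 2:
            alerts.append((host, "repeated shadow-copy deletion", f"{count} events"))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({detail})")
```

Run as-is it prints five alerts, all for FIN-WS01, and nothing for the host that only ran cmd.exe; the same three checks translate directly into SIEM correlation rules keyed on the process command line, the image names and a per-host count.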


Indicators of Compromise (IOCs) 


If you have any queries, feel free to contact us  IARM Information Security | info@iarminfo.com | https://www.iarminfo.com/ 

Thanks and Regards
Stevin


Monday, April 20, 2020

The Best Ever Solution for BUSINESS EMAIL COMPROMISE

BUSINESS EMAIL COMPROMISE

Hello Folks! 


Email security is a difficult, many-sided problem, and there is no single measure that protects
an organisation from cybercrime such as phishing.


What is Phishing? 


Phishing is both a technology and a human problem, and it must be addressed by a combination of anti-phishing technology,
brand monitoring services, threat-intelligence services, staff phishing simulations and phishing awareness training.


Business email compromise cases are CEO email frauds: executives' inboxes are compromised with emails
containing malicious links, designed to mine company data.



Tips for how to identify a BEC scam
  • Top subject lines in BEC scam emails: Payment, Request, Urgent, Attention, Important, Tax In., Wire/transfer, Greetings
  • Top attachment file names in BEC scam emails: Purchase order, Payment, Invoice, Slip, Receipt, Bill, Advice, Transfer





HOW DO YOU PROTECT YOURSELF OR YOUR COMPANY? 


Cybercriminals monitor social media accounts (LinkedIn, Facebook and Twitter) belonging to
executives and employees for any disclosure.


Following that, IARM, a top cybersecurity company in Chennai, delivers Vulnerability Assessment
and Penetration Testing services to protect against threats and cyber attacks, including advanced penetration testing
for Artificial Intelligence systems and pentesting for network, cloud, web and mobile applications.


Businesses can take a number of steps to prevent Business Email Compromise (BEC):


-- Remove any sensitive online disclosures such as work emails and phone numbers. Avoid mentioning
the future whereabouts of company executives on social media accounts and company web pages. Executives
should hide their updates and posts from public view by tightening their privacy settings.


-- Marketing and Finance departments should use unique email IDs rather than generic ones like
finance@, sales@, etc. This makes such attacks harder, as the addresses are difficult to guess.


-- Implement policies and procedures to handle emails requesting wire transfers or the release of sensitive
personally identifiable information. 


-- Use two-factor authentication, in which approval of wire transfers requires two employees to authorize a
transaction; this increases the chances of detecting the scam.


-- Educate the organization's people about BEC attacks, particularly executives or staff who have the authority to
release funds or critical information.


If you want to know more about Information Security for your business, you can reach the Cybersecurity company in Chennai


Technology Used


Sender Policy Framework (SPF)


It is an email validation system designed to prevent unwanted emails that rely on spoofing. It looks up the domain and
verifies that the corresponding domain IP is authorized to send email for that domain.


SPF does not prevent attackers from spoofing the "From" address.


DomainKeys Identified Mail (DKIM)


DKIM provides an encryption key and digital signature that verify that an email message was not forged or altered, but
this may not prevent attackers from spoofing the ‘From' address.


Domain-based Message Authentication, Reporting and Conformance (DMARC)


DMARC verifies that the “From” domain matches the 'Return-Path' domain checked by SPF, and verifies that the “From” domain matches
the "d=" domain name in the DKIM signature.
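The two checks above are what DMARC adds on top of SPF and DKIM, and they are the reason a passing SPF or DKIM result on its own does not stop a spoofed "From" address. The following Python script is an added example, not IARM's code: it takes two constructed messages, reads the domains from the From and Return-Path headers and from the DKIM d= tag, takes the SPF and DKIM verdicts from an Authentication-Results header (assumed here to have been written by the receiving mail server), and reports whether either verdict is aligned with the From domain. The organizational-domain comparison used for relaxed alignment is simplified to the last two labels; real implementations use the Public Suffix List, and the strict/relaxed alignment option is a DMARC policy detail that goes beyond what the post describes.

```python
"""Added example (not IARM's code): DMARC identifier alignment over two
constructed messages. Assumes the receiving MTA has already recorded the SPF
and DKIM verdicts in an Authentication-Results header."""
import email
import re
from email.utils import parseaddr

# Constructed: a genuine message whose bounce address uses a subdomain and
# whose DKIM signature is made by the From domain itself.
LEGIT_MESSAGE = """\
Return-Path: <bounce@mail.example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail.example.com; dkim=pass header.d=example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Payment request

Please process the attached invoice today.
"""

# Constructed: a spoofed From address. SPF passes, but only for the sender's
# own bounce domain, and there is no DKIM signature from example.com.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@bulk-mailer.example.org>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk-mailer.example.org; dkim=none
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Urgent wire transfer

Please wire the amount in the attached slip before noon.
"""


def domain_of(header_value):
    """Domain part of an address header such as From or Return-Path."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def dkim_signing_domain(dkim_header):
    """The d= tag of a DKIM-Signature header, i.e. the signing domain."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", dkim_header or "")
    return m.group(1).lower() if m else ""


def org_domain(domain):
    """Simplified organizational domain (last two labels); real DMARC
    implementations derive this from the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def aligned(from_domain, other, strict=False):
    """Strict alignment needs an exact match; relaxed alignment accepts the
    same organizational domain (mail.example.com aligns with example.com)."""
    if not from_domain or not other:
        return False
    return from_domain == other if strict else org_domain(from_domain) == org_domain(other)


def auth_results(msg):
    """spf= and dkim= verdicts recorded in Authentication-Results."""
    ar = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", ar)
    dkim = re.search(r"\bdkim=(\w+)", ar)
    return (spf.group(1).lower() if spf else "none",
            dkim.group(1).lower() if dkim else "none")


def dmarc_evaluate(raw_message, strict=False):
    """DMARC passes if SPF passed for a Return-Path domain aligned with From,
    or DKIM passed with a d= domain aligned with From. A passing SPF result
    for the attacker's own bounce domain does nothing for a spoofed From."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    spf_result, dkim_result = auth_results(msg)
    spf_aligned = spf_result == "pass" and aligned(
        from_dom, domain_of(msg.get("Return-Path")), strict)
    dkim_aligned = dkim_result == "pass" and aligned(
        from_dom, dkim_signing_domain(msg.get("DKIM-Signature")), strict)
    return {"from_domain": from_dom, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(label, dmarc_evaluate(raw))
```

The spoofed message is the case the post warns about: SPF is satisfied because the attacker controls the domain in Return-Path, yet DMARC fails because neither that domain nor any DKIM signer aligns with the displayed "From" domain. Under strict alignment the genuine message still passes through its DKIM signature even though its Return-Path subdomain no longer counts.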


Get in touch with IARM to set up the technology part for any Organization. Visit: https://www.iarminfo.com/ and mail us at info@iarminfo.com for any queries


Thanks and Regards


Thursday, April 16, 2020

BCP Webinar - Business Continuity Management Service




What you will learn
  • An overview of the comprehensive approach to business continuity model 
  • How to identify potential crises which may affect your business 
  • How to assess and evaluate the impact of those crises and disaster events
  • How to identify business continuity strategies 
  • How to develop a Business Continuity Plan for your business. 

The comprehensive approach to disaster management recognises four elements of emergency/disaster management 

The model anticipates crises and utilizes sequential planning and implementation of actions before, during and after an event. By following this approach you will be able to develop a business continuity plan for your business.

Also, Read BCP Simplified - Easy to Understand blog to know about the Business Continuity Plan


Thanks and Regards
Priya - IARM Information Security






Wednesday, April 8, 2020

How to create Business Continuity Plan BCP in 11 Easy Steps



Business Continuity Planning Solutions list the necessary steps and relevant processes that
need to be put in place to identify and protect the business processes required to maintain an acceptable level
of operations during a crisis.

Here are 12 steps to start building the Business Continuity Plan you always wanted, which also help to develop effective business continuity measures.

A few of the key steps are listed below:


  1. A clear understanding of the Business and scope of operations (including geographical spread)
  2. Where is the organization ‘positioned’ in the “Business Chain?”
  3. Assign - Roles and Responsibilities of BC Team
  4. Perform Business Impact Analysis (BIA) on key business processes (BIA is done to identify the potential financial and non-financial impacts of a disruption in performing an activity/process and to arrive at recovery time frames)
  5. Risk Analysis (RA) on enablers (or drivers), general threats, or specific threats as identified in the organization’s context
  6. Decide on a Recovery Strategy (based on 4 & 5)
  7. Arrive at the resources needed to execute the BCP (manpower, IT infrastructure, physical infrastructure, vendor support, monetary support, etc.)
  8. The BCP (Business Continuity Plan) document captures the sequence of actions that counteracts the risk that has materialized, covering the 6 Rs
  9. Prepare a communication plan covering all parties
  10. Training and awareness on the BCP for staff, associates and vendors
  11. BCP exercising and testing


It is advised to read BCP Simplified! Easy to understand BCP for business owners. There you get an in-depth view of BCP and its importance.

Conclusion

As a business owner, you need to consider a business continuity management service for your organisation; it helps to protect your business reputation and avoid business loss.

So, what do you think of BCP? Do you use it on your business? Have you thought about BCP for your business? Contact us @iarm and visit – https://www.iarminfo.com/business-continuity-plan-bcp
With regards,



