A Malware Researcher's Guide to Reversing Maze Ransomware

Mihai NEAGU

March 30, 2020

Promo Protect all your devices, without slowing them down.
Free 30-day trial
A Malware Researcher's Guide to Reversing Maze Ransomware

At the end of May 2019, a new family of ransomware called Maze emerged into the gaping void left by the demise of the GandCrab ransomware.

Unlike run-of-the-mill commercial ransomware, Maze authors implemented a data theft mechanism to exfiltrate information from compromised systems. This information is used as leverage for payment and to transform an operational issue into a data breach.

In November 2019, the Bitdefender Active Threat Control team spotted spikes in reports of the ‘random’ process name being blocked from escalating privileges, by the Bitdefender Anti-Exploit module. We were curious about the executable, and how it tried to achieve System privileges.

Further investigation revealed that the process belongs to the Maze/ChaCha ransomware, so we took a deeper look.

We documented our findings in a whitepaper that attempts to shed some light on how Maze performs evasion, exploitation,obfuscation and finally, system encryption.

Sounds interesting? Download the whitepaper using the link below:

Download the whitepaper

tags


Author


Mihai NEAGU

Passionate about reverse engineering, Mihai worked on malware analysis and detection techniques in the past. Now he is doing research on exploit detection and mitigation for Windows applications.

View all posts

You might also like

Bookmarks


loader