At the end of May 2019, a new family of ransomware called Maze emerged into the gaping void left by the demise of the GandCrab ransomware.
Unlike run-of-the-mill commercial ransomware, Maze authors implemented a data theft mechanism to exfiltrate information from compromised systems. This information is used as leverage for payment and to transform an operational issue into a data breach.
In November 2019, the Bitdefender Active Threat Control team spotted spikes in reports of the ‘random’ process name being blocked from escalating privileges, by the Bitdefender Anti-Exploit module. We were curious about the executable, and how it tried to achieve System privileges.
Further investigation revealed that the process belongs to the Maze/ChaCha ransomware, so we took a deeper look.
We documented our findings in a whitepaper that attempts to shed some light on how Maze performs evasion, exploitation,obfuscation and finally, system encryption.
Sounds interesting? Download the whitepaper using the link below:
tags
Passionate about reverse engineering, Mihai worked on malware analysis and detection techniques in the past. Now he is doing research on exploit detection and mitigation for Windows applications.
View all postsJune 08, 2023
May 02, 2023
January 11, 2023
January 05, 2023