Reading Time: 6 minutes
Maze creators threaten to publish the confidential data of victims unless the ransom is paid. Comodo Cyber Security team also find Equation group mutex in latest attack.
Ransomware took a sinister new turn in early 2020, evolving from a straightforward encrypt-then-extort model into a full-blown assault on a company’s data, secrets and reputation. The ‘traditional’ ransomware attack is a much-discussed model which has been covered extensively on this blog and by other publications. In brief, all files on a target system are locked with a strong encryption algorithm, and the user must pay the attacker a ransom fee to unlock them. No security software or computer expert can decrypt those files, making this one of the most dangerous attacks a company can face. Ransomware paralyses businesses who need their files for day-to-day operations and backs them into a corner where they must pay the fee or try to struggle on without access to their data.
Well, strange as it may seem, we might one day look back at ‘old ransomware’ with a sense of nostalgia and yearn for those simpler times. It seems the traditional attack was just the first steps of a criminal fraternity finding its feet with the encryption model, using it as a building block from which they can build even more effective attacks. Read on to find out why.
After a ransomware attack, some companies paid the fee to retrieve their data, but others decided to neither disclose the attack nor pay the ransom. They instead rebuilt their data from backups or by other means, and gradually got themselves back on track. It clearly annoyed the developers of Maze that some victims were simply ignoring all their hard work, so they set about creating a greater incentive for them to pay-up. This incentive came in the form of exfiltrating the company’s files and threatening to release them to the public if they didn’t pay the fee. Maze creators even went so far as to create a ‘shaming’ website which lists companies that have fallen prey to their ransomware but hadn’t yet paid the ransom.
This presents a particularly vicious double or even triple-whammy for the victim. Not only are their files inaccessible, a potentially crippling blow to organizations like hospitals and financial institutions, but now they risk their data being released to the public or sold to one of their competitors. Of course, this is an even greater headache for companies that are bound by customer-confidentiality laws. There’s also the loss of reputation and possible hit to stock-market valuation if the breach becomes public. Thirdly, if they had tried to hide the attack in the first place, they face getting swatted by regulations that require companies to disclose any breaches of this nature.
Not a pretty picture is it? Indeed, the FBI viewed Maze as such a serious threat that they issued a warning to businesses about it. With help from the Comodo Cyber Security team, this blog takes a closer look at the workings of the new Maze ransomware. One item of note off-the-top is the presence of the ‘prkMtx’ mutex object in the code. This object is used by the Equation Group’s exploitation library, ‘gPrivLibh’. For those of you who live outside the niche world of threat analytics, the Equation Group are a development team closely linked with the Stuxnet and Flame attacks. Many experts believe the group has ties to the NSA. The Maze developers obviously co-opted the mutex and put it to use in their ransomware, illustrating that ‘malware is malware’, no matter the subjective ‘good’ intentions of the original authors.
What is the Maze ransomware?
Maze ransomware, previously known as ChaCha, is distributed via malspam emails which have the malware as an attachment, via exploit kits like Spleevo and Fallout, and by cracking RDP connections that have weak passwords. Its payload is to encrypt all data on a victim’s drives with RSA-2048 encryption and the chacha20 stream cipher, then demand a ransom fee in order to decrypt the data. The image below shows the various extensions that Maze appends to encrypted files:
The malware then places a ransom message on the user’s desktop. Comodo’s researchers have identified the top 5 Maze communication servers are in Russia, Poland, Turkey, Netherlands and Austria:
Anatomy of a Maze attack
Maze is a highly sophisticated family which has strong multi-level exceptions and an anti-debugging techniques which block research teams from accessing the ransomware’s original content. The Comodo threat research team managed to overcome these barriers to unearth details not seen before.
There are three parts to the analysis:
A) IP list, web extensions and encoded URLs
B) File encryption process
C) Lock screen, decryption notes and decryption link
A) IP list, web extensions and encoded URLs
The Maze IP list includes 14 hard-coded IP addresses, indicating a wide distribution of servers. The addresses in the list are:
There are also 6 hard-coded web extensions – ‘.do’, ‘.jsp’, ‘.shtml’, ‘.html’, ‘.aspx’ and ‘.php’:
Maze uses the following URL formations (‘post/edit’ and ‘siginin/transfer’):
B) Ransomware file encryption process:
Maze creates an inventory of all files/folders on the system drive of the victim machine, and lists them in a file called ‘DECRYPT-FILES.html’:
The Comodo team checked the complexity of Maze’s encryption by running a test file through its encryption process. The file, named ‘~Test.txt’, underwent encryption involving API calls CreateFileW, ReadFile, CreateFileMappingW and MapViewOfFile:
The following screenshot shows the content of the file before encryption:
The post-encryption version and its hex dump is shown below:
C) Lock screen, decryption notes and decryption link
The Maze ransom note not only explains what has happened and how to pay, but spends a lot of time trying to ‘sell’ the payment route to the victim. The hackers seem to have realized that scary messaging and threats are a poor customer-conversion technique, and have moved onto more persuasive messaging to close the ‘sale’ earlier.
The lock screen tells the user that their files have been encrypted and touts the strength of the algorithms used. The page even encourages the user to research the algorithms in order to confirm their claims. This is presumably to accelerate payments by discouraging the user from wasting time trying to recover the files. As a dystopian sales technique, they also allow the victim to decrypt 3 files free to prove their decryptor works. The hope being that the user is more likely to pay if they have solid proof that the decryption process actually works:
The accompanying note reiterates the severity of the situation and contains detailed instructions on how to contact the hackers to make payment. The note is clear and well laid out, borrowing the style of mainstream FAQ pages with headings like ‘What happened?’ and ‘How do I get my files back?’:
The 2nd option in the note encourages the user to visit their information website at https://mazedecrypt.top/1b010b7e5a3ebe7d. Again, the site offers proof of a slick marketing operation with soothing messages to reassure the user that payment is the correct decision. Referring to victims as ‘customers’, it purports to be an independent support site dedicated to the noble mission of saving the user’s files:
The site asks the user to upload their ‘DECRYPT-FILES.txt’ file so the hackers can identify the victim.
No charges are openly stated for the decryption, rather stage 2 of the blackmail encourages the user to contact [email protected] and [email protected] to ‘negotiate’ a price:
Local Authorities Summon Bithumb Chairman Of The Board Over Alleged Fraud
Bithumb’s situation worsens as South Korean authorities have reportedly summoned company Chairman Lee Junh-hoon for alleged fraud regarding the sale of BXA tokens. This comes days after local police raided the exchange for the third time in less than a month.
Three Police Raids For Bithumb In September
September turns out to be a rather unpleasant month for the popular South Korea-based cryptocurrency exchange. As CryptoPotato reported earlier this month, the Intelligent Crime Investigation Unit of the Seoul Police raided the company’s headquarters under allegations for fraud.
Authorities alleged that the exchange sold its native BXA tokens to investors for over $25 million. Bithumb planned to list the token on its platform but reportedly failed to, resulting in a massive loss for investors.
Just five days after the first raid, the police conducted another one on September 7th. A police official purportedly said that authorities aim to secure additional evidence related to already existing allegations against Bithumb Korea and Bithumb Holdings Chairman of the Board – Lee Jung-hoon.
The plot thickened earlier this week when the Seoul Metropolitan Police Agency (SMPA) raided the exchange’s headquarters once again. This time, however, authorities took it a step further. They seized dozens of shares in Bithumb Holdings belonging to Bithumb Korea Director Kim Byung-Gun after receiving approval from the Seoul Central District Court.
Bithumb Chairman Summoned By Local Authorities
Earlier today, the state-run agency Yonhap reported that the SMPA had “summoned” Lee Junh-hoon. Apart from being the Chairman of the Board of Directors of Bithumb Holdings and Bithumb Korea, he is also the beneficial owner of Bithumb.
The report highlighted that BXA coin investors had sued both Lee Junh-hoon and Kim Byong-Gun for the financial losses suffered from the token sale. The authorities have also accused Junh-hoon of violating the Act on Aggravated Punishment for Specific Economic Crimes by fleeing South Korea.
Interestingly, while the investigation against Junh-hoon is ongoing, authorities haven’t conducted one against BK Group Chairman Kim Byung-Gun, despite both being accused of the alleged fraud.
Beware: Fake Uniswap (UNI) Token Giveaways Already Roaming the Internet
Cryptocurrency fake giveaway scams continue to emerge frequently, and the latest example involves the popular DEX protocol Uniswap. Just a day following the UNI token release, scammers began promoting fake UNI giveaways by impersonating Uniswap’s creator – Hayden Adams.
Fake UNI Giveaways On YouTube
As CryptoPotato reported yesterday, the popular decentralized token swap platform launched its long-anticipated native token called UNI. The announcement was accompanied by news that Uniswap will airdrop 15% of UNI’s total supply to users who had used it before September 1st. Naturally, this free token rush raised the community’s attention rather rapidly.
However, it appears that scammers were also keeping a close eye. It didn’t take long, and only a day after the UNI launch, unknown fraudsters initiated a fake UNI giveaway on the most widely-used video-sharing platform – YouTube.
In this case, the scammers created a fake Uniswap YouTube channel that supposedly has over 400,000 subscribers. They also launched a live video displaying 40,000 live viewers with the protocol’s creator – Hayden Adams.
Lastly, the classic scam is completed by offering to double all UNI tokens sent to a specific address. Meaning, that if users send 250 UNI to their address, the fraudsters promise to send back 500 UNI tokens.
Although it sounds like easy money, a more in-depth look reveals several issues and points out that it’s a classic scam. The YouTube channel has only two videos – both carrying the same fraudulent live stream, but the Google-owned platform has taken down the first one.
Additionally, the videos contain the same repeating old interview with Adams, where he says nothing about giving free UNI tokens. Last but not least, victims that fall for this scam and actually send coins to the provided addresses will not receive anything in return.
Growing Problem But Where’s The Solution?
Similar fake giveaways are a growing threat for the cryptocurrency field, its image, and, most importantly – users. Although they sound too good to be true, scammers continue doing them on several social media platforms, but mostly on YouTube.
This is where the main problem lies. The Google-owned platform has been previously criticized and even sued for not putting enough effort into fighting the scams. However, YouTube is frequently warning and banning legit cryptocurrency content creators as its logarithm fails to notice the differences.
Another social media giant Twitter also went through something similar recently. Attackers gained control over 130 accounts of famous individuals and companies and initiated a fake Bitcoin giveaway. Although Twitter stayed up front with the users and updated its security protocols, the platform was exploited once again a month later.
In any case, while social media platforms struggle to find the most appropriate solution, users need to be more cautious and vigilant. A general rule of thumb suggests that if something sounds too good to be true, it usually is. Also, there’s no such thing as free lunch.
Uniswap Activity Sends Ethereum Gas Fees Sky High
The issue of high Ethereum gas prices isn’t going away anytime soon. Just last month, total daily fees on the Ethereum network managed to reach an all-time high of $8.6 million.
Following a brief respite from high charges, the latest data from coinmetrics.io, for August 31, 2020, shows an alarming trend back towards that all-time high. Total daily fees for the end of last month reached $8.2 million.
Considering the activity that has taken place since then, it would be no surprise if the all-time high gets topped in the near future.
Ethereum daily gas fees. (Source: coinmetrics.io)
In line with expectations, this is a pattern repeated for average transaction fees. This time, the latest data shows average transaction fees hit $11.61 yesterday. While some way away from the all-time high of $14.58, set on September 2, 2020, it’s still an unacceptable part of the ERC-20 ecosystem.
More pressing than that, the situation poses serious questions about the sustainability of the Ethereum network.
Uniswap Airdrop Seen as a Kind Act of Generosity
Many blamed the mania surrounding DeFi for the high charges. In particular, the network activity that arose from the glut of newly launched tokens during that period.
With that in mind, things took a turn for the worse on Wednesday when decentralized exchange Uniswap surprised the community with the launch of their new $UNI governance token.
The firm has allocated 150 million tokens for distribution by airdrop. Each address that interacted with the Uniswap V1 & V2 protocol, before September 1, is eligible to claim 400 $UNI.
“Uniswap owes its success to the thousands of community members that have joined its journey over the past two years. These early community members will naturally serve as responsible stewards of Uniswap.”
The move was widely seen as a generous act on the part of Uniswap. Many praised the team for sharing their financial success with early adopters.
Amazon never gave you AMZN for buying books
Google never gave you GOOG for doing searches
Facebook never gave you FB for setting up a profile
Uniswap is giving you UNI for contributing liquidity
That’s the difference
— Ryan Sean Adams – rsa.eth 🏴 (@RyanSAdams) September 17, 2020
What’s more, it had the effect of stealing thunder from rival DEX Sushiswap, who was, up until that point, back on the ascendency following a change in management.
Following a deep selloff on the launch, the price of $UNI recovered. At the present time, one $UNI is priced at $5.16.
Uniswap 30 minute chart with volume. (Source: UNIUSDT on tradingview.com)
Uniswap Contracts Dominant Ethereum Network Activity
Despite Uniswap’s act of generosity, the effect on gas fees has been catastrophic.
Uniswap contracts account for four of the top 10 gas guzzlers on the Ethereum network. This includes the top spot, where the Uniswap V2 contract accounted for almost a quarter of the total gas used in the last 24-hours.
Top 10 gas guzzling contracts on the Ethereum network. (Source: etherscan.io)
The upshot of this situation is a terrible and costly experience for Ethereum users. Aside from high charges, many have vented their frustrations over stuck transactions, even having paid for the fast option.
This Uniswap thing has taught me…
Ethereum is awful to use for day to day transactions. I still have transactions ‘queued’ even though I have paid for ‘fast’ gas lol
I’m not meant for this DeFi craze. Just give me SIMPLE!
— They Call Me Jongo “I ♥️ CTP & HIVE 🐝” (@Jon_G_Olson) September 17, 2020
Solutions such as using layer 2 protocols, or waiting for ETH 2.0, doesn’t fit with the way the majority of people use the Ethereum network now. With that in mind, how long can Ethereum carry on like this?
Blockchain3 weeks ago
Market Wrap: Bitcoin’s Powell-Induced Price Swing; Ethereum Still High on Gas
Blockchain1 month ago
The US Post Office Files a Patent for a Blockchain-Based Voting System
Blockchain4 months ago
How to Identify the ‘Third Wave’ of Cannabis Investments
Blockchain2 months ago
Wealthfront Lures Millenials With Crypto Memes and Tactics
Blockchain2 months ago
Top Five Most Advanced Cryptocurrencies
Blockchain3 months ago
5 Tips to Interest the Press in Your Cannabis Business
Blockchain3 months ago
Top 5 Most Effective Cannabis Marketing Strategies
Blockchain8 months ago
What is Litecoin? | A Complete Beginners’ Guide