Connect with us

Ransomware evolved – New Maze attack adds threat of data publication to existing ransomware model



Reading Time: 6 minutes

Maze creators threaten to publish the confidential data of victims unless the ransom is paid. Comodo Cyber Security team also find Equation group mutex in latest attack.

Ransomware took a sinister new turn in early 2020, evolving from a straightforward encrypt-then-extort model into a full-blown assault on a company’s data, secrets and reputation. The ‘traditional’ ransomware attack is a much-discussed model which has been covered extensively on this blog and by other publications. In brief, all files on a target system are locked with a strong encryption algorithm, and the user must pay the attacker a ransom fee to unlock them. No security software or computer expert can decrypt those files, making this one of the most dangerous attacks a company can face. Ransomware paralyses businesses who need their files for day-to-day operations and backs them into a corner where they must pay the fee or try to struggle on without access to their data.

Well, strange as it may seem, we might one day look back at ‘old ransomware’ with a sense of nostalgia and yearn for those simpler times. It seems the traditional attack was just the first steps of a criminal fraternity finding its feet with the encryption model, using it as a building block from which they can build even more effective attacks. Read on to find out why.

After a ransomware attack, some companies paid the fee to retrieve their data, but others decided to neither disclose the attack nor pay the ransom. They instead rebuilt their data from backups or by other means, and gradually got themselves back on track. It clearly annoyed the developers of Maze that some victims were simply ignoring all their hard work, so they set about creating a greater incentive for them to pay-up. This incentive came in the form of exfiltrating the company’s files and threatening to release them to the public if they didn’t pay the fee. Maze creators even went so far as to create a ‘shaming’ website which lists companies that have fallen prey to their ransomware but hadn’t yet paid the ransom.

This presents a particularly vicious double or even triple-whammy for the victim. Not only are their files inaccessible, a potentially crippling blow to organizations like hospitals and financial institutions, but now they risk their data being released to the public or sold to one of their competitors. Of course, this is an even greater headache for companies that are bound by customer-confidentiality laws. There’s also the loss of reputation and possible hit to stock-market valuation if the breach becomes public. Thirdly, if they had tried to hide the attack in the first place, they face getting swatted by regulations that require companies to disclose any breaches of this nature.

Not a pretty picture is it? Indeed, the FBI viewed Maze as such a serious threat that they issued a warning to businesses about it. With help from the Comodo Cyber Security team, this blog takes a closer look at the workings of the new Maze ransomware. One item of note off-the-top is the presence of the ‘prkMtx’ mutex object in the code. This object is used by the Equation Group’s exploitation library, ‘gPrivLibh’. For those of you who live outside the niche world of threat analytics, the Equation Group are a development team closely linked with the Stuxnet and Flame attacks. Many experts believe the group has ties to the NSA. The Maze developers obviously co-opted the mutex and put it to use in their ransomware, illustrating that ‘malware is malware’, no matter the subjective ‘good’ intentions of the original authors.

What is the Maze ransomware?

Maze ransomware, previously known as ChaCha, is distributed via malspam emails which have the malware as an attachment, via exploit kits like Spleevo and Fallout, and by cracking RDP connections that have weak passwords. Its payload is to encrypt all data on a victim’s drives with RSA-2048 encryption and the chacha20 stream cipher, then demand a ransom fee in order to decrypt the data. The image below shows the various extensions that Maze appends to encrypted files:

The malware then places a ransom message on the user’s desktop. Comodo’s researchers have identified the top 5 Maze communication servers are in Russia, Poland, Turkey, Netherlands and Austria:

Anatomy of a Maze attack

Maze is a highly sophisticated family which has strong multi-level exceptions and an anti-debugging techniques which block research teams from accessing the ransomware’s original content. The Comodo threat research team managed to overcome these barriers to unearth details not seen before.

There are three parts to the analysis:

A) IP list, web extensions and encoded URLs
B) File encryption process
C) Lock screen, decryption notes and decryption link

A) IP list, web extensions and encoded URLs

The Maze IP list includes 14 hard-coded IP addresses, indicating a wide distribution of servers. The addresses in the list are:

There are also 6 hard-coded web extensions – ‘.do’, ‘.jsp’, ‘.shtml’, ‘.html’, ‘.aspx’ and ‘.php’:

Maze uses the following URL formations (‘post/edit’ and ‘siginin/transfer’):

B) Ransomware file encryption process:

Maze creates an inventory of all files/folders on the system drive of the victim machine, and lists them in a file called ‘DECRYPT-FILES.html’:

The Comodo team checked the complexity of Maze’s encryption by running a test file through its encryption process. The file, named ‘~Test.txt’, underwent encryption involving API calls CreateFileW, ReadFile, CreateFileMappingW and MapViewOfFile:



The following screenshot shows the content of the file before encryption:

The post-encryption version and its hex dump is shown below:


C) Lock screen, decryption notes and decryption link

The Maze ransom note not only explains what has happened and how to pay, but spends a lot of time trying to ‘sell’ the payment route to the victim. The hackers seem to have realized that scary messaging and threats are a poor customer-conversion technique, and have moved onto more persuasive messaging to close the ‘sale’ earlier.

The lock screen tells the user that their files have been encrypted and touts the strength of the algorithms used. The page even encourages the user to research the algorithms in order to confirm their claims. This is presumably to accelerate payments by discouraging the user from wasting time trying to recover the files. As a dystopian sales technique, they also allow the victim to decrypt 3 files free to prove their decryptor works. The hope being that the user is more likely to pay if they have solid proof that the decryption process actually works:


The accompanying note reiterates the severity of the situation and contains detailed instructions on how to contact the hackers to make payment. The note is clear and well laid out, borrowing the style of mainstream FAQ pages with headings like ‘What happened?’ and ‘How do I get my files back?’:

The 2nd option in the note encourages the user to visit their information website at Again, the site offers proof of a slick marketing operation with soothing messages to reassure the user that payment is the correct decision. Referring to victims as ‘customers’, it purports to be an independent support site dedicated to the noble mission of saving the user’s files:

The site asks the user to upload their ‘DECRYPT-FILES.txt’ file so the hackers can identify the victim.
No charges are openly stated for the decryption, rather stage 2 of the blackmail encourages the user to contact [email protected] and [email protected] to ‘negotiate’ a price:

The post Ransomware evolved – New Maze attack adds threat of data publication to existing ransomware model appeared first on Comodo News and Internet Security Information.



Local Authorities Summon Bithumb Chairman Of The Board Over Alleged Fraud



Bithumb’s situation worsens as South Korean authorities have reportedly summoned company Chairman Lee Junh-hoon for alleged fraud regarding the sale of BXA tokens. This comes days after local police raided the exchange for the third time in less than a month.

Three Police Raids For Bithumb In September

September turns out to be a rather unpleasant month for the popular South Korea-based cryptocurrency exchange. As CryptoPotato reported earlier this month, the Intelligent Crime Investigation Unit of the Seoul Police raided the company’s headquarters under allegations for fraud.

Authorities alleged that the exchange sold its native BXA tokens to investors for over $25 million. Bithumb planned to list the token on its platform but reportedly failed to, resulting in a massive loss for investors.

Just five days after the first raid, the police conducted another one on September 7th. A police official purportedly said that authorities aim to secure additional evidence related to already existing allegations against Bithumb Korea and Bithumb Holdings Chairman of the Board – Lee Jung-hoon.

The plot thickened earlier this week when the Seoul Metropolitan Police Agency (SMPA) raided the exchange’s headquarters once again. This time, however, authorities took it a step further. They seized dozens of shares in Bithumb Holdings belonging to Bithumb Korea Director Kim Byung-Gun after receiving approval from the Seoul Central District Court.

You Might Also Like:

Bithumb Chairman Summoned By Local Authorities

Earlier today, the state-run agency Yonhap reported that the SMPA had “summoned” Lee Junh-hoon. Apart from being the Chairman of the Board of Directors of Bithumb Holdings and Bithumb Korea, he is also the beneficial owner of Bithumb.

The report highlighted that BXA coin investors had sued both Lee Junh-hoon and Kim Byong-Gun for the financial losses suffered from the token sale. The authorities have also accused Junh-hoon of violating the Act on Aggravated Punishment for Specific Economic Crimes by fleeing South Korea.

Interestingly, while the investigation against Junh-hoon is ongoing, authorities haven’t conducted one against BK Group Chairman Kim Byung-Gun, despite both being accused of the alleged fraud.

Binance Futures 50 USDT FREE Voucher: Use this link to register & get 10% off fees and 50 USDT when trading 500 USDT (limited – first 200 sign-ups & exclusive to CryptoPotato).

Click here to start trading on BitMEX and receive 10% discount on fees for 6 months.


Continue Reading


Beware: Fake Uniswap (UNI) Token Giveaways Already Roaming the Internet



Cryptocurrency fake giveaway scams continue to emerge frequently, and the latest example involves the popular DEX protocol Uniswap. Just a day following the UNI token release, scammers began promoting fake UNI giveaways by impersonating Uniswap’s creator – Hayden Adams.

Fake UNI Giveaways On YouTube

As CryptoPotato reported yesterday, the popular decentralized token swap platform launched its long-anticipated native token called UNI. The announcement was accompanied by news that Uniswap will airdrop 15% of UNI’s total supply to users who had used it before September 1st. Naturally, this free token rush raised the community’s attention rather rapidly.

However, it appears that scammers were also keeping a close eye. It didn’t take long, and only a day after the UNI launch, unknown fraudsters initiated a fake UNI giveaway on the most widely-used video-sharing platform – YouTube.

In this case, the scammers created a fake Uniswap YouTube channel that supposedly has over 400,000 subscribers. They also launched a live video displaying 40,000 live viewers with the protocol’s creator – Hayden Adams.

Lastly, the classic scam is completed by offering to double all UNI tokens sent to a specific address. Meaning, that if users send 250 UNI to their address, the fraudsters promise to send back 500 UNI tokens.

You Might Also Like:
UNI Fake Giveaway. Source: YouTube
UNI Fake Giveaway. Source: YouTube

Although it sounds like easy money, a more in-depth look reveals several issues and points out that it’s a classic scam. The YouTube channel has only two videos – both carrying the same fraudulent live stream, but the Google-owned platform has taken down the first one.

Additionally, the videos contain the same repeating old interview with Adams, where he says nothing about giving free UNI tokens. Last but not least, victims that fall for this scam and actually send coins to the provided addresses will not receive anything in return.

Growing Problem But Where’s The Solution?

Similar fake giveaways are a growing threat for the cryptocurrency field, its image, and, most importantly – users. Although they sound too good to be true, scammers continue doing them on several social media platforms, but mostly on YouTube.

This is where the main problem lies. The Google-owned platform has been previously criticized and even sued for not putting enough effort into fighting the scams. However, YouTube is frequently warning and banning legit cryptocurrency content creators as its logarithm fails to notice the differences.

Another social media giant Twitter also went through something similar recently. Attackers gained control over 130 accounts of famous individuals and companies and initiated a fake Bitcoin giveaway. Although Twitter stayed up front with the users and updated its security protocols, the platform was exploited once again a month later.

In any case, while social media platforms struggle to find the most appropriate solution, users need to be more cautious and vigilant. A general rule of thumb suggests that if something sounds too good to be true, it usually is. Also, there’s no such thing as free lunch.

Binance Futures 50 USDT FREE Voucher: Use this link to register & get 10% off fees and 50 USDT when trading 500 USDT (limited – first 200 sign-ups & exclusive to CryptoPotato).

Click here to start trading on BitMEX and receive 10% discount on fees for 6 months.


Continue Reading


Uniswap Activity Sends Ethereum Gas Fees Sky High



The issue of high Ethereum gas prices isn’t going away anytime soon. Just last month, total daily fees on the Ethereum network managed to reach an all-time high of $8.6 million.

Following a brief respite from high charges, the latest data from, for August 31, 2020, shows an alarming trend back towards that all-time high. Total daily fees for the end of last month reached $8.2 million.

Considering the activity that has taken place since then, it would be no surprise if the all-time high gets topped in the near future.

Ethereum daily gas fees

Ethereum daily gas fees. (Source:

In line with expectations, this is a pattern repeated for average transaction fees. This time, the latest data shows average transaction fees hit $11.61 yesterday. While some way away from the all-time high of $14.58, set on September 2, 2020, it’s still an unacceptable part of the ERC-20 ecosystem.

More pressing than that, the situation poses serious questions about the sustainability of the Ethereum network.

Average transaction fees on the Ethereum network


Uniswap Airdrop Seen as a Kind Act of Generosity

Many blamed the mania surrounding DeFi for the high charges. In particular, the network activity that arose from the glut of newly launched tokens during that period.

With that in mind, things took a turn for the worse on Wednesday when decentralized exchange Uniswap surprised the community with the launch of their new $UNI governance token.

The firm has allocated 150 million tokens for distribution by airdrop. Each address that interacted with the Uniswap V1 & V2 protocol, before September 1, is eligible to claim 400 $UNI.

“Uniswap owes its success to the thousands of community members that have joined its journey over the past two years. These early community members will naturally serve as responsible stewards of Uniswap.”

The move was widely seen as a generous act on the part of Uniswap. Many praised the team for sharing their financial success with early adopters.

What’s more, it had the effect of stealing thunder from rival DEX Sushiswap, who was, up until that point, back on the ascendency following a change in management.

Following a deep selloff on the launch, the price of $UNI recovered. At the present time, one $UNI is priced at $5.16.

Uniswap 30 min chart

Uniswap 30 minute chart with volume. (Source: UNIUSDT on

Uniswap Contracts Dominant Ethereum Network Activity

Despite Uniswap’s act of generosity, the effect on gas fees has been catastrophic.

Uniswap contracts account for four of the top 10 gas guzzlers on the Ethereum network. This includes the top spot, where the Uniswap V2 contract accounted for almost a quarter of the total gas used in the last 24-hours.

Top 10 gas guzzling contracts on the Ethereum network. (Source:

The upshot of this situation is a terrible and costly experience for Ethereum users. Aside from high charges, many have vented their frustrations over stuck transactions, even having paid for the fast option.

Solutions such as using layer 2 protocols, or waiting for ETH 2.0, doesn’t fit with the way the majority of people use the Ethereum network now. With that in mind, how long can Ethereum carry on like this?


Continue Reading