Solution Modules	Solution Available	Pattern Branch	Release Date	Detection/Policy/Rules
URL Protection	Yes	In the Cloud	Malware Accomplice, Disease Vector, Ransomware
Predictive Learning (TrendX)	TROJ.Win32.TRX.XXPE50FFF034
Ransom.Win32.TRX.XXPE50FFF034
BKDR.Win32.TRX.XXPE50FFF034
File detection (VSAPI/Smart Scan) and Advanced Threat Scan Engine (ATSE)	15.529.00	10/12/2019	Ransom.Win32.MAZE.H
Ransom.Win32.MAZE.THKBIAI
Ransom_Gen.R011C0PKA19
Ransom_Maze.R002C0DC720
Ransom_Instructions.R002C0PCK20
Ransom.Win32.MAZE.THJBBAI
Ransom.Win32.MAZE.SMDA
TROJ_GEN.USMGAHAL
Ransom.Win32.MAZE.G
Ransom.Win32.MAZE.C
Ransom_Mazedec.R002C0DDE20
Trojan.Win32.SMOKELOAD.SMD2.hp
Ransom.Win32.MAZE.AC
TROJ_GEN.R002C0DDE20
Behavioral Monitoring (AEGIS)	2015Q_CQ, RAN2455T TMTD policies
Access Document Control (ADC) Supported
Sandbox Solution	VAN_RANSOMARE.UMXX
Deep Discovery Inspector Rule	Rule 1043 RANSOM HTTP REQUEST
TippingPoint	37302: HTTP: Ransomware.Win32.Maze.A
Deep Security	1007596 - Identified Suspicious File Extension Rename Activity Over Network Share
1007598 - Identified Suspicious Rename Activity Over Network Share

Maze Ransomware Attack on a US IT Firm

Product / Version includes:

Deep Security Smart CheckAll , TippingPoint Virtual SMSAll , Trend Micro Email SecurityAll , Apex One as a ServiceAll , Cloud App SecurityAll , Deep Discovery InspectorAll , Email Encryption HostedAll , Email Reputation ServicesAll , TippingPoint SMSAll , TXOne - EdgeIPSAll , Worry-Free Plug-In - Security For MACAll , Cloud One - Application SecurityAll , Deep Security As A ServiceAll , Endpoint Encryption6.0 , Safe LockAll , TXOne - EdgeFireAll , Worry-Free Remote ManagerAll , TippingPoint ThreatDVAll , Deep Discovery AnalyzerAll , Control ManagerAll , Apex One (Mac)All , Deep Discovery DirectorAll , Interscan Web Security Virtual ApplianceAll , ServerProtect for Microsoft Windows/Novell NetWareAll , Portable SecurityAll , Apex CentralAll , Cloud App Security For Office 365All , Cloud EdgeAll , Apex OneAll , Deep SecurityAll , Hosted Mobile SecurityAll , TippingPoint Virtual TPSAll , Trend Micro Web SecurityAll , Endpoint EncryptionAll , Worry-Free Business Security StandardAll , InterScan Messaging Security SuiteAll , Deep Discovery Email InspectorAll , Smart Protection ServerAll , Interscan Messaging Security Virtual ApplianceAll , Interscan Web Security SuiteAll , Scanmail for IBM DominoAll , Worry-Free Business Security ServicesAll , Cloud One - Endpoint and Workload SecurityAll , Licensing Management PlatformAll , Remote ManagerAll , ScanMail for ExchangeAll , TippingPoint Digital VaccineAll , Worry Free Services for DellAll , Instant Messaging SecurityAll , PortalprotectAll , Worry-Free Business Security AdvancedAll , Mobile Security For EnterpriseAll

Last updated: 2021/10/10

Solution ID: KA-0010423

Category: Remove a Malware / Virus

Summary

Maze Ransomware has impacted one of the biggest IT firms based in US.

Maze Ransomware: Distributed in late December 2019, the warning indicates that the Bureau first observed the ransomware being wielded against U.S. victims last November. Upon successfully breaching the network, threat actors exfiltrate company files before encrypting machines and network shares. The actors then demand a target-specific ransom in exchange for the decryption key.

Impacted Region:

US as of 4/19/2020 7:55PM GMT+8

Actions Taken

Malware Sourcing
Testing samples against Trend Micro Detections
Trend Micro Technical Support and Core Technology Team collaboration for sourcing, monitoring and intelligence gathering

Solutions Available

Solution Modules	Solution Available	Pattern Branch	Release Date	Detection/Policy/Rules
URL Protection	Yes	In the Cloud		Malware Accomplice, Disease Vector, Ransomware
Predictive Learning (TrendX)				TROJ.Win32.TRX.XXPE50FFF034
				Ransom.Win32.TRX.XXPE50FFF034
				BKDR.Win32.TRX.XXPE50FFF034
File detection (VSAPI/Smart Scan) and Advanced Threat Scan Engine (ATSE)		15.529.00	10/12/2019	Ransom.Win32.MAZE.H
				Ransom.Win32.MAZE.THKBIAI
				Ransom_Gen.R011C0PKA19
				Ransom_Maze.R002C0DC720
				Ransom_Instructions.R002C0PCK20
				Ransom.Win32.MAZE.THJBBAI
				Ransom.Win32.MAZE.SMDA
				TROJ_GEN.USMGAHAL
				Ransom.Win32.MAZE.G
				Ransom.Win32.MAZE.C
				Ransom_Mazedec.R002C0DDE20
				Trojan.Win32.SMOKELOAD.SMD2.hp
				Ransom.Win32.MAZE.AC
				TROJ_GEN.R002C0DDE20
Behavioral Monitoring (AEGIS)		2015Q_CQ, RAN2455T TMTD policies
Behavioral Monitoring (AEGIS)		Access Document Control (ADC) Supported
Sandbox Solution		VAN_RANSOMARE.UMXX
Deep Discovery Inspector Rule		Rule 1043 RANSOM HTTP REQUEST
TippingPoint		37302: HTTP: Ransomware.Win32.Maze.A
Deep Security		1007596 - Identified Suspicious File Extension Rename Activity Over Network Share
Deep Security		1007598 - Identified Suspicious Rename Activity Over Network Share

Refer to this file for the IOC list.

Recommendation

Make sure to always use the latest pattern available to detect the old and new variants of Maze ransomware.

Refer to the KB article: Recommendations on how to best protect your network using Trend Micro products.
You may also check the article: Submitting suspicious or undetected virus for file analysis to Technical Support.
For support assistance, contact Trend Micro Technical Support.

TrendMicro Virus Encyclopedia

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Maze Ransomware Attack on a US IT Firm

Actions Taken

Solutions Available

Recommendation

Related Blogs and Articles

TrendMicro Virus Encyclopedia

Maze Ransomware Attack on a US IT Firm

Product / Version includes:

Summary

Actions Taken

Solutions Available

Recommendation

Related Blogs and Articles

TrendMicro Virus Encyclopedia