Solution Modules	Solution Available	Pattern Branch	Release Date	Detection/Policy/Rules
URL Protection	Yes	In the Cloud	Malware Accomplice, Disease Vector, Ransomware
Predictive Learning (TrendX)	TROJ.Win32.TRX.XXPE50FFF034
Ransom.Win32.TRX.XXPE50FFF034
BKDR.Win32.TRX.XXPE50FFF034
File detection (VSAPI/Smart Scan) and Advanced Threat Scan Engine (ATSE)	15.529.00	10/12/2019	Ransom.Win32.MAZE.H
Ransom.Win32.MAZE.THKBIAI
Ransom_Gen.R011C0PKA19
Ransom_Maze.R002C0DC720
Ransom_Instructions.R002C0PCK20
Ransom.Win32.MAZE.THJBBAI
Ransom.Win32.MAZE.SMDA
TROJ_GEN.USMGAHAL
Ransom.Win32.MAZE.G
Ransom.Win32.MAZE.C
Ransom_Mazedec.R002C0DDE20
Trojan.Win32.SMOKELOAD.SMD2.hp
Ransom.Win32.MAZE.AC
TROJ_GEN.R002C0DDE20
Behavioral Monitoring (AEGIS)	2015Q_CQ, RAN2455T TMTD policies
Access Document Control (ADC) Supported
Sandbox Solution	VAN_RANSOMARE.UMXX
Deep Discovery Inspector Rule	Rule 1043 RANSOM HTTP REQUEST
TippingPoint	37302: HTTP: Ransomware.Win32.Maze.A
Deep Security	1007596 - Identified Suspicious File Extension Rename Activity Over Network Share
1007598 - Identified Suspicious Rename Activity Over Network Share

Maze Ransomware Attack on a US IT Firm

Product / Version includes:

Deep Security Smart Check All , TippingPoint Virtual SMS All , Trend Micro Email Security All , Apex One as a Service All , Cloud App Security All , Deep Discovery Inspector All , Email Encryption Hosted All , Email Reputation Services All , TippingPoint SMS All , TXOne - EdgeIPS All , Worry-Free Plug-In - Security For MAC All , Cloud One - Application Security All , Deep Security As A Service All , Endpoint Encryption 6.0 , Safe Lock All , TXOne - EdgeFire All , Worry-Free Remote Manager All , TippingPoint ThreatDV All , Deep Discovery Analyzer All , Control Manager All , Apex One (Mac) All , Deep Discovery Director All , Interscan Web Security Virtual Appliance All , ServerProtect for Microsoft Windows/Novell NetWare All , Portable Security All , Apex Central All , Cloud App Security For Office 365 All , Cloud Edge All , Apex One All , Deep Security All , Hosted Mobile Security All , TippingPoint Virtual TPS All , Trend Micro Web Security All , Endpoint Encryption All , Worry-Free Business Security Standard All , InterScan Messaging Security Suite All , Deep Discovery Email Inspector All , Smart Protection Server All , Interscan Messaging Security Virtual Appliance All , Interscan Web Security Suite All , ScanMail for Domino All , Worry-Free Business Security Services All , Cloud One - Endpoint and Workload Security All , Licensing Management Platform All , Remote Manager All , ScanMail for Exchange All , TippingPoint Digital Vaccine All , Worry Free Services for Dell All , Instant Messaging Security All , Portalprotect All , Worry-Free Business Security Advanced All , Mobile Security For Enterprise All

Last updated: 2025/05/08

Solution ID: KA-0010423

Category: Remove a Malware / Virus

Summary

Maze Ransomware has impacted one of the biggest IT firms based in US.

Maze Ransomware: Distributed in late December 2019, the warning indicates that the Bureau first observed the ransomware being wielded against U.S. victims last November. Upon successfully breaching the network, threat actors exfiltrate company files before encrypting machines and network shares. The actors then demand a target-specific ransom in exchange for the decryption key.

Impacted Region:

US as of 4/19/2020 7:55PM GMT+8

Actions Taken

Malware Sourcing
Testing samples against Trend Micro Detections
Trend Micro Technical Support and Core Technology Team collaboration for sourcing, monitoring and intelligence gathering

Solutions Available

Solution Modules	Solution Available	Pattern Branch	Release Date	Detection/Policy/Rules
URL Protection	Yes	In the Cloud		Malware Accomplice, Disease Vector, Ransomware
Predictive Learning (TrendX)				TROJ.Win32.TRX.XXPE50FFF034
				Ransom.Win32.TRX.XXPE50FFF034
				BKDR.Win32.TRX.XXPE50FFF034
File detection (VSAPI/Smart Scan) and Advanced Threat Scan Engine (ATSE)		15.529.00	10/12/2019	Ransom.Win32.MAZE.H
				Ransom.Win32.MAZE.THKBIAI
				Ransom_Gen.R011C0PKA19
				Ransom_Maze.R002C0DC720
				Ransom_Instructions.R002C0PCK20
				Ransom.Win32.MAZE.THJBBAI
				Ransom.Win32.MAZE.SMDA
				TROJ_GEN.USMGAHAL
				Ransom.Win32.MAZE.G
				Ransom.Win32.MAZE.C
				Ransom_Mazedec.R002C0DDE20
				Trojan.Win32.SMOKELOAD.SMD2.hp
				Ransom.Win32.MAZE.AC
				TROJ_GEN.R002C0DDE20
Behavioral Monitoring (AEGIS)		2015Q_CQ, RAN2455T TMTD policies
Behavioral Monitoring (AEGIS)		Access Document Control (ADC) Supported
Sandbox Solution		VAN_RANSOMARE.UMXX
Deep Discovery Inspector Rule		Rule 1043 RANSOM HTTP REQUEST
TippingPoint		37302: HTTP: Ransomware.Win32.Maze.A
Deep Security		1007596 - Identified Suspicious File Extension Rename Activity Over Network Share
Deep Security		1007598 - Identified Suspicious Rename Activity Over Network Share

Refer to this file for the IOC list.

Recommendation

Make sure to always use the latest pattern available to detect the old and new variants of Maze ransomware.

Refer to the KB article: Recommendations on how to best protect your network using Trend Micro products.
You may also check the article: Submitting suspicious or undetected virus for file analysis to Technical Support.
For support assistance, contact Trend Micro Technical Support.

TrendMicro Virus Encyclopedia

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Maze Ransomware Attack on a US IT Firm

Actions Taken

Solutions Available

Recommendation

Related Blogs and Articles

TrendMicro Virus Encyclopedia

Maze Ransomware Attack on a US IT Firm

Product / Version includes:

Summary

Actions Taken

Solutions Available

Recommendation

Related Blogs and Articles

TrendMicro Virus Encyclopedia