Maze ransomware spread through the help of the SpelevoEK exploit. The exploit exploits a vulnerability, CVE-2018-15982 present in the versions of Flash Player 184.108.40.206 and 220.127.116.11. If exploited successfully, the exploit proceeds to automatically download and install the payload of Maze ransomware. Once the payload is installed, the ransomware modifies the extension of the files on the system and encrypts them using RSA-2048 encryption. It authors threaten to publish stolen data in order to increase pressure on the victim to pay ransom. To do this, ransomware operators begin to steal data before encrypting files. The Maze ransomware is a variant of ChaCha Ransomware.
Recently Maze authors claim that they have compromised data of Chubb.com an insurance giant, and threaten to public make available its data. Though the compnay has yet to respond but independent cyber security researcher claims that Chubb.com Citrix ADC (Netscaler) servers that were vulnerable to the CVE-2019-19871 vulnerability which the attacker might have exploited to gain a foothold in companies server and execute the ransomware.
Maze Ransomware Signatures
Maze Ransomware Download