
CISA Issues Alert on Preventing Maze Ransomware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert to government and commercial organizations about the Maze ransomware threat, which has been impacting organizations since October 2019. The alert includes a list of IP addresses, domain names, and file hashes that organizations can block to prevent successful attacks.

According to the CISA alert:

“From open-source reporting, TA2101 has been observed using Maze ransomware to encrypt and exfiltrate the files of U.S. and international governments and commercial organizations in an attempt to extort money from their targets. TA2101 has also been identified implementing spam campaigns and impersonating foreign and domestic government agencies and security vendors.

A threat actor, named “TA2101” by ProofPoint [1], has been using a variant of the ChaCha ransomware, known as Maze ransomware. Activity relating to this threat actor and type of ransomware has been identified as early as May 2019 [2]. There were no public reports on Maze ransomware activity until an Italian media source reported the activity and ProofPoint assigned the activity to a new actor, which ProofPoint named TA2101. If a victim does not pay the initial ransomware within a certain timeframe, the threat actor publishes a percentage of the victim’s data to a public website. Data published has sensitive personally identifiable information (PII) and sensitive proprietary information.”

Included in the report are a series of IP addresses, domains, and file hashes that organizations can use to protect against this particular threat. Those indicators are included in the PDF document below.

What you can do:

  • Executives should make sure their organization is well equipped to rapidly deploy indicators from this type of threat intelligence to protect their organization.
  • Organizations should have a robust security hygiene program to reduce the potential for a successful ransomware attack and prevent lateral movement from infected workstations.
  • Employees should participate in security awareness and training programs to help them identify and report phishing attacks.
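As an added illustration of the first point above (this is example code, not from the page or from CISA), the snippet below ingests an indicator list in the mixed format such alerts typically use (IP addresses, domains, file hashes, often defanged with `[.]` or `hxxp://`), buckets each indicator by type so it can be routed to the right control (firewall, DNS filter, endpoint hash blocklist), and checks sample proxy log lines for hits. Every indicator value and log line is a constructed placeholder, not one of the alert's real indicators.

```python
import re
from typing import Dict, List, Set

# Constructed sample indicator list: placeholders only, NOT the alert's real IoCs.
# Alerts commonly mix IPs, defanged domains/URLs and file hashes in one list.
SAMPLE_IOCS = """
203.0.113.10
bad-domain[.]example
hxxp://another-bad[.]example/payload
0123456789abcdef0123456789abcdef
""".strip()

# Constructed sample proxy log lines (placeholders, key=value format).
SAMPLE_LOGS = [
    "2020-04-01T10:00:00Z src=10.0.0.5 dst=203.0.113.10 host=- action=allow",
    "2020-04-01T10:01:00Z src=10.0.0.7 dst=198.51.100.2 host=bad-domain.example action=allow",
    "2020-04-01T10:02:00Z src=10.0.0.9 dst=192.0.2.1 host=safe.example action=allow",
]

HASH_RE = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")  # MD5/SHA1/SHA256
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def refang(value: str) -> str:
    """Undo common defanging so indicators compare equal to real log values."""
    v = value.strip().lower().replace("[.]", ".").replace("hxxp://", "http://")
    v = re.sub(r"^https?://", "", v)  # drop the scheme, keep only the host part
    return v.split("/")[0]

def classify(text: str) -> Dict[str, Set[str]]:
    """Bucket indicators by type: each bucket feeds a different blocking control."""
    buckets: Dict[str, Set[str]] = {"ip": set(), "domain": set(), "hash": set()}
    for line in text.splitlines():
        v = refang(line)
        if not v:
            continue
        if HASH_RE.match(v):
            buckets["hash"].add(v)
        elif IPV4_RE.match(v):
            buckets["ip"].add(v)
        else:
            buckets["domain"].add(v)
    return buckets

def match_logs(iocs: Dict[str, Set[str]], logs: List[str]) -> List[str]:
    """Return log lines whose dst= or host= field matches an IP or domain indicator."""
    hits = []
    for line in logs:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if fields.get("dst") in iocs["ip"] or fields.get("host") in iocs["domain"]:
            hits.append(line)
    return hits
```

In practice the domain bucket would be exported to a DNS or proxy blocklist and the hash bucket to endpoint protection; the log check is the retrospective sweep for machines that already contacted the listed infrastructure.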

For more information, please see the CISA Report.

CISA Maze Ransomware Alert (PDF Document)

OODA Analyst

OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.