November 18, 2019 By David Bisson 2 min read

Security analysts observed a relatively new threat actor called TA2101 targeting German, Italian and U.S. organizations with malicious emails carrying samples of Maze ransomware.

Proofpoint first observed TA2101’s threat activity in October 2019 when it detected hundreds of malicious emails impersonating the Bundeszentralamt fur Steuern, Germany’s Federal Ministry of Finance. The emails employed stolen branding for the German agency along with lookalike “.icu” domains to trick recipients into opening a Microsoft Word document for the purpose of receiving a tax refund. When opened, the Microsoft Word document executed a malicious macro that then used a PowerShell script to run Maze ransomware on the victim’s machine.

It wasn’t too long thereafter when TA2101 apparently widened the scope of its Maze ransomware campaign. In late October, for instance, researchers saw the threat actor impersonating the Agenzia Entrate, the Italian Ministry of Taxation, to distribute the malware using a similar infection chain. Less than a month later, the threat group masqueraded as the United States Postal Service to target American recipients with malicious Microsoft Word documents.

A Look Back at Maze’s Evolving History

The attack described above marks digital attackers’ latest interaction with Maze, a relatively new digital threat. Bleeping Computer reported that researchers first discovered the ransomware family back in May 2019. At that time, malicious actors were primarily using the Fallout exploit kit as a means of distributing Maze.

But its handlers soon expanded Maze’s channels of distribution. Within a few months, Bleeping Computer spotted another campaign in which the Spelevo exploit kit abused a use after free vulnerability in some Flash Player versions to infect people with ransomware.

Defending Against TA2101-Borne Malware

At this time, there is no publicly available tool that users and organizations can leverage to recover files affected by Maze. That places the onus on security professionals to help their organizations defend against a ransomware infection. They can do this by augmenting their existing data backup strategy with the addition of cloud-based encryption tools. These solutions should ideally use access controls, key management and other security controls to add layers of protection to data hosted in the cloud. Additionally, companies should champion the use of test phishing simulations to strengthen employees’ awareness of phishing attacks, a common delivery vector for ransomware.

More from

Crisis communication: What NOT to do

4 min read - Read the 1st blog in this series, Cybersecurity crisis communication: What to doWhen an organization experiences a cyberattack, tensions are high, customers are concerned and the business is typically not operating at full capacity. Every move you make at this point makes a difference to your company’s future, and even a seemingly small mistake can cause permanent reputational damage.Because of the stress and many moving parts that are involved, businesses often fall short when it comes to communication in a crisis.…

The future of cybersecurity: What to expect at Black Hat 2024

3 min read - The cybersecurity landscape continues to evolve at a breakneck pace. New threats emerge daily, and the stakes have never been higher, especially as artificial intelligence (AI) is infused into every aspect of business. As security and business leaders, it's crucial to stay ahead of the curve and ensure your organization is equipped to handle the ever-changing threat landscape. For over two decades, Black Hat has been the premier gathering of cybersecurity professionals, providing a platform for experts to share knowledge,…

Recent CrowdStrike outage: What you should know

3 min read - On Friday, July 19, 2024, nearly 8.5 million Microsoft devices were affected by a faulty system update, causing a major outage of businesses and services worldwide. This equates to nearly 1% of all Microsoft systems globally and has led to significant disruptions to airlines, police departments, banks, hospitals, emergency call centers and hundreds of thousands of other private and public businesses. What caused this outage in Microsoft systems? The global outage of specific Microsoft-enabled systems and servers was isolated to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today