Security analysts observed a relatively new threat actor called TA2101 targeting German, Italian and U.S. organizations with malicious emails carrying samples of Maze ransomware.

Proofpoint first observed TA2101’s threat activity in October 2019 when it detected hundreds of malicious emails impersonating the Bundeszentralamt fur Steuern, Germany’s Federal Ministry of Finance. The emails employed stolen branding for the German agency along with lookalike “.icu” domains to trick recipients into opening a Microsoft Word document for the purpose of receiving a tax refund. When opened, the Microsoft Word document executed a malicious macro that then used a PowerShell script to run Maze ransomware on the victim’s machine.

It wasn’t too long thereafter when TA2101 apparently widened the scope of its Maze ransomware campaign. In late October, for instance, researchers saw the threat actor impersonating the Agenzia Entrate, the Italian Ministry of Taxation, to distribute the malware using a similar infection chain. Less than a month later, the threat group masqueraded as the United States Postal Service to target American recipients with malicious Microsoft Word documents.

A Look Back at Maze’s Evolving History

The attack described above marks digital attackers’ latest interaction with Maze, a relatively new digital threat. Bleeping Computer reported that researchers first discovered the ransomware family back in May 2019. At that time, malicious actors were primarily using the Fallout exploit kit as a means of distributing Maze.

But its handlers soon expanded Maze’s channels of distribution. Within a few months, Bleeping Computer spotted another campaign in which the Spelevo exploit kit abused a use after free vulnerability in some Flash Player versions to infect people with ransomware.

Defending Against TA2101-Borne Malware

At this time, there is no publicly available tool that users and organizations can leverage to recover files affected by Maze. That places the onus on security professionals to help their organizations defend against a ransomware infection. They can do this by augmenting their existing data backup strategy with the addition of cloud-based encryption tools. These solutions should ideally use access controls, key management and other security controls to add layers of protection to data hosted in the cloud. Additionally, companies should champion the use of test phishing simulations to strengthen employees’ awareness of phishing attacks, a common delivery vector for ransomware.

More from

Security Awareness Training 101: Which Employees Need It?

4 min read - To understand why you need cybersecurity awareness training, you must first understand employees' outsized roles in security breaches. “People remain — by far — the weakest link in an organization’s cybersecurity defenses,” noted Verizon on the release of their 2022 Data Breach Investigations Report (DBIR). They elaborate that 25% of all breaches covered in the report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82% of…

4 min read

Beyond Requirements: Tapping the Business Potential of Data Governance and Security

3 min read - Doom and gloom. Fear, uncertainty and doubt. The "stick" versus the "carrot". What do these concepts have in common? They have often provided the primary motivation for organizations’ data governance and security strategies. For the enterprise, this mindset has perpetuated the idea that data governance, data security and data privacy are reactive cost centers existing due to externally imposed requirements or mandates. Yet, what if data governance and security practices could upend the prevailing paradigm and demonstrate direct business value?…

3 min read

Protecting Against Remote Monitoring and Management Phishing

3 min read - You use remote monitoring and management (RMM) software to closely monitor your cyber environment and keep your organization safe. But now cyber criminals are specifically targeting these tools, causing legitimate software to become a vulnerability. This is the latest type of attack in an increase in a recent trend of disruptive software supply chain attacks. The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert about the malicious use of legitimate remote monitoring and management (RMM) software. Last fall,…

3 min read

Secure-by-Design: Which Comes First, Code or Security?

4 min read - For years, developers and IT security teams have been at loggerheads. While developers feel security slows progress, security teams assert that developers sacrifice security priorities in their quest to accelerate production. This disconnect results in flawed software that is vulnerable to attack. While advocates for speed and security clash, consumers must often pay the price when threat actors strike. 48% of developers admitted they were still shipping code with vulnerabilities in 2022. It’s clearly time for a change. Many believe…

4 min read