November 18, 2019 By David Bisson 2 min read

Security analysts observed a relatively new threat actor called TA2101 targeting German, Italian and U.S. organizations with malicious emails carrying samples of Maze ransomware.

Proofpoint first observed TA2101’s threat activity in October 2019 when it detected hundreds of malicious emails impersonating the Bundeszentralamt für Steuern, Germany’s Federal Ministry of Finance. The emails employed stolen branding for the German agency along with lookalike “.icu” domains to trick recipients into opening a Microsoft Word document, ostensibly required to receive a tax refund. When opened, the Microsoft Word document executed a malicious macro, which in turn used a PowerShell script to run Maze ransomware on the victim’s machine.

Not long afterward, TA2101 apparently widened the scope of its Maze ransomware campaign. In late October, for instance, researchers saw the threat actor impersonating the Agenzia Entrate, the Italian Ministry of Taxation, to distribute the malware using a similar infection chain. Less than a month later, the threat group masqueraded as the United States Postal Service to target American recipients with malicious Microsoft Word documents.
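The campaign described above leaves two observable stages a defender can check for: a sender domain that mimics a government brand on a lookalike “.icu” TLD, and a Word process spawning PowerShell. The following Python is an added example (not Proofpoint’s or the article’s code). The brand keywords are my assumption, derived from the agency names the article mentions; the e-mail address and the process-creation records are constructed, using a flat `Key=Value|...` layout with Sysmon Event ID 1 field names rather than any real log export.

```python
"""Triage helpers for the two stages of the TA2101 Maze lure described above.

Added example, not from the article or Proofpoint. All sample data below is
constructed; field names mirror Sysmon Event ID 1 (Image, ParentImage,
CommandLine) but the records themselves are invented.
"""
import re
from typing import Dict, List

# The article's lure is a Word document; extend this set for other Office hosts.
OFFICE_PARENTS = {"winword.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Assumption: keywords derived from the agency names the article says were impersonated.
BRAND_KEYWORDS = ("steuern", "entrate", "usps")
# The article reports lookalike ".icu" domains for this campaign.
LOOKALIKE_TLDS = (".icu",)


def sender_domain(address: str) -> str:
    """Return the lowercase domain of an RFC-style From header (empty if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)\s*>?$", address.strip())
    return m.group(1).lower() if m else ""


def is_lookalike_sender(address: str) -> bool:
    """Flag a sender whose domain sits on a lookalike TLD and carries a brand keyword."""
    dom = sender_domain(address)
    return dom.endswith(LOOKALIKE_TLDS) and any(k in dom for k in BRAND_KEYWORDS)


def basename(path: str) -> str:
    """Lowercase file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def office_spawned_script_host(event: Dict[str, str]) -> bool:
    """True when a Word process is the direct parent of a PowerShell process."""
    return (basename(event.get("ParentImage", "")) in OFFICE_PARENTS
            and basename(event.get("Image", "")) in SCRIPT_HOSTS)


def triage(email_from: str, process_lines: List[str]) -> Dict[str, object]:
    """Combine both checks; returns the suspicious process records for review."""
    events = [parse_event(line) for line in process_lines]
    suspicious = [e for e in events if office_spawned_script_host(e)]
    return {"lookalike_sender": is_lookalike_sender(email_from),
            "office_to_powershell": suspicious}


# Constructed sample input: a spoofed tax-agency sender and three process events,
# of which only the second is the Word -> PowerShell chain.
SAMPLE_FROM = "Bundeszentralamt für Steuern <refund@bundeszentralamt-steuern.icu>"
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=WINWORD.EXE /n refund.doc",
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=powershell.exe -w hidden -f C:\\Users\\u\\AppData\\Local\\Temp\\x.ps1",
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe",
]

if __name__ == "__main__":
    result = triage(SAMPLE_FROM, SAMPLE_EVENTS)
    print("lookalike sender:", result["lookalike_sender"])
    for ev in result["office_to_powershell"]:
        print("Word spawned PowerShell:", ev["CommandLine"])
```

The parent/child rule deliberately ignores the PowerShell command line: the article says the macro ran a script, but the chain itself (a document editor launching a script host) is the durable signal, and it survives whatever the script’s content or flags happen to be.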

A Look Back at Maze’s Evolving History

The attack described above marks digital attackers’ latest interaction with Maze, a relatively new digital threat. Bleeping Computer reported that researchers first discovered the ransomware family back in May 2019. At that time, malicious actors were primarily using the Fallout exploit kit as a means of distributing Maze.

But its handlers soon expanded Maze’s channels of distribution. Within a few months, Bleeping Computer spotted another campaign in which the Spelevo exploit kit abused a use-after-free vulnerability in some Flash Player versions to infect victims with the ransomware.

Defending Against TA2101-Borne Malware

At this time, there is no publicly available tool that users and organizations can leverage to recover files affected by Maze. That places the onus on security professionals to help their organizations defend against a ransomware infection. They can do this by augmenting their existing data backup strategy with the addition of cloud-based encryption tools. These solutions should ideally use access controls, key management and other security controls to add layers of protection to data hosted in the cloud. Additionally, companies should champion the use of test phishing simulations to strengthen employees’ awareness of phishing attacks, a common delivery vector for ransomware.
