Security analysts observed a relatively new threat actor called TA2101 targeting German, Italian and U.S. organizations with malicious emails carrying samples of Maze ransomware.

Proofpoint first observed TA2101’s threat activity in October 2019 when it detected hundreds of malicious emails impersonating the Bundeszentralamt fur Steuern, Germany’s Federal Ministry of Finance. The emails employed stolen branding for the German agency along with lookalike “.icu” domains to trick recipients into opening a Microsoft Word document for the purpose of receiving a tax refund. When opened, the Microsoft Word document executed a malicious macro that then used a PowerShell script to run Maze ransomware on the victim’s machine.

It wasn’t too long thereafter when TA2101 apparently widened the scope of its Maze ransomware campaign. In late October, for instance, researchers saw the threat actor impersonating the Agenzia Entrate, the Italian Ministry of Taxation, to distribute the malware using a similar infection chain. Less than a month later, the threat group masqueraded as the United States Postal Service to target American recipients with malicious Microsoft Word documents.

A Look Back at Maze’s Evolving History

The attack described above marks digital attackers’ latest interaction with Maze, a relatively new digital threat. Bleeping Computer reported that researchers first discovered the ransomware family back in May 2019. At that time, malicious actors were primarily using the Fallout exploit kit as a means of distributing Maze.

But its handlers soon expanded Maze’s channels of distribution. Within a few months, Bleeping Computer spotted another campaign in which the Spelevo exploit kit abused a use after free vulnerability in some Flash Player versions to infect people with ransomware.

Defending Against TA2101-Borne Malware

At this time, there is no publicly available tool that users and organizations can leverage to recover files affected by Maze. That places the onus on security professionals to help their organizations defend against a ransomware infection. They can do this by augmenting their existing data backup strategy with the addition of cloud-based encryption tools. These solutions should ideally use access controls, key management and other security controls to add layers of protection to data hosted in the cloud. Additionally, companies should champion the use of test phishing simulations to strengthen employees’ awareness of phishing attacks, a common delivery vector for ransomware.

More from

The Evolution of Antivirus Software to Face Modern Threats

Over the years, endpoint security has evolved from primitive antivirus software to more sophisticated next-generation platforms employing advanced technology and better endpoint detection and response.  Because of the increased threat that modern cyberattacks pose, experts are exploring more elegant ways of keeping data safe from threats.Signature-Based Antivirus SoftwareSignature-based detection is the use of footprints to identify malware. All programs, applications, software and files have a digital footprint. Buried within their code, these digital footprints or signatures are unique to the respective…

How Do Threat Hunters Keep Organizations Safe?

Neil Wyler started his job amid an ongoing cyberattack. As a threat hunter, he helped his client discover that millions of records had been stolen over four months. Even though his client used sophisticated tools, its threat-hunting technology did not detect the attack because the transactions looked normal. But with Wyler’s expertise, he was able to realize that data was leaving the environment as well as entering the system. His efforts saved the company from suffering even more damage and…

The White House on Quantum Encryption and IoT Labels

A recent White House Fact Sheet outlined the current and future U.S. cybersecurity priorities. While most of the topics covered were in line with expectations, others drew more attention. The emphasis on critical infrastructure protection is clearly a top national priority. However, the plan is to create a labeling system for IoT devices, identifying the ones with the highest cybersecurity standards. Few expected that news. The topic of quantum-resistant encryption reveals that such concerns may become a reality sooner than…

Contain Breaches and Gain Visibility With Microsegmentation

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces. Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications…