Post by Florin Gruber, June 2025

The Ransomware Maze – An Overview

Did you know that there are ransomware trojans with a code of conduct? For example, the DarkSide ransomware does not attack hospitals, schools, or government agencies.

However, all other victims face ransom demands of between 200,000 and 2,000,000 Swiss francs, payable in cryptocurrency (mostly Bitcoin or Monero). If payment is not made, the attackers threaten to destroy or publish the data. Never before have so many detections been reported as in 2020, with the number steadily increasing from quarter to quarter.

Statistics for 2020

  • 31% of companies worldwide are attacked by cybercriminals at least once a day
  • The Maze ransomware (more on this later) accounted for almost 50% of all known ransomware cases
  • Malware is increasingly being automatically generated and modified, resulting in up to 100,000 new variants appearing per day (this is why heuristic, behavior-based detection is so important)

The Ransomware "Maze"

Maze has been active since late 2019 and is among the 10 most dangerous active ransomware families. Here we present its basic functionality:

  • Maze not only encrypts data but also steals it to threaten publication
  • Uses sophisticated techniques to prevent disassembly and debugging
  • Deletes Windows shadow copies (like most others)
  • Sends an HTTP request to its C&C (command-and-control) server at IP 91.218.114.0
  • Uses known tools like Mimikatz, ProcDump, and Cobalt Strike for propagation
  • The attack is usually targeted and often begins with spear phishing via email

The execution of this ransomware is automatically prevented by our solution Cyber Protect.


The Solution: Cyber Protect detects malware and ransomware using artificial intelligence and cloud-based behavior pattern matching

Every piece of malware has its own behavior pattern. That is why our Cyber Protect solution relies on Acronis and the renowned BitDefender Behavioral Detection Engine to recognize these patterns immediately. At the same time, the patterns are matched against those in the cloud, which ensures that even previously unknown malware is detected immediately.

The 10 most dangerous malware and ransomware variants (Currently these are Maze, REvil, SNAKE, Nemty, NetWalker, Ragnar Locker, MegaCortex, CLOP, DoppelPaymer, Thanos) are automatically detected and stopped by Cyber Protect. Any already compromised files are automatically restored from backup.

Built-in self-protection functions prevent the Cyber Protection Agent from being terminated and the backup schedule from being tampered with. A selection of behaviors that Cyber Protect recognizes and stops:

  • A process accessing certain (system) files
  • A process having a suspicious code pattern
  • A process accessing a large number of files and processing them according to a suspicious pattern (e.g., encryption)
  • A process attempting to deliberately disable protection functions or exploit known but unpatched vulnerabilities in the operating system or third-party software
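The two lists above (Maze's observable behaviors, and the kinds of process behavior a behavior-based engine reacts to) can be illustrated with a small detector. The following Python script is an added example, not code from the original post and not Cyber Protect's or BitDefender's own engine. It runs three heuristics over a constructed stream of endpoint telemetry events: a process launching a shadow-copy deletion command, a process connecting to the C&C address named in the post (91.218.114.0), and a process performing a burst of high-entropy file writes within a short window, which is what mass encryption looks like on disk. The event format, the thresholds and the sample events are all assumptions made for this illustration.

```python
"""Behavior-based ransomware indicators over constructed endpoint telemetry.

Added example for illustration; not part of the original post and not the
code of any product mentioned there. Event schema and thresholds are assumed.
"""
import math
from collections import defaultdict

# C&C address taken from the post's description of Maze.
MAZE_C2_IP = "91.218.114.0"

# Command-line fragments commonly used to delete Windows shadow copies
# (the post notes Maze deletes shadow copies, like most ransomware).
SHADOW_DELETE_MARKERS = ("vssadmin delete shadows", "wmic shadowcopy delete")

ENTROPY_THRESHOLD = 7.5    # bits per byte; encrypted output is close to 8.0
MASS_WRITE_THRESHOLD = 5   # high-entropy writes by one process inside the window
WINDOW_SECONDS = 60        # sliding window for the mass-write heuristic


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyse(events):
    """Run the three heuristics over a list of event dicts.

    Each event has 'ts' (seconds), 'pid' and 'type'; 'process_create' events
    carry 'cmdline', 'net_connect' events carry 'dst_ip', 'file_write' events
    carry 'path' and 'data'. Returns {pid: [alert, ...]} for flagged processes.
    """
    alerts = defaultdict(list)
    recent_writes = defaultdict(list)   # pid -> timestamps of high-entropy writes
    mass_alerted = set()                # pids that already got a mass-write alert

    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if ev["type"] == "process_create":
            cmd = ev["cmdline"].lower()
            if any(marker in cmd for marker in SHADOW_DELETE_MARKERS):
                alerts[pid].append("shadow-copy deletion: " + ev["cmdline"])
        elif ev["type"] == "net_connect":
            if ev["dst_ip"] == MAZE_C2_IP:
                alerts[pid].append(f"connection to known Maze C&C {MAZE_C2_IP}")
        elif ev["type"] == "file_write":
            if shannon_entropy(ev["data"]) < ENTROPY_THRESHOLD:
                continue                # plain documents are low entropy; ignore
            stamps = recent_writes[pid]
            stamps.append(ev["ts"])
            # drop writes that fell out of the sliding window
            while stamps and ev["ts"] - stamps[0] > WINDOW_SECONDS:
                stamps.pop(0)
            if len(stamps) >= MASS_WRITE_THRESHOLD and pid not in mass_alerted:
                mass_alerted.add(pid)
                alerts[pid].append(
                    f"{MASS_WRITE_THRESHOLD} high-entropy file writes "
                    f"within {WINDOW_SECONDS}s (possible mass encryption)")
    return dict(alerts)


# Constructed sample telemetry: pid 100 is a benign editor saving text,
# pid 200 shows the Maze-like sequence described in the post.
SAMPLE_EVENTS = [
    {"ts": 0, "pid": 100, "type": "file_write",
     "path": "C:\\Users\\a\\notes.txt", "data": b"meeting notes " * 10},
    {"ts": 1, "pid": 200, "type": "process_create",
     "cmdline": "vssadmin delete shadows"},
    {"ts": 2, "pid": 200, "type": "net_connect", "dst_ip": MAZE_C2_IP},
] + [
    {"ts": 3 + i, "pid": 200, "type": "file_write",
     "path": f"C:\\Users\\a\\doc{i}.docx", "data": bytes(range(256))}
    for i in range(6)
]

if __name__ == "__main__":
    for pid, found in analyse(SAMPLE_EVENTS).items():
        for line in found:
            print(f"pid {pid}: {line}")
```

Running the script flags only pid 200, with one alert per heuristic; the benign editor's plain-text writes stay well below the entropy threshold. In a real engine the same signals would be correlated with process ancestry and file-type information rather than fired independently, but the principle of scoring observed behavior instead of matching a known hash is what lets this kind of detection catch variants that have never been seen before.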

In each of the above cases, you are informed immediately about the finding, including a report on what led to the detection and what the process did. Additionally, a blacklist and a whitelist can be configured so that specific processes or folders are excluded from scanning.

If you would like to learn more about Cyber Protect or test the solution, we look forward to hearing from you.