Product
Product overview

See how dev-centric DAST for the enterprise secures your business.

Web attacks

Continuous security testing for web applications at high-scale.

API attacks

Safeguard your APIs no matter how often you deploy.

Business logic attacks

Future-proof your security testing with green-flow exploitation testing.

LLM attacks

Next-gen security testing for LLM & Gen AI powered applications and add-ons.

Interfaces & extensions

Security testing throughout the SDLC - in your team’s native stack.

Integrations

Connecting your security stack & resolution processes seamlessly.

Docs

Getting started with Bright and implementing it in your enterprise stack.

Book a demo

We’ll show you how Bright’s DAST can secure your security posture.

Resources
Blog

Check out or insights & deep dives into the world of security testing.

Webinars & events

Upcoming & on-demand events and webinars from security experts.

Docs

Getting started with Bright and implementing it in your enterprise stack.

Case studies

Dive into DAST success stories from Bright customers.

Research

Download whitepapers & research on hot topics in the security field.

Company
About us

Who we are, where we came from, and our Bright vision for the future.

News

Bright news hot off the press.

Webinars & events

Upcoming & on-demand events and webinars from security experts.

We're hiring

Want to join the Bright team? See our open possitions.

Bug bounty

Found a security issue or vulnerability we should hear about? Let us know!

Contact us

Need some help getting started? Looking to collaborate? Talk to us.

Resources > Blog >
Exploring Maze and Lockbit Ransomware Gangs

Exploring Maze and Lockbit Ransomware Gangs

Levan Abesadze

Part 2 of 2

In the previous segment of our blog series, we looked at the operations of Ryuk/ Conti, also known as “Wizard Spider,”  shedding light on their tactics and impact. In this section, we turn our attention to Maze and Lockbit, two formidable players in the cyber threat landscape, exploring their collaborative dynamics, unique characteristics, and the evolving strategies that define their ransomware campaigns. 

Maze: Collaborations and Shifting Dynamics 

Maze, known for its utilization of RDP brute force, strategically avoids old Soviet countries and swiftly exits systems using the Russian language. This group poses a significant threat to the UK, particularly targeting hospitals during the COVID-19 pandemic. Of course, this sounds similar to a previous gang we discussed, known as Conti. 

While Conti is a formidable force, Maze surpasses them in strength and collaboration. Distinguishing itself from Conti, Maze employs ransomware with the ChaCha algorithm and offers ransomware as a service – a novel development in the cybercrime era. The ChaCha algorithm operates on the principles of symmetric key cryptography, where the same key is used for both encryption and decryption. Ransomware as a Service (RaaS) is a cybercriminal business model in which individuals or groups develop and distribute ransomware, making it available for others to use in exchange for a share of the ransom payment. This collaboration amplifies the impact of ransomware attacks, presenting a multifaceted challenge for cybersecurity professionals. The emergence of ransomware as a service further commodifies cyber threats, enabling even less sophisticated actors to participate in malicious activities.  

Unique Characteristics

Maze introduces a distinctive practice where, if the target refuses to pay the ransom, they publicly release unencrypted data. This approach has been adopted by other ransomware gangs, including Lockbit. Intriguingly, Maze declared collaboration with other groups after shutting down, viewing them as friends rather than competitors. The use of QakBot, shared malware with Egregor, raises speculations about potential connections between the two malwares. QakBot, also known as Qbot, is a sophisticated banking trojan and malware strain that primarily targets Windows-based systems. Egregor is a notorious ransomware strain that emerged in September 2020. It gained prominence for its advanced tactics, techniques, and procedures (TTPs), as well as its aggressive and highly effective approach to extortion. Shared malware suggests a level of collaboration of knowledge exchange between the groups, leading cybersecurity experts to investigate whether there is a more significant relationship or affiliation. The ever-evolving nature of these ransomware groups is evident as Egregor takes over Maze’s operations following its shutdown, emphasizing the need for continuous vigilance. 

Hospital Targeting and Impact

While Maze purportedly refrained from targeting hospitals in 2020 due to the impact of Covid-19, incidents, like the attack on a German hospital resulting in a tragic death, expose the grim reality. Despite claims by various ransomware groups that they do not target healthcare facilities, subsequent attacks on these institutions persist, underscoring the severity of the issue. The intersection of cyber threats and healthcare vulnerabilities become even more apparent, as these attacks not only jeopardize sensitive patient data but also directly impact medical services and, tragically, even patient outcomes. 

Lockbit: Connections and Apologies 

Lockbit follows a trajectory similar to Conti, utilizing its own ransomware encryptor. Recent reports suggest Lockbits adoption of the Lockbit green ransomware encryption method, based on Conti Green Ransomware. Here, the ransomware encrypts the victim’s data and appends a random extension to the filenames of all encrypted files. The encryption process is automatic and targets devices across Windows domains. Connections between Lockbit and Conti emerge as both groups attempt to recruit developers facing challenges. The dynamics of Lockbit’s attacks have shifted, evident in their actions towards German hospitals where apologies are replaced with unapologetic targeting. 

While focusing on this article, Lockbit once again launched an attack in the final days of January. Their target this time was Saint Anthony Hospital, a facility dedicated to providing care for children. The ransom demanded by the attackers amounted to $900,000. Shockingly, Lockbit did not provide a decryption key nor express any remorse for their malicious actions. They imposed a two-day negotiation period on the hospital, warning that failure to comply would result in the public release of all the data they had acquired from the institution.

Hospital Attacks and Lessons Learned

The Lockbit attack on SickKids Hospital in Canada was marked by an unusual event in the world of ransomware attacks – Lockbit issued an apology and provided a decryptor. This departure from the typical adversarial behavior of ransomware groups hinted at a potential sense of remorse or a strategic decision to present a more benevolent image. Offering a decryptor alongside an apology was uncommon in an ecosystem where threat actors are often known for their ruthless tactics and indifference to the consequences faced by their victims. 

However, this apparent display of empathy in the SickKids Hospital incident sharply contrasts with Lockbit’s subsequent actions in Germany, signaling a significant shift in their approach. In the German attacks, Lockbit abandoned the apologetic stance seen in Canada and embraced a more aggressive and unapologetic strategy. This change in behavior could be attributed to various factors, including shifts in the group’s leadership, modifications to their ransomware-as-a-service model, or a strategic decision to project a different image in response to evolving cybersecurity landscapes and law enforcement activities.

The intersection of cybersecurity and healthcare becomes apparent as hospitals become lucrative targets for ransomware attacks. The evolving landscape prompts reflections on past attacks by various ransomware groups and the indifference displayed even in the fact of condemnation. It underscores the critical need for heightened cybersecurity measures within the healthcare sector and beyond. 

How Bright can Help

Minimizing cybersecurity risks is paramount for businesses in today’s threat landscape. Thankfully, Bright’s Dev-centric DAST proves invaluable in this endeavor by effectively identifying vulnerabilities and offering robust mitigation processes. Its advanced capabilities include the detection of critical CVEs using sophisticated payloads and the reduction of false positives through AI. 

The constant emergence of new CVEs poses an ongoing threat to digital infrastructures, with hackers actively exploiting unpatched or outdated systems. A notable example is the CI0P group, utilizing CVE-2023-34362, a SQL injection vulnerability to deploy ransomware. Another avenue for attackers involves leveraging XSS to spread ransomware and tarnish an organization’s reputation. In the vast landscape filled with numerous vulnerabilities, Bright plays a crucial role during threat mapping activities. 

Upon identifying vulnerabilities related to web infrastructure, the SOC team can seamlessly implement prevention measures. This proactive cycle begins with discovery, followed by manual scanning and investigation processes, significantly reducing the time required for solution. While some CVEs or vulnerabilities may take days to address, Bright’s tool proves instrumental in minimizing this timeframe, ensuring thorough detection without potential false positives, thus optimizing the efficient use of time and resources. 

Conclusion

As we unravel the operations of Maze and Lockbit, the intricate dance between ransomware groups and cybersecurity professionals continues. Understanding their tactics, collaborations, and impact is pivotal in fortifying defenses against the evolving threats. As the landscape continues to evolve, proactive measures informed by a deep understanding of the adversaries become crucial for a robust security posture in 2024. 

Resources

DORA: Exploring The Path to Financial Institutions’ Resilience

DORA (Digital Operational Resilience Act) is the latest addition to the EU regulatory arsenal. A framework designed to bolster the cyber resilience of financial entities operating within the EU. But let’s face it: there’s no lack of regulations issued by the European Union legislature, and they’re not exactly known for keeping things light and easy.

IASTless IAST – The SAST to DAST Bridge

Streamline appsec with IASTless IAST. Simplify deployment, enhance accuracy, and boost your security posture by combining SAST and Bright’s DAST.

Bringing DAST security to AI-generated code

AI-generated code is basically the holy grail of developer tools of this decade. Think back to just over two years ago; every third article discussed how there weren’t enough engineers to answer demand; some companies even offered coding training for candidates wanting to make a career change. The demand for software and hardware innovation was

Get our newsletter