4/18/2020 Ransom.

Maze | Symantec

Symantec-Broadcom-Horizontal | United States

Close

Symantec Security Response

http://www.symantec.com/security_response/index.jsp

Ransom.Maze
Risk Level 1: Very Low
Discovered:
November 25, 2019
Updated:
November 26, 2019 3:16:20 PM
Type:
Trojan
Infection Length:
Varies
Systems Affected:
Windows

SUMMARY
Ransom.Maze is a Trojan horse that encrypts files on the compromised computer and
demands a payment to decrypt them.

Antivirus Protection Dates

Initial Rapid Release version November 25, 2019
Latest Rapid Release version November 25, 2019
Initial Daily Certified version December 19, 2019 revision 021
Latest Daily Certified version December 19, 2019 revision 021
Initial Weekly Certified release date November 27, 2019

Click here for a more detailed description of Rapid Release and Daily Certified virus
definitions.

TECHNICAL DETAILS
The Trojan may arrive on the compromised computer via exploit kit or malicious email.

Once executed, the Trojan encrypts files on the compromised computer using RSA encryption
and the ChaCha20 stream cipher. The Trojan appends several extensions to each file that it
encrypts.

The Trojan does not encrypt the following files:

[PATH TO ENCRYPTED FILES].DECRYPT-FILES.txt

143.127.10.117/security_response/print_writeup.jsp?docid=2019-112612-2128-99 1/4
4/18/2020 Ransom.Maze | Symantec

autorun.inf
boot.ini
desktop.ini
ntuser.dat
iconcache.db
bootsect.bak
ntuser.dat.log
thumbs.db
Bootfont.bin

The Trojan does not encrypt files with the following extensions:

.lnk
.exe
.sys
.dll

The Trojan deletes Shadow Copy files on the compromised computer.

The Trojan may change the wallpaper on the compromised computer.

The Trojan drops the following ransom note in all folders where it has encrypted files:

[PATH TO ENCRYPTED FILES].DECRYPT-FILES.txt

The ransom note informs the user their files have been encrypted and provides instructions on
how they may pay to have the files decrypted.

Recommendations
Symantec Security Response encourages all users and administrators to adhere to the
following basic security "best practices":

Use a firewall to block all incoming connections from the Internet to services that should
not be publicly available. By default, you should deny all incoming connections and only
allow services you explicitly want to offer to the outside world.
Enforce a password policy. Complex passwords make it difficult to crack password files
on compromised computers. This helps to prevent or limit damage when a computer is
compromised.
Ensure that programs and users of the computer use the lowest level of privileges
necessary to complete a task. When prompted for a root or UAC password, ensure that
the program asking for administration-level access is a legitimate application.
Disable AutoPlay to prevent the automatic launching of executable files on network and
removable drives, and disconnect the drives when not required. If write access is not
required, enable read-only mode if the option is available.
Turn off file sharing if not needed. If file sharing is required, use ACLs and password
protection to limit access. Disable anonymous access to shared folders. Grant access
only to user accounts with strong passwords to folders that must be shared.
Turn off and remove unnecessary services. By default, many operating systems install
auxiliary services that are not critical. These services are avenues of attack. If they are
removed, threats have less avenues of attack.

143.127.10.117/security_response/print_writeup.jsp?docid=2019-112612-2128-99 2/4
4/18/2020 Ransom.Maze | Symantec

If a threat exploits one or more network services, disable, or block access to, those
services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public
services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS
services.
Configure your email server to block or remove email that contains file attachments that
are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate compromised computers quickly to prevent threats from spreading further.
Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not
execute software that is downloaded from the Internet unless it has been scanned for
viruses. Simply visiting a compromised Web site can cause infection if certain browser
vulnerabilities are not patched.
If Bluetooth is not required for mobile devices, it should be turned off. If you require its
use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by
other Bluetooth devices. If device pairing must be used, ensure that all devices are set
to "Unauthorized", requiring authorization for each connection request. Do not accept
applications that are unsigned or sent from unknown sources.
For further information on the terms used in this document, please refer to the Security
Response glossary.

REMOVAL
You may have arrived at this page either because you have been alerted by your Symantec
product about this risk, or you are concerned that your computer has been affected by this
risk.

Before proceeding further we recommend that you run a full system scan. If that does not
resolve the problem you can try one of the options available below.

FOR NORTON USERS

If you are a Norton product user, we recommend you try the following resources to remove
this risk.

Removal Tool
Use our tools to remove aggressive risks from your computer.

Infected Windows system files may need to be repaired using the Windows installation CD.

How to reduce the risk of infection

Check out our extensive collections of helpful advice and tips on how to stay safe online.

FOR BUSINESS USERS

If you are a Symantec business product user, we recommend you try the following resources
to remove this risk.

Identifying and submitting suspect files

143.127.10.117/security_response/print_writeup.jsp?docid=2019-112612-2128-99 3/4
4/18/2020 Ransom.Maze | Symantec

Submitting suspicious files to Symantec allows us to ensure that our protection capabilities
keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec
Security Response and, where necessary, updated definitions are immediately distributed
through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby
are protected from attack. The following resources may help in identifying suspicious files for
submission to Symantec.

Locate a sample of a threat

Submit a suspicious file to Symantec

Removal Tool

Download SymDiag to detect Symantec product issues

About the Threat Analysis Scan in SymDiag
About Symantec Power Eraser
What you should know before you run Power Eraser

If you have an infected Windows system file, you may need to replace it using the Windows
installation CD.

MANUAL REMOVAL
The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan

For information on how to run a full system scan using your Symantec product, follow the
guidance given in the product's Help section.

2. Restoring settings in the registry

Many risks make modifications to the registry, which could impact the functionality or
performance of the compromised computer. While many of these modifications can be
restored through various Windows components, it may be necessary to edit the registry. See
in the Technical Details of this writeup for information about which registry keys were created
or modified. Delete registry subkeys and entries created by the risk and return all modified
registry entries to their previous values.

143.127.10.117/security_response/print_writeup.jsp?docid=2019-112612-2128-99 4/4