The Maze Ransomware is not a new infection, but it has gained momentum with new campaigns, partnered with exploit kits, and put playful comments in its executables. According to security researcher JAMESWT, users in Italy were targeted with spam emails reported by the Italian Revenue Agency, or Entrate Agency, which collects government taxes and profits. These emails carry the subject ‘AGGIORNAMENTO: Attivita di contrasto all’evasione’ and include a Word document called ‘VERDI.doc’, which probably contains new instructions for businesses and people.
Spam Email
The Italian text for the following e-mails is:
This translates to English as:
If a user opens the attached VERDI.doc, the file will be encrypted with RSA encryption and the user must “Enable data” to access it correctly.
Malicious Word Document
If the user enables the content, an embedded macro is executed that downloads the ransomware to the file C:\Windows\Temp\wupd12.14.tmp and executes it.
Malicious Macros
When you open your computer, Maze encrypts the wallpaper and switches it to a picture containing information on your files and how to find the ransom note.
Desktop Wallpaper
The ransom note is called DECRYPT-FILES.txt and provides instructions with a link to the Maze web page, where payment for the decryption key is requested in different amounts depending on the type of device encrypted.
Maze Ransom Note
The ransom amount for our test is $1,200 USD. Unfortunately, there is no way to decrypt files that have been encrypted by the Maze Ransomware at this point. You are advised to try to restore encrypted files from backups.
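The infection chain above leaves artifacts a defender can hunt for: the payload path the macro writes and runs, and the DECRYPT-FILES.txt note. The following Python is an added example, not part of the original article; it checks process-creation and file-creation events for them and also generalizes beyond the exact path to any .tmp image run from C:\Windows\Temp. The event dicts borrow the Sysmon field names Image and TargetFilename (event IDs 1 and 11); the host and id keys, rule names, Office process list, folder threshold and sample events are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Indicators taken from the article text (compared in lower case).
IOC_PAYLOAD = r"c:\windows\temp\wupd12.14.tmp"
RANSOM_NOTE = "decrypt-files.txt"
# Assumptions for this example: macro-capable hosts, temp dir, alert threshold.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
WIN_TEMP = "c:\\windows\\temp\\"
NOTE_DIR_THRESHOLD = 3

def detect(events):
    """Return (host, rule) alerts for Sysmon-style process/file events."""
    alerts, note_dirs = [], defaultdict(set)
    for ev in events:
        host, image = ev["host"], ev.get("Image", "").lower()
        if ev["id"] == 1:  # process creation
            if image == IOC_PAYLOAD:
                alerts.append((host, "maze_payload_path_executed"))
            elif image.startswith(WIN_TEMP) and image.endswith(".tmp"):
                alerts.append((host, "tmp_image_run_from_windows_temp"))
        elif ev["id"] == 11:  # file creation
            target = ev.get("TargetFilename", "").lower()
            if ntpath.basename(image) in OFFICE_APPS and target.startswith(WIN_TEMP):
                alerts.append((host, "office_wrote_to_windows_temp"))
            if ntpath.basename(target) == RANSOM_NOTE:
                note_dirs[host].add(ntpath.dirname(target))
                # Fire once, when the note reaches the threshold of folders.
                if len(note_dirs[host]) == NOTE_DIR_THRESHOLD:
                    alerts.append((host, "ransom_note_in_many_folders"))
    return alerts

# Constructed sample events (not real telemetry); pc2's Word write is benign.
WORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
SAMPLE = [
    {"host": "pc1", "id": 11, "Image": WORD, "TargetFilename": IOC_PAYLOAD},
    {"host": "pc1", "id": 1, "Image": r"C:\Windows\Temp\wupd12.14.tmp"},
    {"host": "pc1", "id": 11, "TargetFilename": r"C:\Users\a\Desktop\DECRYPT-FILES.txt"},
    {"host": "pc1", "id": 11, "TargetFilename": r"C:\Users\a\Documents\DECRYPT-FILES.txt"},
    {"host": "pc1", "id": 11, "TargetFilename": r"C:\Users\a\Pictures\DECRYPT-FILES.txt"},
    {"host": "pc2", "id": 11, "Image": WORD,
     "TargetFilename": r"C:\Users\b\AppData\Local\Temp\~WRD0001.tmp"},
    {"host": "pc2", "id": 1, "Image": r"C:\Windows\Temp\upd77.tmp"},
]

if __name__ == "__main__":
    for host, rule in detect(SAMPLE):
        print(host, rule)
```

File names and paths are easy for an operator to change between campaigns, so the exact-path rule is the most brittle of the four; the Office-writes-to-temp and note-spread rules describe behaviour and hold up better.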