Severity
High
Analysis Summary
Maze, also known as ChaCha, is an infamous ransomware group. In a recent statement released on its victim-shaming website, the group claims to have hacked into the Bank of Costa Rica in August 2019 but did not pursue the attack further, citing the possible damage as too high. In February 2020, during a routine check of previously accessed systems, the group found that the bank's security had not been improved and that it still had access to the bank's network. Maze claims to have obtained years of transaction data, including credit card data for 11 million cards, of which 4 million are unique and 140,000 belong to US citizens.

As proof of this theft, Maze posted what they say are 240 credit card numbers, with the last four digits removed, along with expiration dates and credit card verification codes (CVC).

Bank of Costa Rica is a state-owned commercial bank that operates in Costa Rica. With equity of $806,606,710 and assets of $7,607,483,881, and founded on April 20, 1877, the Bank of Costa Rica has established itself as one of the strongest banking companies in both Costa Rica and Central America.
The Maze ransomware, previously known in the community as "ChaCha ransomware", uses 2048-bit Rivest-Shamir-Adleman (RSA) and the ChaCha20 stream cipher to encrypt individual files. It appends different extensions to the files during the encryption process. It then changes the user's desktop wallpaper to a message about the encrypted files and the file name of the dropped ransom note. A notable feature of Maze ransomware is that it sets the ransom amount based on the type of device it detects, which is uncommon among other types of ransomware. Maze operators have used the following labels to indicate the user's computer type in the wallpaper message:
- standalone server
- server in corporate network
- workstation in corporate network
- home computer
- primary domain controller
- backup server
- very valuable for you
Maze ransomware is distributed in several different ways. It has utilized the Spelevo and Fallout exploit kits, and one of the vulnerabilities Maze targets is CVE-2018-15982 in Flash Player. It is also worth noting that in the case of the Fallout kit, users were redirected to the exploit from a fake cryptocurrency trading platform. Another observed attack vector is email spam campaigns containing a Microsoft Office document with a malicious macro. For a technical analysis of Maze ransomware, please check Advisory # 7186.
Impact
- Data Loss
- Information Theft
- Reputation Loss
Indicators of Compromise
SHA-256
Remediation
Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercrime operations. Large organizations are high-value targets from which attackers can demand bigger ransoms.
It is recommended to:
- Back up important files regularly. Use the 3-2-1 rule: keep three copies of your data, on two different storage types, with at least one copy offsite.
- Apply the latest updates to your operating systems and apps.
- Educate your employees so they can identify social engineering and spear-phishing attacks.
- Enable controlled folder access. It can stop ransomware from encrypting files and holding them for ransom.
- Block all threat indicators at their respective controls.
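As an added example that is not part of the original advisory, the following PowerShell enables and verifies Microsoft Defender Controlled Folder Access, the control recommended in the list above, and pulls the events it generates so blocked writes can be reviewed. The share and application paths are placeholders, not values from this advisory.

```powershell
# Added example (not from the Rewterz advisory): enable Microsoft Defender
# Controlled Folder Access, protect an additional share, allow a trusted
# application, and surface what the control has blocked.
# Folder and application paths below are placeholders; adjust for your estate.

# 1. Turn the control on. Use 'AuditMode' first to see what would be blocked
#    without disrupting users, then switch to 'Enabled'.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 2. Protect locations beyond the default user profile folders.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\FinanceShare'   # placeholder path

# 3. Allow a known-good application that legitimately writes into protected
#    folders, so the control does not break line-of-business software.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\Ledger.exe'   # placeholder path

# 4. Verify the resulting state (EnableControlledFolderAccess: 1 = Enabled, 2 = AuditMode).
$pref = Get-MpPreference
[pscustomobject]@{
    Mode             = $pref.EnableControlledFolderAccess
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications
}

# 5. Review what the control has blocked or audited in the last 7 days.
#    Event 1123 = write blocked, 1124 = write audited (Defender operational log).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} | Select-Object TimeCreated, Id, Message
```

Run the script from an elevated PowerShell session on a host with Microsoft Defender Antivirus active; a burst of 1123 events from an unexpected process is a useful early signal for ransomware-style mass file writes.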