{
	"id": "ff141923-77a0-44e0-8dc4-f0dab87f517c",
	"created_at": "2026-04-06T00:06:29.837368Z",
	"updated_at": "2026-04-10T03:20:26.763713Z",
	"deleted_at": null,
	"sha1_hash": "e611915478ef9114554683f03b7b55f844f9aeed",
	"title": "Threat Brief: Maze Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64060,
	"plain_text": "Threat Brief: Maze Ransomware\r\nBy Brittany Barbehenn, Doel Santos\r\nPublished: 2020-05-08 · Archived: 2026-04-05 17:08:21 UTC\r\nSeveral adversarial techniques were observed in this activity.\r\nThe following measures are suggested within Palo Alto Networks products and services for Maze ransomware:\r\nTactic | Technique (MITRE ATT&CK ID) | Product/Service: Course of Action\r\nInitial Access | External Remote Services (T1133)\r\n - NGFW: Configure Interfaces and Zone segmentation\r\n - Threat Prevention†: Deploy Vulnerability Protection Profile for all low and high severity threats with block action\r\n - Cortex XDR: Configure Host Firewall Profile\r\nInitial Access | Spear-Phishing Attachment (T1193)\r\n - NGFW: Configure a File Blocking Profile\r\n - Threat Prevention†: Enable Anti-Virus profile with reset-both action\r\n - WildFire: Forward files for WildFire Analysis\r\n - Cortex XDR: Configure Malware Security Profile\r\nInitial Access | Drive-by Compromise (T1189)\r\n - NGFW: Block all unknown and unauthorized applications\r\n - Threat Prevention†: Deploy Vulnerability Protection Profile for all low and high severity threats with block action\r\n - DNS Security†: Enable DNS Security in Anti-Spyware profile\r\n - URL Filtering†: Control web access based on URL Category\r\n - WildFire: Forward files for WildFire Analysis\r\nInitial Access | Trusted Relationship (T1199)\r\n - NGFW: Configure Interfaces and Zones segmentation\r\nInitial Access, Privilege Escalation, Persistence, Defense Evasion | Valid Accounts (T1078)\r\n - NGFW: Configure Multi-Factor Authentication\r\n - Threat Prevention†: Enable Credential Phishing protection\r\nhttps://unit42.paloaltonetworks.com/threat-brief-maze-ransomware-activities/\r\nPage 1 of 5\r\n - Cortex XSOAR: Deploy Cortex XSOAR Playbook - Access Investigation\r\nExecution, Defense Evasion | Scripting (T1064)\r\n - WildFire: Forward files for WildFire Analysis\r\n - Cortex XDR: Enable Anti-Exploit and Anti-Malware Protection\r\nExecution | PowerShell (T1086)\r\n - Cortex XDR: Enable Anti-Exploit and Anti-Malware Protection\r\nExecution | Command-Line Interface (T1059)\r\n - Cortex XDR: Enable Anti-Exploit and Anti-Malware Protection\r\nExecution | Service Execution (T1035)\r\n - Cortex XDR: Configure Behavioral Threat Protection under the Malware Security Profile\r\nPersistence | Modify Existing Service (T1031)\r\n - Cortex XDR: Configure Behavioral Threat Protection under the Malware Security Profile\r\nPersistence | Registry Run Keys / Startup Folder (T1060)\r\n - Cortex XDR: Configure Behavioral Threat Protection under the Malware Security Profile\r\nPersistence | New Service (T1050)\r\n - Cortex XDR: Configure Behavioral Threat Protection under the Malware Security Profile\r\nPrivilege Escalation | Exploitation for Privilege Escalation (T1068)\r\n - Cortex XDR: Enable Anti-Exploit and Anti-Malware Protection\r\nDefense Evasion | NTFS File Attributes (T1096)\r\n - NGFW: Block all unknown and unauthorized applications\r\n - WildFire: Forward files for WildFire Analysis\r\n - Cortex XDR: Configure Behavioral Threat Protection under the Malware Security Profile\r\nDefense Evasion | Obfuscated Files or Information (T1027)\r\n - WildFire: Forward files for WildFire Analysis\r\n - Cortex XDR: Enable Anti-Exploit and Anti-Malware Protection\r\nDefense Evasion | Disabling Security Tools (T1089)\r\n - Cortex XDR: Configure Behavioral Threat Protection under the Malware Security Profile\r\nCredential Access | Brute Force (T1110)\r\n - NGFW: Create a rule to modify the default action for all signatures in the brute force category to block-ip address action\r\nCredential Access | Credential Dumping (T1003)\r\n - Cortex XDR: Cortex XDR monitors for behavioral events and files associated with credential access and exfiltration\r\nLateral Movement | Remote Desktop Protocol (T1076)\r\n - NGFW: Configure Multi-Factor Authentication, Create User Group for Limited Access to Allow List Applications, Configure Interfaces and Zones segmentation\r\n - Cortex XDR: Configure Host Firewall Profile\r\nCollection | Data from Local System (T1005)\r\n - Cortex XDR: Cortex XDR monitors for behavioral events and files associated with collection activities\r\nCommand and Control | Standard Application Layer Protocol (T1071)\r\n - NGFW: Block all unknown and unauthorized applications\r\n - DNS Security†: Deploy Anti-Spyware profiles with block action\r\n - Cortex XDR: Cortex XDR monitors for behavioral events indicative of command and control activity\r\nCommand and Control | Remote File Copy (T1105)\r\n - NGFW: Block all unknown and unauthorized applications\r\n - WildFire: Forward files for WildFire Analysis\r\n - Cortex XDR: Cortex XDR monitors for behavioral events associated with file creation, staging, and exfiltration\r\nCommand and Control | Standard Cryptographic Protocol (T1032)\r\n - NGFW: Block all unknown and unauthorized applications, Enable SSL decryption\r\n - DNS Security†: Enable DNS Security in Anti-Spyware profile\r\n - WildFire: Forward SSL decrypted files to WildFire\r\nDiscovery | File and Directory Discovery (T1083)\r\n - Cortex XDR: Cortex XDR monitors for behavioral events along a causality chain to identify discovery behaviors\r\nDiscovery | Network Share Discovery (T1135)\r\n - Cortex XDR: Cortex XDR monitors for behavioral events along a causality chain to identify discovery behaviors\r\nDiscovery | Process Discovery (T1057)\r\n - Cortex XDR: Cortex XDR monitors for behavioral events along a causality chain to identify discovery behaviors\r\nDiscovery | Software Discovery (T1518)\r\n - Cortex XDR: Cortex XDR monitors for behavioral events along a causality chain to identify discovery behaviors\r\nDiscovery | System Information Discovery (T1082)\r\n - Cortex XDR: Cortex XDR monitors for behavioral events along a causality chain to identify discovery behaviors\r\nExfiltration | Data Encrypted (T1022)\r\n - Cortex XDR: Configure Behavioral Threat Protection under the Malware Security Profile\r\nExfiltration | Exfiltration Over Alternative Protocol (T1048)\r\n - NGFW: Block all unknown and unauthorized applications\r\n - DNS Security†: Enable DNS Security in Anti-Spyware profile\r\nExfiltration | Exfiltration Over Command and Control (T1041)\r\n - NGFW: Block all unknown and unauthorized applications\r\n - DNS Security†: Enable DNS Security in the Anti-Spyware profile\r\n - Threat Prevention†: Enable Anti-Spyware Profile with Block Action\r\nImpact | Data Encrypted for Impact (T1486)\r\n - Cortex XSOAR: Deploy Cortex XSOAR Playbook - Ransomware Manual for incident response\r\nTable 1. Course of Action for Maze Ransomware\r\n† These capabilities are part of the NGFW security subscriptions service\r\nRecently, malicious operators behind the Maze ransomware activities compromised multiple IT service providers. These operators were also able to establish a foothold within another victim’s network through insecure Remote Desktop Protocol and other remote service connections or by brute-forcing the local administrator account. Organizations should be mindful of potential compromises through third-party sources and ensure strong passwords are used for all systems capable of remote access.\r\nIt was also reported that Maze operators pay special attention to cloud backups on the compromised network. If the operators were to obtain login credentials, they are then able to download all backup data to an actor-controlled server. Organizations should ensure that all cloud backup files are properly stored and protected.\r\nRansomware is a criminal business model that uses malicious software to hold valuable files and other data for ransom. Victims of ransomware attacks may have their operations degraded or shut down entirely.\r\nPalo Alto Networks customers can review activity associated with this Threat Brief via AutoFocus using the following tags: Maze, SpelevoEKFlashContainer\r\nPalo Alto Networks Cortex XDR contains an Anti-Ransomware Protection module. This module targets encryption-based activity associated with ransomware. Cortex XDR contains defined behavioral indicators of compromise designed to detect anomalies within your network.\r\nThe suggested courses of action in this report are based on the information currently available to Palo Alto Networks and the capabilities within Palo Alto Networks products and services.\r\nSource: https://unit42.paloaltonetworks.com/threat-brief-maze-ransomware-activities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/threat-brief-maze-ransomware-activities/"
	],
	"report_names": [
		"threat-brief-maze-ransomware-activities"
	],
	"threat_actors": [],
	"ts_created_at": 1775433989,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e611915478ef9114554683f03b7b55f844f9aeed.pdf",
		"text": "https://archive.orkl.eu/e611915478ef9114554683f03b7b55f844f9aeed.txt",
		"img": "https://archive.orkl.eu/e611915478ef9114554683f03b7b55f844f9aeed.jpg"
	}
}