Anti-Malware Research Whitepapers

A Malware Researcher’s Guide to Reversing Maze Ransomware

At the end of May 2019, a new family of ransomware called Maze emerged into the gaping void left by the demise of the GandCrab ransomware.

Unlike run-of-the-mill commercial ransomware, Maze authors implemented a data theft mechanism to exfiltrate information from compromised systems. This information is used as leverage for payment and to transform an operational issue into a data breach.

In November 2019, the Bitdefender Active Threat Control team spotted spikes in reports of the ‘random’ process name being blocked from escalating privileges, by the Bitdefender Anti-Exploit module. We were curious about the executable, and how it tried to achieve System privileges.

Further investigation revealed that the process belongs to the Maze/ChaCha ransomware, so we took a deeper look.

We documented our findings in a whitepaper that attempts to shed some light on how Maze performs evasion, exploitation,obfuscation and finally, system encryption.

Sounds interesting? Download the whitepaper using the link below:

Download the Maze Ransomware Whitepaper

About the author

Mihai Neagu

Passionate about reverse engineering, Mihai worked on malware analysis and detection techniques in the past. Now he is doing research on exploit detection and mitigation for Windows applications.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as director of threat research. When he is not documenting sophisticated strains of malware or planning removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

Add Comment

Click here to post a comment