What is Maze Ransomware
Maze is a ransomware program discovered by malware researcher Jérôme Segura. It has been observed using the RSA-2048 and ChaCha encryption algorithms and has been distributed in several different versions. Depending on the version that attacked the system, victims may see either the .maze or the .ILnnD extension added to their files. For instance, an original file like 1.pdf may end up as 1.pdf.maze or 1.pdf.ILnnD after successful encryption. After this, the virus changes the desktop wallpaper and creates either a DECRYPT-FILES.html or a DECRYPT-FILES.txt file, again depending on the version of the ransomware. Make sure you read our article below to potentially decrypt your data for free.
****************************************************************************************
Attention! Your documents, photos, databases, and other important files have been encrypted!
*****************************************************************************************
What is going on?
Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system
You can read more about this cryptosystem here: hxxps://en.wikipedia.org/wiki/RSA_(cryptosystem)
The only way to recover (decrypt) your files is to buy decryptor with the unique private key
Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!
By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.
In order to either buy the private key or make test decryption contact us via email:
Main e-mail: koreadec@tutanota.com
Reserve e-mail: yourrealdecrypt@airmail.cc
Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies
If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one
Below you will see a big base64 blob, you will need to email us and copy this blob to us.
you can click on it, and it will be copied into the clipboard.
If you have troubles copying it, just send us the file you are currently reading, as an attachment.
Base64:
-
Attention!
---------------------------
| What happened?
---------------------------
All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps.
---------------------------
| How to get my files back?
---------------------------
The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers.
To contact us and purchase the key you have to visit our website in a hidden TOR network.
There are general 2 ways to reach us:
1) [Recommended] using hidden TOR network.
a) Download a special TOR browser: https://www.torproject.org/
b) Install the TOR Browser.
c) Open the TOR Browser.
d) Open our website in the Tor browser: http://aoacugmutagkwctu.onion/
e) Follow the instructions on this page.
2) If you have any problems connecting or using TOR network
a) Open our website: https://mazedecrypt.top/
b) Follow the instructions on this page.
Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use.
On this page, you will see instructions on how to make a free decryption test and how to pay.
Also it has a live chat with our operators and support team.
---------------------------
| What about guarantees?
---------------------------
We understand your stress and worry.
So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer!
If you have any problems our friendly support team is always here to assist you in a live chat!
THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU
--BEGIN MAZE KEY---
--END MAZE KEY---
The information provided in these notes is almost identical and is designed to instruct victims on decryption steps. The notes claim that the only viable way for victims to restore access to their data is to buy a unique decryption tool from the attackers. Depending on the Maze version, victims are asked to contact the cybercriminals via one of the given e-mail addresses, a link opened in TOR Browser, or the cybercriminals’ own website. When making contact, victims must include the long generated string of characters found at the bottom of the ransom note. After this, the threat actors provide further instructions on how to perform the monetary transfer. Victims are also told they can send 1 or 3 files (depending on the ransomware version) and get them decrypted for free. This way, the extortionists prove that they are able to restore the blocked access and give victims more confidence in paying the ransom. Although the notes read as user-friendly, victims of Maze Ransomware (mostly companies) reported that they were threatened with public leakage of their data if they refused to pay the specified ransom. Unfortunately, such threats have come true, as Maze developers did leak the collected data to public resources. Note that trusting ransomware developers is always a risk, and victims may end up scammed.
In 2020, Maze Ransomware started collaborative distribution with affiliates, essentially allowing other threat actors to use the ransomware and share profits with the original developers. This undermines trust even further, as it is uncertain whether the affiliated threat actors are diligent and trustworthy. As a rule, the damage done by ransomware encryption is hard to reverse without the help of the cybercriminals. Luckily, some versions of Maze Ransomware can be decrypted with a free-to-use decryption tool released by Emsisoft. This became possible after private keys slipped out of the cybercriminals' hands and were leaked in 2020. The tool works for the Maze, Egregor, and Sekhmet ransomware programs. However, considering that 2 years have passed since its release, it is possible that newer versions cannot be decrypted by third-party tools at the moment. When no third-party tool is available, the ultimate way to restore data for free without the help of cybercriminals is to recover the files from backup storage (e.g., USB flash card, external hard drive, cloud, etc.) that was isolated at the time of encryption. Please note that before trying any manual recovery method, be it a third-party tool or recovery from backup, it is important to get rid of the ransomware so that it does not continue its malicious activity. You can easily do it using our article below. Also, for more detailed information about the operation of Maze Ransomware, you can read this research summary done by McAfee.
How Maze Ransomware infected your computer
This ransomware has mainly been distributed through exploit kits (“Fallout” and “Spelevo”), e-mails impersonating legitimate entities, and other channels that involve phishing techniques. Exploit kits are tools designed to take control of a system and inject malicious infections such as ransomware. Users typically run into an exploit kit when they click on a malvertising link that leads to a webpage containing one. The exploit kit then looks for vulnerabilities within the system and uses them to run commands that inject malware. Many exploits target commonly used software, such as Adobe Reader, the Java Runtime Environment, Adobe Flash, and others, to achieve infiltration. Malicious links tend to be distributed via spam e-mails, which cybercriminals disguise as something “legitimate” and “important”. The message may appear to come from representatives of popular agencies or companies and encourage users to open a link or attachment. Files with .DOCX, .XLSX, .PDF, .EXE, .ZIP, .RAR, .JS, and other extensions are often the ones cybercriminals misuse for dropping various infections. They can contain trojans or direct ransomware infections that will be installed once the file is completely opened. The reason we say “complete” is that some files, like MS Office documents, require additional steps such as disabling the “Protected View” mode before the infection can be installed. Note that these file types are not malicious in themselves. Cybercriminals simply learned how to configure them to their needs and use their technical properties to install malware.
In order to be protected against such infiltration techniques in the future, it is important to avoid browsing dubious content, clicking on suspicious links/attachments, and downloading software from potentially unsafe resources (freeware download websites, free file hosting pages, Peer-to-Peer networks such as torrent clients, and so forth). Read our guide below to get practical advice and tools for protecting yourself against such threats in the future.
- Download Maze Ransomware Removal Tool
- Get decryption tool for .maze files
- Recover encrypted files with Stellar Data Recovery Professional
- Restore encrypted files with Windows Previous Versions
- Restore files with Shadow Explorer
- How to protect from threats like Maze Ransomware
Download Removal Tool
To remove Maze Ransomware completely, we recommend using SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders, and registry keys of Maze Ransomware. The trial version of SpyHunter 5 offers a virus scan and 1-time removal for FREE.
Alternative Removal Tool
To remove Maze Ransomware completely, we recommend using Norton Antivirus from Symantec. It detects and removes all files, folders, and registry keys of Maze Ransomware and prevents future infections by similar viruses.
Maze Ransomware files:
DECRYPT-FILES.html
{randomname}.exe
Maze Ransomware registry keys:
no information
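The file extensions and ransom-note names described in this article can be checked across a drive or a backup before anything is restored. The script below is an added example, not code from this article or from any vendor it mentions: it performs a read-only scan for those indicators and reports the oldest modification time among the encrypted files, which tells you how old a backup or shadow copy must be to predate the encryption. The names scan and demo, the 1 MB read limit, and the sample tree are assumptions made for the example.

```python
import os
import tempfile
from datetime import datetime, timezone

# Indicators named in the article; names are matched case-insensitively.
ENCRYPTED_EXTS = (".maze", ".ilnnd")
NOTE_NAMES = {"decrypt-files.html", "decrypt-files.txt"}
NOTE_MARKERS = ("--BEGIN MAZE KEY---", "Base64:")  # identifier-block labels in the notes


def scan(root):
    """Read-only walk of root: list encrypted files and ransom notes, and
    return the oldest encrypted-file mtime (UTC) as a restore cutoff."""
    encrypted, notes, earliest = [], [], None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                if lower in NOTE_NAMES:
                    with open(path, "r", errors="replace") as fh:
                        text = fh.read(1_000_000)
                    notes.append((rel, any(m in text for m in NOTE_MARKERS)))
                elif lower.endswith(ENCRYPTED_EXTS):
                    mtime = os.path.getmtime(path)
                    encrypted.append(rel)
                    earliest = mtime if earliest is None else min(earliest, mtime)
            except OSError:
                continue  # unreadable or vanished file: skip it and keep scanning
    cutoff = None if earliest is None else datetime.fromtimestamp(earliest, tz=timezone.utc)
    return {"encrypted": sorted(encrypted), "notes": notes, "cutoff": cutoff}


def demo():
    """Scan a constructed sample tree (made-up files, not real victim data)."""
    sample = {"docs/1.pdf.maze": b"x", "docs/2.xlsx.ILnnD": b"x",
              "docs/clean.pdf": b"x", "maze-report.txt": b"x",
              "docs/DECRYPT-FILES.txt": b"...\nBase64:\n-\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        # Backdate one file so the cutoff is deterministic (2020-09-13 12:26:40 UTC).
        os.utime(os.path.join(root, "docs", "1.pdf.maze"), (1_600_000_000,) * 2)
        return scan(root)
```

Call scan() with the path of a drive or backup folder; a non-empty "encrypted" list on a backup means that copy was reached by the ransomware, and "cutoff" is the time any restore point should predate.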
How to decrypt and restore .maze files
Use automated decryptors
Download EmsiSoft Maze Ransomware Decryptor
Use the following tool from EmsiSoft, called Decryptor for MazeSekhmetEgregor, which can decrypt .maze files. Download it here:
There is no point in paying the ransom, because there is no guarantee you will receive the key, and you will put your bank credentials at risk.
Dr.Web Rescue Pack
Famous antivirus vendor Dr. Web provides a free decryption service for the owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help with the decryption of .maze files by uploading samples to the Dr. Web Ransomware Decryption Service. File analysis is performed free of charge, and if the files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.
If you were infected with Maze Ransomware and have removed it from your computer, you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually, you can do the following:
Use Stellar Data Recovery Professional to restore .maze files
- Download Stellar Data Recovery Professional.
- Click the Recover Data button.
- Select the type of files you want to restore and click the Next button.
- Choose the location you would like to restore files from and click the Scan button.
- Preview the found files, choose the ones you want to restore, and click Recover.
Using Windows Previous Versions option:
- Right-click on the infected file and choose Properties.
- Select the Previous Versions tab.
- Choose a particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- In case there are no items in the list, choose an alternative method.
Using Shadow Explorer:
- Download the Shadow Explorer program.
- Run it and you will see a screen listing all the drives and the dates on which shadow copies were created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- In case there are no other dates in the list, choose an alternative method.
If you are using Dropbox:
- Log in to the Dropbox website and go to the folder that contains the encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect your computer from viruses like Maze Ransomware in the future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, and file protection that detects and blocks even unknown encryptors.
2. Back up your files
As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives, or remote network storage can be instantly infected by the virus once plugged in or connected to. Maze Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and a simple interface. You can read more about iDrive cloud backup and storage here.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.