Updated on 30/04/2020
Spack 1698 contains the IPS signatures, derived from the samples acquired so far, needed to block this malware's command-and-control channel when the "versa recommended profile" is applied. We still recommend blocking the ip-addresses listed below through the ip-filter for additional protection.
Updated on 22/Apr/2020
Based on our investigation of previous Maze ransomware attacks, we have compiled the following list of ip-addresses and domains, which should be blocked using the ip-filter and url-filter in the nextgen firewall security policy.
The ip-addresses that need to be blocked are as below. Create a black-list for these ip-addresses in the ip-filter.
91.218.114.4
91.218.114.11
91.218.114.25
91.218.114.26
91.218.114.31
91.218.114.32
91.218.114.37
91.218.114.38
91.218.114.77
91.218.114.79
91.218.114.30
The domains that need to be blocked are as below. Create a black-list for these domains in the url-filter (using url-pattern match).
mage01.mooo.com
mage02.mooo.com
lsb1.mooo.com
wholesalesconsignment.com
sicurezza.me
ns1.waser.ml
ns2.waser.ml
4allgod.com
busyway.su
automondeconsignment.com
ns1.showingemail.info
ns2.showingemail.info
nesinoder.com
apktool.info
to-apk.info
ns2.parens.ru
ns1.parens.ru
apk-get-update.info
true-apk.info
apk-tools.info
upd-ur-apk.info
apk-update.info
qwecklyapk.info
apks-rec.info
apkitsall.info
pure-apk.info
apkfinder.info
apkhila.info
aloha-edc.net
wwwcolnbase.com
1drivelive.com
hobbytel.com
secure-onedrive.com
paypallde.com
verify.paypallde.com
set-validator.com
exobot.cc
ns1.autozetconsignment.com
ns2.autozetconsignment.com
autozetconsignment.com
ns1.mentaemail.info
ns2.mentaemail.info
canadian-overnite.com
mobile.canadian-overnite.com
ns1.tallyemail.info
ns2.tallyemail.info
sandraboerner.de
jiridolezel.cz
anamartinez.es
mmreinigung.de
jeremyleon.fr
ns1.retenemail.info
ns2.retenemail.info
retenemail.info
ns2.adedemail.info
fermeri1.ru
lbi1.ru
ns1.adedemail.info
ns1.reddenemail.info
ns2.reddenemail.info
i1fermer.ru
bli1.ru
Apply a rule in the nextgen firewall security policy for the above mentioned ip-filter and url-filter.
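The three steps above (an ip-filter black-list, a url-filter black-list with url-pattern matching, and a policy rule that applies both) can also be run retrospectively against existing firewall or proxy logs to find hosts that already contacted these indicators before the rule was in place. The script below is an added example, not Versa's own code: it loads a subset of the ip-addresses and domains from the lists above, treats a url-pattern entry as covering the domain itself and any subdomain (so paypallde.com also covers verify.paypallde.com), and reports which of a few constructed key=value log lines would have hit either filter. The log format, the internal source addresses and the host cdn.exobot.cc are constructed for illustration.

```python
"""Match firewall/proxy log lines against the Maze ip-filter and url-filter lists.

Added example, not Versa's own code. The block-lists below are a subset of the
advisory's indicators; the log lines and their format are constructed.
"""
import ipaddress
import re

# ip-addresses from the advisory's ip-filter black-list.
BLOCKED_IPS = {
    "91.218.114.4", "91.218.114.11", "91.218.114.25", "91.218.114.26",
    "91.218.114.31", "91.218.114.32", "91.218.114.37", "91.218.114.38",
    "91.218.114.77", "91.218.114.79", "91.218.114.30",
}

# Subset of the advisory's url-filter black-list (the full list is above).
BLOCKED_DOMAINS = {
    "mage01.mooo.com", "mage02.mooo.com", "lsb1.mooo.com",
    "wholesalesconsignment.com", "sicurezza.me", "busyway.su",
    "ns1.showingemail.info", "ns2.showingemail.info", "apk-update.info",
    "paypallde.com", "exobot.cc", "canadian-overnite.com",
}

# Constructed sample log lines (timestamp followed by key=value fields).
SAMPLE_LOG = [
    "2020-04-22T10:15:01Z src=10.0.0.5 dst=91.218.114.31 dport=443 host=- action=allow",
    "2020-04-22T10:15:02Z src=10.0.0.7 dst=203.0.113.9 dport=443 host=cdn.exobot.cc action=allow",
    "2020-04-22T10:15:03Z src=10.0.0.8 dst=198.51.100.4 dport=80 host=example.org action=allow",
    "2020-04-22T10:15:04Z src=10.0.0.9 dst=91.218.114.99 dport=443 host=- action=allow",
    "2020-04-22T10:15:05Z src=10.0.0.9 dst=198.51.100.7 dport=53 host=ns1.showingemail.info action=allow",
    "2020-04-22T10:15:06Z src=10.0.0.6 dst=198.51.100.8 dport=443 host=notpaypallde.com action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize_host(host):
    """Lower-case the host and drop a trailing dot so comparisons are stable."""
    return host.strip().lower().rstrip(".")


def domain_matches(host, blocked=BLOCKED_DOMAINS):
    """Return the black-listed entry covering host (exact or parent domain), else None.

    Matching is label-aligned: notpaypallde.com does not match paypallde.com.
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def ip_matches(addr, blocked=BLOCKED_IPS):
    """True if addr parses as an IP address and is on the ip-filter black-list."""
    try:
        return str(ipaddress.ip_address(addr.strip())) in blocked
    except ValueError:
        return False


def parse_line(line):
    """Split a constructed log line into a dict of fields plus its timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def find_hits(lines):
    """Return (timestamp, source, reason) for each line that hits either filter."""
    hits = []
    for line in lines:
        f = parse_line(line)
        reason = None
        if ip_matches(f.get("dst", "")):
            reason = "ip-filter:" + f["dst"]
        else:
            entry = domain_matches(f.get("host", ""))
            if entry:
                reason = "url-filter:" + entry
        if reason:
            hits.append((f["ts"], f.get("src"), reason))
    return hits


if __name__ == "__main__":
    for ts, src, reason in find_hits(SAMPLE_LOG):
        print(f"{ts} {src} -> {reason}")
```

The suffix rule is what makes a url-pattern entry worth more than an exact string match: a single entry for a registered domain catches any host under it. Keep the ip-filter check first, since a connection straight to a listed address carries no host name at all.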
Along with the above configuration, Anti-virus should be activated. Below is an update from our vulnerability research engineering team regarding detection of this threat in our AV, which uses heuristic analysis to catch new variants. As with all malware threats, adding signatures for newly encountered variants is an ongoing process, so we recommend running the latest spack.
“we have several detection methods in place for this particular ransomware, both in exact signatures, such as:
W32/Ransom.HNTB-6020
and the more effective (proactive) heuristic detections, which have the ability to detect brand new, unseen variants:
W32/Ransom.NC.gen!Eldorado
W32/Filecoder.L.gen!Eldorado”
Our engineering team is also in the process of adding IPS signatures (derived from samples of this malware's file content/check-sums) to the "versa recommended profile" (vulnerability profile). These will likely be made available in spack 1697; the release timeline is yet to be confirmed.
For now, please follow the recommendation of blocking the ip-address/domain list along with AV activation to protect against this malware.