WannaCry Spin-off Computes Ransom Based on Computer

An uprising ransomware variant proves that even hackers can be considerate. Jerome Segura, a cybersecurity researcher with Malwarebytes, declared that Maze Ransomware, a WannaCry spin-off is capable of determining the ransom amount based on the status of the infected computer.

Maze, also called ChaCha ransomware, has already infected thousands of computers from around the world. The attack seems to be originated from a cloned cryptocurrency website.

Why would my computer status matter that much?

Whenever a fresh copy of Window is installed on the machine, the system asks you to input the computer’s status: home PC, standalone server, work computer, workstation operation within a corporate network.

In most cases, it’s not a big deal; users mostly type in whatever crosses their mind in order to get through the installation process as fast as possible.

It would seem that the status of your system is of paramount importance, especially with Maze on the rampage. Segura, the security researcher, credited with the discovery of this type of malware, said that the malware’s algorithms are capable of determining the ransom amount based on the status of your PC.

For instance, if you wrote “home computer,” the ransom will be adjusted as to accommodate your budget. On the other hand, if it stumbles upon a corporate workstation, the ransom will be ginormous – talk about ethical hackers!

How can an algorithm compute the sum on its own?

As Segura explained, the viral payload is transmitted through a cloned variant of Abra, a cryptocurrency site from which users can buy webpage traffic from various ad networks. The ‘chosen’ user is redirected to another page.

Once there, the payload is automatically downloaded in the system, where it begins to encrypt key files using a master RSA key and ChaCha keys for single files.

The algorithm would randomly assign extensions to system files, making them unreadable. When that’s done, the malware will display a text message on the screen. In some cases, it would also fire up a new Chrome tab which directs the user to the message page.

As for the ominous message, it reads:

Maze Ransomware,

Dear admin, your files have been encrypted by RSA-2048 and ChaCha algorithms. The only way to restore them is to buy (a) decryptor.  Our algorithms are one the strongest. You can read about them at Wikipedia. If you understand (the) importance of (this) situation, you can restore all files by following (the) instructions in DECRYPT-Files.html file.

In some cases, as a gesture of goodwill, the text comes with a post-scriptum that reads:

you can decrypt 1 file free as a proof of work. We know that this computer is a home computer, so we will you (the) appropriate price for recovering (your files).

Segura noted that some Maze variants have a Base64 string at the end of the message which contains a private and encrypted description of key computer info such as OS version, computer’s name, the name of the user which was logged in at the moment when the payload was delivered. Apparently, the victim has to email this text bulk back along with the ransom money.


Is Maze dangerous? Yes, it is, since it seems to indiscriminately target users. The best piece of advice we can give you is to update your OS to the latest build, install anti-malware software, and avoid opening spam emails that contain long-tailed URLs.

About Daniel Sadler

Old-school PC gamer, poetry buff, cat lover, tech wiz. His writing career began almost two decades ago when he modestly acknowledged that hindsight or, lack thereof, can compromise security. He enjoys spending quality time with his friends and family. Most of his friends refer to Daniel as a "man of a few words, but, man, what words!" His interests include cybersecurity, IT, blogging, and, of course, everything related to technology.

Leave a Reply

Your email address will not be published. Required fields are marked *