Maze Ransomware Attacks in Latest Email Program Italy


The Maze Ransomware runs a new spam campaign, aiming Italian users as the tax and income agency in the country.

The Maze Ransomware is not a new infection, but has gained momentum with new campaigns, partnered with the exploit kits, and put playful comments on its executables.

According to security researcher JAMESWT, in Italy users were targeted for spam mails reported by the Italian Revenue Agency or the Entrate Agency which collects government taxes and profits.

These emails contain the subject ‘ AGGIORNAMENTO: Attivita di contrasto all’evasione ‘ and include a wording document called ‘ VERDI.doc, ‘ which probably contains new instructions for businesses and people.


Spam Email

The Italian text for the following e-mails is:


Si invitano tutte le persone fisiche e giuridiche a visionare e seguire con rigore Le Linee Guida fornite dall'Agenzia delle Entrate (in allegato).
E sufficiente seguire le indicazioni per evitare di essere segnalato dal sistema come un soggetto "a rischio" dopo il primo controllo basato sul c.d. "redditometro".
Il materiale da consultare (Le Linee Guida) viene consigliato specialmente ai soggetti che utilizzano i servici telematici finanziari (es. Internet Banking).

Nell'ambito dell'attivita di controllo nei confronti delle persone fisiche e giuridiche, nel 2019 e stata data attuazione alla normativa prevista dall'art. 38, commi quarto e seguenti del D.P.R. n.600/73 e dal D.M. 24 dicembre 2018 (il cosiddetto Redditometro).

A questo riguardo e ststo predisposto il nuovo applicativo informatico "VE.R.DI.", destinato alle attivita di analisi del rischio sulle persone fisiche e di ausilio alla daterminazione sintetica del reddito.

Si tratta di uno strumento innovativo che sara oggetto di implementazioni e miglioramenti volti ad ottimizzarne le funzionalita.

This translates to English as:


All natural and legal persons are invited to view and strictly follow the Guidelines provided by the Revenue Agency (attached).
It is sufficient to follow the indications to avoid being signaled by the system as a subject "at risk" after the first check based on the c.d. "Redditometro".
The material to be consulted (The Guidelines) is especially recommended for those who use financial telematic services (eg Internet Banking).

As part of the control activity for natural and legal persons, in 2019 the legislation provided for by art. 38, fourth and following paragraphs of the D.P.R. n.600 / 73 and by the D.M. 24 December 2018 (the so-called Redditometro).

In this regard, the new IT application "VE.R.DI." is designed for risk analysis activities on individuals and aids in summarizing income.

It is an innovative tool that will be subject to implementations and improvements aimed at optimizing its functionality.

If a user opens the attached VERDI.doc, the file will be encrypted with RSA encryption and the user must “Enable data” to access it correctly.


Malicious Word Document

If the user allows for the content then an embedded macro will be executed to download and execute the ransomware to the file C:\Windows\Temp\wupd12.14.tmp.


Malicious Macros

When you open your computer, Maze encrypts the wallpaper and switches it to a picture containing information on your files and how to find the ransom note.


Desktop Wallpaper

A ransom note is called DECRYPT-FILES.txt and provides instructions on link to the Maze web page, to pay the decryption key in different amounts depending on the type of device encrypted.


Maze Ransom Note

The ransom amount for our test is $1,200 USD. Unfortunately, no way to decrypt files that have been encrypted by the Maze Ransomware at this point. You are suggested to try to restore encrypted files through backups.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.