SentinelOne vs Maze Ransomware (allowing to run and rollback) | Cognizant

On April 17th, it was reported that a large enterprise-class, managed service provider (Cognizant) fell victim to a Maze ransomware attack. This particular campaign includes a signed DLL payload (kepstl32.dll). Upon infection, the trojan will drop a customized desktop image into %temp%, and then traverse the disk, encrypting supported file-types. A copy of the ransom instructions “DECRYPT-FILES.txt” is dropped into each folder containing encrypted files. As with previous variants of Maze, the trojan will attempt to inhibit recovery by deleting shadow copies via WMIC.exe (wmic.exe shadowcopy delete). To read more: https://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/