
Digital attackers are leveraging a new malspam campaign to target Italian users with samples of the Maze ransomware family.

Security researcher JAMESWT observed the Maze ransomware campaign targeting users in Italy with attack emails that pretend to originate from the Agenzia delle Entrate, or the Italian Revenue Agency. The body of the emails informed recipients that they would need to begin complying with new guidelines issued by the Agency. In support of this ruse, the email arrived with an attachment called “VERDI.doc” that claimed to spell out those new guidelines.

The attack email used in this campaign. (Source: Bleeping Computer)


Si invitano tutte le persone fisiche e giuridiche a visionare e seguire con rigore Le Linee Guida fornite dall’Agenzia delle Entrate (in allegato).
E sufficiente seguire le indicazioni per evitare di essere segnalato dal sistema come un soggetto “a rischio” dopo il primo controllo basato sul c.d. “redditometro”.
Il materiale da consultare (Le Linee Guida) viene consigliato specialmente ai soggetti che utilizzano i servici telematici finanziari (es. Internet Banking).

Nell’ambito dell’attivita di controllo nei confronti delle persone fisiche e giuridiche, nel 2019 e stata data attuazione alla normativa prevista dall’art. 38, commi quarto e seguenti del D.P.R. n.600/73 e dal D.M. 24 dicembre 2018 (il cosiddetto Redditometro).

A questo riguardo e ststo predisposto il nuovo applicativo informatico “VE.R.DI.”, destinato alle attivita di analisi del rischio sulle persone fisiche e di ausilio alla daterminazione sintetica del reddito.

Si tratta di uno strumento innovativo che sara oggetto di implementazioni e miglioramenti volti ad ottimizzarne le funzionalita.

Here is an English translation of the attack email’s body content:


All natural and legal persons are invited to view and strictly follow the Guidelines provided by the Revenue Agency (attached).
It is sufficient to follow the indications to avoid being flagged by the system as a subject “at risk” after the first check based on the so-called “Redditometro”.
The material to be consulted (The Guidelines) is especially recommended for those who use financial telematic services (e.g. Internet Banking).

As part of the control activity for natural and legal persons, in 2019 the legislation provided for by art. 38, fourth and following paragraphs, of the D.P.R. n. 600/73 and by the D.M. 24 December 2018 (the so-called Redditometro) was implemented.

In this regard, the new IT application “VE.R.DI.” is designed for risk analysis activities on individuals and aids in summarizing income.

It is an innovative tool that will be subject to implementations and improvements aimed at optimizing its functionality.

Once opened, “VERDI.doc” informed the recipient that its content was encrypted with the RSA encryption algorithm and that they would need to “Enable Content” to view the new guidelines. Users who complied unknowingly executed an embedded macro that downloaded a sample of Maze ransomware and then executed it.

Maze is a relatively new threat that’s thus far attracted the security community’s attention by turning to various exploit kits for distribution. Back in July, for instance, Cisco Talos observed digital attackers using the Fallout exploit kit to deliver the ransomware. It was just a few months later when Bleeping Computer discovered a campaign in which the Spelevo exploit kit used a Flash Player flaw to distribute Maze.

In its newest attack, Maze encrypted the malspam recipient’s computer and changed the desktop’s background to its ransom note. This message instructed the victim to visit the ransomware’s payment site and purchase a decryption key.

In its analysis, Bleeping Computer found that Maze’s handlers were asking $1,200 as ransom.

There’s no way for Maze ransomware victims to recover their files for free at this time. That’s why they should focus on preventing a ransomware infection in the first place using these recommendations.