Maze Ransomware Operators Publish Victim Data Online

As if having their data encrypted wasn’t bad enough, businesses that fell victim to Maze ransomware now face another threat: their data could become public.

For a while, Maze’s operators have been harvesting data from the victim organizations, to eventually use it as leverage if payment to decrypt files is not received. Now, they threaten to release the data for all those victims who refuse to pay the ransom.

In this regard, the threat actor came up with a website where they list the names and websites of eight companies that allegedly refused to pay the demanded amount to recover their data.

According to security journalist Brian Krebs, at least one of the companies on that list was indeed targeted with Maze ransomware, although the incident did not make headlines.

On said website, the Maze operators publish data such as initial date of infection, some stolen documents (Office, text and PDF files), the total volume of data supposedly harvested from the organization, and the IP addresses and machine names of the infected servers.

The move is not surprising, especially since the individuals behind Maze have been engaged in exfiltrating victim data for a while now, and have also been threatening to out that information publicly if the victim does not pay the requested ransom.

In one incident where the Maze ransomware was deployed, the attackers first leveraged Cobalt Strike after gaining access to the network, to gather data on the victim environment and move laterally. A technique commonly associated with Russian threat actor Cozy Bear was also employed.

Next, the hackers started exfiltrating data using PowerShell to connect to a remote FTP server. Only after this step was completed they deployed Maze ransomware to encrypt the victim’s files.

In another incident, which Cisco Talos attributes to the same actor, Cobalt Strike was used again after the initial compromise, and PowerShell was employed to dump large amounts of data via FTP. The attackers then demanded payment before making the information public.

The two incidents are connected mainly through the employed command and control (C&C) infrastructure — the data was dumped to the same server as in the previously mentioned incident — the use of 7-Zip to compress the harvested data, interactive logins via Windows Remote Desktop Protocol, and remote PowerShell execution.

“The use of targeted ransomware attacks isn’t new and, unfortunately, it’s not going anywhere anytime soon. This is an extremely lucrative attack avenue for adversaries and as such, its popularity is likely only going to increase. What makes these particular attacks interesting is the additional monetization avenue of exfiltrating data in the process,” Talos points out.

With this data in hand, the threat actor can demand more money from the victim, or could monetize it by selling it on dark web markets to other cybercriminals. Not to mention that organizations may pay up to avoid the damage caused by the release of their data.

“This trend of achieving maximum monetary gain for their nefarious activities is increasingly common in the crimeware space […]. Expect adversaries to be increasingly aware of the systems and networks they are compromising as all systems and networks are not created equally and some have much higher profit margins, when compromised,” Talos concludes.

Related: The Growing Threat of Targeted Ransomware

Related: Cobalt Strike Bug Exposes Attacker Servers