Maze Ransomware Operators Publish Victim Data Online

As if having their data encrypted wasn’t bad enough, businesses that fell victim to Maze ransomware now face another threat: their data could become public.

For a while, Maze’s operators have been harvesting data from victim organizations to use as leverage if payment to decrypt files is not received. Now, they threaten to release the data of all victims who refuse to pay the ransom.

To that end, the threat actor has set up a website listing the names and websites of eight companies that allegedly refused to pay the demanded amount to recover their data.

According to security journalist Brian Krebs, at least one of the companies on that list was indeed targeted with Maze ransomware, although the incident did not make headlines.

On said website, the Maze operators publish data such as initial date of infection, some stolen documents (Office, text and PDF files), the total volume of data supposedly harvested from the organization, and the IP addresses and machine names of the infected servers.

The move is not surprising, especially since the individuals behind Maze have been engaged in exfiltrating victim data for a while now, and have also been threatening to out that information publicly if the victim does not pay the requested ransom.

In one incident where the Maze ransomware was deployed, the attackers first leveraged Cobalt Strike after gaining access to the network, to gather data on the victim environment and move laterally. A technique commonly associated with Russian threat actor Cozy Bear was also employed.

Next, the hackers started exfiltrating data using PowerShell to connect to a remote FTP server. Only after this step was completed did they deploy Maze ransomware to encrypt the victim’s files.

In another incident, which Cisco Talos attributes to the same actor, Cobalt Strike was used again after the initial compromise, and PowerShell was employed to dump large amounts of data via FTP. The attackers then demanded payment before making the information public.

The two incidents are connected mainly through the command and control (C&C) infrastructure employed (the data was dumped to the same server as in the previously mentioned incident), as well as the use of 7-Zip to compress the harvested data, interactive logins via Windows Remote Desktop Protocol, and remote PowerShell execution.
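The staging-then-upload pattern shared by both incidents (7-Zip compression followed by PowerShell talking FTP) can be hunted for in endpoint telemetry. The following is an added example, not code from the article or from Talos; the event fields, host names, addresses and the six-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article), loosely modelled on
# Sysmon process-creation (ID 1) and network-connection (ID 3) records.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SZ = r"C:\Program Files\7-Zip\7z.exe"
EVENTS = [
    {"id": 1, "time": "2019-12-01T02:10:00", "host": "FS01", "image": SZ,
     "cmd": r"7z.exe a -r C:\Temp\out.7z D:\Shares\Finance"},
    {"id": 3, "time": "2019-12-01T02:40:00", "host": "FS01", "image": PS,
     "dst_ip": "203.0.113.10", "dst_port": 21},
    {"id": 1, "time": "2019-12-01T09:00:00", "host": "WS07", "image": SZ,
     "cmd": r"7z.exe x C:\Users\amy\report.7z"},          # extraction only
    {"id": 3, "time": "2019-12-01T09:05:00", "host": "WS07", "image": PS,
     "dst_ip": "198.51.100.7", "dst_port": 443},           # not FTP
    {"id": 3, "time": "2019-12-02T11:00:00", "host": "FS01", "image": PS,
     "dst_ip": "203.0.113.10", "dst_port": 21},            # outside window
]

SEVEN_ZIP = ("7z.exe", "7za.exe", "7zg.exe")
WINDOW = timedelta(hours=6)  # assumed correlation window; tune per environment

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_archive_creation(ev):
    # 7-Zip's "a" sub-command adds files to an archive.
    return (ev["id"] == 1 and basename(ev["image"]) in SEVEN_ZIP
            and " a " in f" {ev['cmd'].lower()} ")

def is_powershell_ftp(ev):
    # Outbound connection from a PowerShell host process to the FTP control port.
    return (ev["id"] == 3 and ev["dst_port"] == 21
            and basename(ev["image"]) in ("powershell.exe", "pwsh.exe"))

def find_staging_then_ftp(events, window=WINDOW):
    """Pair each PowerShell FTP connection with earlier 7-Zip archiving on that host."""
    last_archive, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if is_archive_creation(ev):
            last_archive[ev["host"]] = t
        elif is_powershell_ftp(ev):
            staged = last_archive.get(ev["host"])
            if staged is not None and t - staged <= window:
                hits.append((ev["host"], staged.isoformat(), ev["time"], ev["dst_ip"]))
    return hits

print(find_staging_then_ftp(EVENTS))
```

Each hit is a lead for triage rather than a verdict: legitimate backup or deployment scripts can produce the same sequence, so known jobs should be allow-listed by host and destination.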

“The use of targeted ransomware attacks isn’t new and, unfortunately, it’s not going anywhere anytime soon. This is an extremely lucrative attack avenue for adversaries and as such, its popularity is likely only going to increase. What makes these particular attacks interesting is the additional monetization avenue of exfiltrating data in the process,” Talos points out.

With this data in hand, the threat actor can demand more money from the victim, or could monetize it by selling it on dark web markets to other cybercriminals. Not to mention that organizations may pay up to avoid the damage caused by the release of their data.

“This trend of achieving maximum monetary gain for their nefarious activities is increasingly common in the crimeware space […]. Expect adversaries to be increasingly aware of the systems and networks they are compromising as all systems and networks are not created equally and some have much higher profit margins, when compromised,” Talos concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
