Euro Security Watch with Mathew J. Schwartz

Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management

Maze Ransomware Gang Continues Data-Leaking Spree

Latest Named Victims Include Engineering Firm, Furniture Manufacturer, Pet Spa
Maze Ransomware Gang Continues Data-Leaking Spree
Maze's data-leaking site

The Maze ransomware gang is continuing to exfiltrate data from victims before crypto-locking their systems, then leaking the data to try to force non-payers to accede to its ransom demands.

See Also: Gartner Magic Quadrant for APM

Don't want to play ransomware gangs' latest games? Then ensure your firm has a solid ransomware response plan in place, including the ability to wipe and restore systems in the event that crypto-locking malware gets through. Otherwise, your organization risks not only showing up on one or more gangs' data-leaking sites, but also potentially having to consider paying a ransom to get encrypted data back (see: Crypto-Lock and Tell: Ransomware Gangs Double Down on Leaks).

"If you do pay, you have to recognize that this is not like paying a corporate bill." 

The latest victim proclaimed by Maze: Toronto-based CSA Group Testing & Certification (csagroup.org), which tests, inspects and certifies products worldwide to ensure they comply with relevant safety, environmental and operating performance standards. Formerly known as Canadian Standards Association, CSA's work includes testing and certifying personal protective equipment.

The good news, however, is that Maze, in fact, apparently didn't hit that organization, which is doing essential tests on PPE during the COVID-19 pandemic.

The gang appears to have confused that organization with another CSA Group (csagroup.com), which is an engineering program management firm based in New York that unfortunately appears to have had corporate data stolen before its systems were encrypted. CSA Group didn't immediately respond to my request for comment.

Fresh Victims

Maze continues to maintain a "news" site, where it's listing dozens of victims as it attempts to name-and-shame them into paying. If that doesn't work, then it tries to increase the pressure to pay by leaking stolen data.

In recent days, Maze's site has listed many new victims, including semiconductor manufacturer MaxLinear, which this week confirmed that it got hit by Maze in April and that some "proprietary information" got stolen. On Monday, Maze began leaking data it stole from MaxLinear.

The same goes for CSA: So far Maze has released three zipped archives containing alleged CSA data, including contract and purchase orders for the engineering firm.

Other organizations recently named as being victims on Maze's site also include:

  • Ansen Corporation in Ogdensburg, New York;
  • Bauhaus Furniture Group - owned by La-Z-Boy - in Saltillo, Mississippi;
  • Comwave In Toronto;
  • Cincinnati Red Dog Pet Resort & Spa;
  • J.W. Smith Customs Brokers in Ontario, Canada;
  • Louisville, Kentucky-based What Chefs Want and its Columbus subsidiary Midwest Fresh.

"Represented here companies do not wish to cooperate with us, and trying to hide our successful attack on their resources," Maze's site states. "Wait for their databases and private papers here."

Under Pressure

Maze blazed the data-leaking trail last November, quickly followed by other groups wielding ransomware such as DoppelPaymer, MegaCortex, Nemty, Snatch and Sodinokibi, aka REvil.

In recent weeks, Maze has also joined forces with other gangs to host their leaks on its site. The RagnarLocker gang, meanwhile, has begun cross-posting Maze's leaks (see: 7 Ransomware Trends: Gangs Join Forces, Auction Stolen Data).

But not everyone gives in to these groups' ransom demands, even when backed by the threat of data leaking.

The Maze gang's leaks site, for example, also hosts "full dumps" for at least 10 organizations that didn't pay, leading to the gang publishing all of the information it stole in an attempt to scare future victims into paying.

After Infection: What Happens Next?

Security experts say the best defense against ransomware remains preparation (see: Surviving a Breach: 8 Incident Response Essentials).

By having good security defenses in place, and up-to-date backups stored offline - so they cannot be crypto-locked by ransomware - victims can wipe and restore systems. This still takes time and energy, and doesn't address the root cause of how attackers infected systems in the first place, which organizations must also ascertain. But this strategy avoids victims having to even consider whether or not they might pay criminals.

The U.S. Cybersecurity and Infrastructure Security Agency offers a detailed list of additional best practices for defending against ransomware. For organizations or individuals that fall victim, it recommends reporting the incident immediately to CISA, or a local FBI or U.S. Secret Service field office, to potentially receive help for dealing with that particular strain.

Don't Overlook Employee Training

Seeing gangs such as Maze continuing to notch new victims is a reminder to all organizations to get a ransomware-response plan in place - including training employees - immediately if they don't already have one.

Security firm Kaspersky surveyed 2,000 business employees in the U.S. and another 1,000 in Canada last November and found that 45% said they didn't know what to do if they got hit by ransomware.

While leading the response would arguably be the job of management - backed by the security team and in-house counsel, for starters - training employees in how to recognize and respond to ransomware remains essential, experts say. (Kaspersky's tip: Disconnect any systems that appears to have been infected with ransomware from the internet and local networks as quickly as possible, but do not turn it off.)

Prepare or Pay

Unfortunately, too many organizations don't seem to be well-prepared.

"Many organizations discover that something that they would have thought about years ago, like backup, is something that didn't get really thought about in a long time," says Alan Brill, senior managing director in Kroll's cyber risk practice. "They maybe said: Well, we have backup, it's on the cloud and so we don't have to worry about it."

That might be true, at least until ransomware attackers forcibly encrypt the backups too.

In such cases, paying criminals for the promise of a decryption tool is no panacea because it directly funds cybercrime (see: Ransomware Reminder: Paying Ransoms Doesn't Pay). Regardless, Brill recommends working with experts who have handled these sorts of incidents before and who know the ins and outs of different strains of ransomware and attack groups. Any organization that holds a cyber insurance policy that includes ransomware coverage, for example, will already have access to these types of resources.

"If you do pay, you have to recognize that this is not like paying a corporate bill," Brill tells me. "You're dealing with criminals, and you might get a fully functional key, you might get a nonfunctional key. You might get a key that only opens certain files, and they come back for a second payment to get the rest of the files. It might decrypt everything but what you don't realize is they already have a copy of it, so you have an actual data breach. Or you might never hear from them again: They just took the money and ran."

Really, who wants to play that game? That's why it's always better to prepare.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.