Euro Security Watch with Mathew J. Schwartz

Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime

Maze Ransomware Gang Dumps Purported Victim List

Cybercrime Gang's 'Naming and Shaming' Tries to Pressure Victims Into Paying
Maze Ransomware Gang Dumps Purported Victim List

Criminals often pursue any angle that gives them greater leverage against potential victims.

See Also: Live Webinar | Navigating Identity Threats: Detection & Response Strategies for Modern Security Challenges

The gang behind Maze ransomware, for example, is trying to up the psychological ante against victims that have refused to pay its ransom demand in exchange for the promise of a decryptor. By publicly identifying these organizations, and releasing a list of crypto-locked systems and a sample of filenames, Maze is attempting to convert prospective "clients" into paying customers (see: Ransomware Gangs Practice Customer Relationship Management).

The gang has posted teasers of stolen information to its "Maze Team" website over the past two days. "Represented here companies don't wish to cooperate with us, and trying to hide our successful attack on their resources. Wait for their databases and private papers here. Follow the news!" the site reads.

The intent is clear: By naming and shaming victims, the Maze gang is trying to psychologically compel them to pay.

I'm not going to link to the site, since it furthers the gang's aims. But so far, the gang has listed eight organizations, all of which it says fell victim to attacks that are "lock dated" from Oct. 21 to Dec. 9.

Banner atop the Maze gang's site listing purported victims that have refused to meet its ransom demands

The Maze gang also claims to have exfiltrated data from the organizations, ranging from auditing spreadsheets and mutual confidentiality agreements to documents detailing privileged accountholders and patent applications. Total amounts of data stolen range from 1.5 GB to 120 GB. The victim organizations are located in Canada, France, Italy, the U.K. and the U.S.

Maze Has Form for Exfiltration

The Maze gang's claim that it exfiltrated data from organizations that it crypto-locked couldn't be verified. Such activity is extremely rare.

Except that last month, the Maze gang did publish almost 700 MB of data that it stole from Allied Universal, a California-based security services firm, as Bleeping Computer reported (see: Ransomware Attackers Leak Stolen Data).

The "Maze Crew" told the security publication and ransomware victim support site that the leak only represents a fraction of the 5 GB of data they stole, and that they would dump the rest - sending it to WikiLeaks - unless Allied Universal coughed up a ransom of 300 bitcoins, now worth about $2.1 million. The state of any negotiations remains unclear.

What's notable here is that the Maze gang didn't cherry-pick intellectual property or potentially embarrassing information from the stolen Allied information. Instead, it looks like they're just seeking a further way to potentially embarrass a victim into paying them.

"Maze themselves pointed out that the data is unimportant to them," Bleeping Computer Editor Lawrence Abrams told me last month. "They don't want to monetize it on its own, but to use it purely as leverage to get the company to pay the ransom."

Not Listed: Pensacola

One apparent Maze victim that isn't on the gang's list of victims that have not paid is the city of Pensacola, Florida, which was hit on Dec. 7 by a ransomware attack that reportedly involved Maze (see: City of Pensacola Recovering From Ransomware Attack).

Does that mean the city has paid a ransom? So far, that's not clear. But as ProPublica has reported, the Florida League of Cities provides insurance coverage to more than 550 public entities in the state, including 250 municipalities. For cyber policies, the league's reinsurer is Beazley, which shares the risk. But it's not clear if Pensacola holds such a policy (see: Do Ransomware Attackers Single Out Cyber Insurance Holders?).

Under Pressure

Regardless, the Maze gang's attempt to embarrass victims into paying is a well-worn tactic, often seen in sextortion attacks involving criminals threatening to release explicit images or videos of victims (see: Sextortion Scheme: Former U.S. Official Pleads Guilty).

Many types of crime attempt to use one of six "influencing levers," which are techniques for influencing the subconscious defined by psychologist Robert Cialdini, an expert on the "principles of persuasion." The levers are reciprocity, commitment and consistency, social proof - copying the actions of others - as well as authority, liking and scarcity.

As McAfee researchers Raj Samani and Charles McFarland write in a "Hacking the Human Operating System" research report: "These influencing levers are used for many purposes - including sales, cons (trying to extract money from people) and social engineering."

In the case of Maze, the group is obviously attempting to socially engineer victims who haven't paid into paying. In that respect, while the tools they wield may differ from other cybercrime groups, the intention is the same: To earn the easiest and quickest criminal payday possible, now with added psychological pressure (see: Roses Are Red, Romance Scammers Make You Blue).

Data Breach Implications

What remains to be seen, however, is whether other ransomware gangs will emulate Maze's tactics. But the writing is on the wall. As Bleeping Computer reported last week, the operators of the Sodinokibi - aka REvil - ransomware-as-a-service gang have threatened to exfiltrate and then either dump or sell stolen data if victims opt to not meet its affiliates' ransom demands (see: Sodinokibi Ransomware Gang Appears to Be Making a Killing).

Forum post by REvil operator (Source: Bleeping Computer)

Again, while gangs have threatened to do this for years, it only really came to pass with last month's release of Allied Universal data. And if it becomes common, it means that ransomware attacks will be about much more than simply attempting to restore data, or weighing the ethical quandaries of paying your extortionist.

"Ransomware attacks are now data breaches," Abrams tells security blogger Brian Krebs. "During ransomware attacks, some threat actors have told companies that they are familiar with internal company secrets after reading the company's files. Even though this should be considered a data breach, many ransomware victims simply swept it under the rug in the hopes that nobody would ever find out. Now that ransomware operators are releasing victims' data, this will need to change and companies will have to treat these attacks like data breaches."

Security experts expect to see a greater number of blended extortion efforts going forward. "We expect 'double whammy' attacks in which data is both encrypted and stolen to continue to be a trend, at least in the short term," says Brett Callow of security firm Emsisoft (see: Ryuk Eyed as Culprit in New Orleans Ransomware Outbreak).

Businesses, of course, must start taking ransomware prevention more seriously. "This illustrates the need for companies - and governments - to focus on prevention and detection," Callow tells me. "It also illustrates the need for better reporting and disclosure requirements, not least because leaked data can put a company's customers at risk, and their business partners."



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.