[BreachExchange] Maze ransomware group hacks oil giant; leaks data online

Destry Winant destry at riskbasedsecurity.com
Wed Apr 8 10:31:36 EDT 2020


On April 1st, 2020, Berkine became a victim of cyber-attack by the
notorious Maze ransomware group that is known for its unique
blackmailing practices.

The attackers managed to steal the entire database containing over
500MB of confidential documents related to budgets, organizational
strategies, production quantities, and similar sensitive data.

The Maze ransomware group leaked the database containing information
about the Sonatrach oil firm.

Berkine is a joint venture of Algeria’s state-owned oil firm Sonatrach
and Anadarko Algeria Company, a subsidiary of a US-based firm
previously known as Anadarko Petroleum Corp. and currently Oxy.

Under the Breach, a service that exclusively monitors data breaches
and works toward their prevention, stated that the documents posted
online relate to the financial details and investment plans of the
company.

The leaked data includes the Berkine group’s cost price per barrel,
organizational goals for the year 2020, and budgets allocated for
various missions of the two owners of Berkine. The database also
contains a list of Berkine employees including their contact details
and travel documents of some of them.

The screenshot shows leaked data on Maze ransomware group’s website
(Via Under The Breach)

The Maze ransomware group has quickly become one of the biggest threats
to organizations around the world. The French National Agency for
Security of Information Systems (ANSSI) examined this group after it
attacked a subsidiary of Bouygues in January 2020.

As per the ANSSI, the group has been active since May 2019 and “is
mainly known to be associated with Internet disclosures of information
presented as originating from compromised information systems”.

The Maze ransomware, ANSSI assessed, is a variant of the ChaCha20
cryptographic algorithm, which is among the most feared pieces of data
encryption software.

The agency also identified that the group employs extreme tactics to
pressure victims who refuse to pay the ransom or delay payment. They
not only encrypt the data but also exfiltrate it before encrypting it,
and later use the stolen copy to blackmail the victim into paying the
ransom they demand.

Moreover, if the victim doesn’t give in to their demands, the group
keeps releasing portions of the data and even posts it on hacker
forums for phishing purposes.
