[BreachExchange] Maze Ransomware Gang Continues Data-Leaking Spree

Destry Winant destry at riskbasedsecurity.com
Mon Jun 22 10:19:45 EDT 2020


The Maze ransomware gang is continuing to exfiltrate data from victims
before crypto-locking their systems, then leaking the data to try to
force non-payers to accede to its ransom demands.

Don't want to play ransomware gangs' latest games? Then ensure your
firm has a solid ransomware response plan in place, including the
ability to wipe and restore systems in the event that crypto-locking
malware gets through. Otherwise, your organization risks not only
showing up on one or more gangs' data-leaking sites, but also
potentially having to consider paying a ransom to get encrypted data
back (see: Crypto-Lock and Tell: Ransomware Gangs Double Down on

The latest victim proclaimed by Maze: Toronto-based CSA Group Testing
& Certification (csagroup.org), which tests, inspects and certifies
products worldwide to ensure they comply with relevant safety,
environmental and operating performance standards. Formerly known as
Canadian Standards Association, CSA's work includes testing and
certifying personal protective equipment.

The good news is that Maze apparently didn't hit that organization,
which is doing essential tests on PPE during the COVID-19 pandemic.

The gang appears to have confused that organization with another CSA
Group (csagroup.com), which is an engineering program management firm
based in New York that unfortunately appears to have had corporate
data stolen before its systems were encrypted. CSA Group didn't
immediately respond to my request for comment.

Fresh Victims

Maze continues to maintain a "news" site, where it's listing dozens of
victims as it attempts to name-and-shame them into paying. If that
doesn't work, then it tries to increase the pressure to pay by leaking
stolen data.

In recent days, Maze's site has listed many new victims, including
semiconductor manufacturer MaxLinear, which this week confirmed that
it got hit by Maze in April and that some "proprietary information"
got stolen. On Monday, Maze began leaking data it stole from

The same goes for CSA: So far Maze has released three zipped archives
containing alleged CSA data, including contract and purchase orders
for the engineering firm.

Other organizations recently named as victims on Maze's site include:

- Ansen Corporation in Ogdensburg, New York;
- Bauhaus Furniture Group - owned by La-Z-Boy - in Saltillo, Mississippi;
- Comwave in Toronto;
- Cincinnati Red Dog Pet Resort & Spa;
- J.W. Smith Customs Brokers in Ontario, Canada;
- Louisville, Kentucky-based What Chefs Want and its Columbus
subsidiary Midwest Fresh.

"Represented here companies do not wish to cooperate with us, and
trying to hide our successful attack on their resources," Maze's site
states. "Wait for their databases and private papers here."

Under Pressure

Maze blazed the data-leaking trail last November, quickly followed by
other groups wielding ransomware such as DoppelPaymer, MegaCortex,
Nemty, Snatch and Sodinokibi, aka REvil.

In recent weeks, Maze has also joined forces with other gangs to host
their leaks on its site. The RagnarLocker gang, meanwhile, has begun
cross-posting Maze's leaks (see: 7 Ransomware Trends: Gangs Join
Forces, Auction Stolen Data).

But not everyone gives in to these groups' ransom demands, even when
backed by the threat of data leaking.

The Maze gang's leaks site, for example, also hosts "full dumps" for
at least 10 organizations that didn't pay, leading to the gang
publishing all of the information it stole in an attempt to scare
future victims into paying.

After Infection: What Happens Next?

By having good security defenses in place, and up-to-date backups
stored offline - so they cannot be crypto-locked by ransomware -
victims can wipe and restore systems. This still takes time and
energy, and doesn't address the root cause of how attackers infected
systems in the first place, which organizations must also ascertain.
But this strategy avoids victims having to even consider whether or
not they might pay criminals.

The U.S. Cybersecurity and Infrastructure Security Agency offers a
detailed list of additional best practices for defending against
ransomware. For organizations or individuals that fall victim, it
recommends reporting the incident immediately to CISA, or a local FBI
or U.S. Secret Service field office, to potentially receive help for
dealing with that particular strain.

Don't Overlook Employee Training

Seeing gangs such as Maze continuing to notch new victims is a
reminder to all organizations to get a ransomware-response plan in
place - including training employees - immediately if they don't
already have one.

Security firm Kaspersky surveyed 2,000 business employees in the U.S.
and another 1,000 in Canada last November and found that 45% said they
didn't know what to do if they got hit by ransomware.

While leading the response would arguably be the job of management -
backed by the security team and in-house counsel, for starters -
training employees in how to recognize and respond to ransomware
remains essential, experts say. (Kaspersky's tip: Disconnect any
system that appears to have been infected with ransomware from the
internet and local networks as quickly as possible, but do not turn it

Prepare or Pay

Unfortunately, too many organizations don't seem to be well-prepared.

"Many organizations discover that something that they would have
thought about years ago, like backup, is something that didn't get
really thought about in a long time," says Alan Brill, senior managing
director in Kroll's cyber risk practice. "They maybe said: Well, we
have backup, it's on the cloud and so we don't have to worry about

That might be true, at least until ransomware attackers forcibly
encrypt the backups too.

In such cases, paying criminals for the promise of a decryption tool
is no panacea because it directly funds cybercrime (see: Ransomware
Reminder: Paying Ransoms Doesn't Pay). Regardless, Brill recommends
working with experts who have handled these sorts of incidents before
and who know the ins and outs of different strains of ransomware and
attack groups. Any organization that holds a cyber insurance policy
that includes ransomware coverage, for example, will already have
access to these types of resources.

"If you do pay, you have to recognize that this is not like paying a
corporate bill," Brill tells me. "You're dealing with criminals, and
you might get a fully functional key, you might get a nonfunctional
key. You might get a key that only opens certain files, and they come
back for a second payment to get the rest of the files. It might
decrypt everything but what you don't realize is they already have a
copy of it, so you have an actual data breach. Or you might never hear
from them again: They just took the money and ran."

Really, who wants to play that game? That's why it's always better to prepare.
