[BreachExchange] 'Work pressure' sees Maze ransomware gang demand payoff from wrong company

Destry Winant destry at riskbasedsecurity.com
Wed Jun 24 10:35:51 EDT 2020


The Maze ransomware gang has screwed up by targeting a New York design
and construction firm instead of the Canadian Standards Association it
was intending to hit.

While Google returns plenty of hits for the search term "csa group",
almost all of which refer to Canada's answer to the British Standards
Institute, there is one exception: an architectural practice located
in New York.

It happens to share a name and – almost – a web domain name with its
northerly namesakes, being online at csagroup-dot-com. The Canadian
standards folk, however, have the domain csagroup-dot-org. And just
like that, the New Yorkers got caught in the ransomware crossfire when
the Maze gang began hunting for their next target.

Maze's modus operandi is to infect the target company's network with
ransomware, exfiltrate and encrypt everything within sight, then
demand a hefty ransom in return for a promise to unencrypt and delete
the data, along with a promise not to reveal the stolen data to
others. If companies don't pay up, the gang begins drip-feeding data
online to increase the pressure on them.

Brett Callow, a threat researcher with infosec biz Emsisoft, spotted
the Maze gang's howler after inspecting data they dumped online to try
to menace CSA Group Canada into paying up. He told The Register: "This
is not the first time ransomware cockwombles have cocked up. In a
previous incident, DoppelPaymer incorrectly identified a bank after
hitting another bank with a very similar name. But at least they had
the decency to post an apology to the wrongly named financial

Callow told us that when he checked a data sample dumped online by
Maze he found documents referring to the design and construction of
buildings in the US island enclave of Puerto Rico. Some files appeared
to have been sent from csagroup-dot-com email addresses – pointing to
the architects being the actual victims of the ransomware rather than
the Canadian standards-setting agency.

Emsisoft's man opined that "work pressures" had driven Maze's
operatives into making the blunder as the COVID-19 pandemic burns
companies' ready cash and deprives them of the ability to pay ransoms,
saying: "In fact, the group hinted at this in one of their so-called
press releases stating, 'We are living in the same economic reality as
you are. That's why we prefer to work under the arrangements and we
are ready for compromise.'"

Echoing El Reg's sentiments, Callow added: "My heart bleeds."

So far Maze's leaks website continues to name the wrong firm next to
the data dump.

The Register has continued to try to contact CSA Group (the New York
architects), which is proving difficult as the firm has pulled its
website offline and appears to be an infrequent user of its social
media profiles. We have also contacted the Canadian standards agency
for comment. ®