Maze: The threat actors behind the Maze ransomware have returned to publicly releasing data stolen from victim companies. This return comes following a brief reprieve for victims after the group had lost their hosting provider. The threat group obtained a new hosting provider last week and has now returned to sharing portions of their victims’ data online. Over 14 GB of data stolen from the company Southwire has been published. The victims listed on the threat group’s “news” website are only a portion of their overall victims. Maze claims to only publish stolen data from their victims when they refuse to “cooperate” and pay the ransom demand. Shortly after Southwire filed a lawsuit against the operators of the Maze ransomware, the operators of Maze announced that they had planned to release 10% of the stolen data every week until the ransom is paid. In light of the lawsuit, the threat actors now say they have “something more interesting” planned but have yet to elaborate on what that means.
While holding data for ransom or threatening to release stolen information are not new ideas, this is the first time that a major ransomware operator has used this tactic to convince victims to pay ransom demands. Previously, the threat group known as “thedarkoverlord” was known for stealing data and then releasing it when ransoms by the data’s owner were not paid. This new trend has the potential for victim companies to be pressured into paying ransomware operators even if data is properly backed up and could be restored. In the past, regular backups and air-gapped storage of backups have been effective means of recovering from ransomware attacks. Now it is more important than ever to not just back up data, but also prevent attackers from gaining access to steal data. Detecting unusual patterns of data access by internal user accounts and alerting on large outbound data transfers can provide warning that an attack may be in progress. Endpoint Detection and Response (EDR) and monitoring of logs can help defenders spot unusual patterns of behavior before attackers do more damage. Having confidential data and employee information published online can be just as detrimental to a company as having data deleted by ransomware operators. More information on this issue can be found at https://securityaffairs.co/wordpress/96334/cyber-crime/maze-ransomware-southwire.html