TA2101: The group behind the Maze ransomware, which is now being identified by TA2101, has published 700 MB of data that was allegedly stolen from Allied Universal, a security staffing firm. The published data is only 10% of the data that was stolen according to sources. After missing the deadline for an extortion payment, the group behind the Maze ransomware held to their word and released the data. The threat actors reached out directly out to Bleeping Computer, informing them of the infection and details on what happened. TA2101 stated they asked the company to pay a ransom to decrypt their files and not have any data leaked. Maze actors also stated in their message that they would alert the news to the breach if the ransom was not paid. After releasing 10% of the stolen data, the group told Allied Universal that they will release the other 90% of data if the company does not pay an increased ransom. Allied Universal was aware of the situation and was working on their investigation to determine which avenue would be best to pursue. The ransom was not paid, which could partially be to confusion about the time zone used for the deadline – the threat group stated they are located somewhere in Asia. Allied Universal has not commented since the data was released.
Analyst Notes
In some instances, ransomware groups will threaten the release of documents if the ransom is not paid, but then never follow up with that threat. In this case, the actors behind the Maze ransomware, which has been gaining popularity since May 2019, decided to release the data–most likely using it as a proof of concept for the next company that they infect, proving they have access to the data and are not afraid to release it. TA2101 did state that they are not interested in the company’s data, only their money, but in this case, they did not receive the ransom payment and the threat actors decided to release the data. By leaking the data that was stolen, they have sent a message to their next victim that they must pay. Having backups of files is typically suggested for ransomware so that files that get decrypted can be recovered through backups and the ransom does not have to be paid. In this case, even having backups would not have helped the company because the data was stolen before encryption. Using a defense in depth strategy that includes not only firewalls and antivirus products, but also an endpoint detection and response capability with skilled analysts to monitor for attacker behavior, would help find and stop these types of attacks before they can spread across a network, limiting the amount of data a threat actor would be able to steal.
For the full story from Bleeping Computer: https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/
