Threat Watch

Maze Operator Leak More Files Belonging to Banco de Costa Rica

Maze: In late April the operators behind the Maze ransomware publicly claimed that they had compromised servers belonging to Banco de Costa Rica (BCR). At the time, BCR claimed that there was no evidence that their systems had been compromised. Days after that statement, Maze offered up proof of the compromise in the form of published data pertaining to BCR’s network structure. Late last week, Maze published two more files which supposedly contain payment card data. According to the group’s statement they will continue to post another file every week.

ANALYST NOTES

The screenshot of the data that Maze posted on their site shows what appears to be payment card track 2 data next to dates and times in January 2018, which possibly refer to times of old payment transactions. If all of the data is more than two years old and does not include details such as the cardholder’s name and address, it may be of limited value to criminals to use for fraud. While their statement only says that they will continue to post a new file each week, it is possible that this will only continue until BCR responds to their ransom demands. Maze is continuing the charade that their actions are meant to help people by bringing to light the security flaws of the organizations and institutions that they trust with their data. Whether they truly believe that or merely say it in an attempt to justify their actions remains to be seen. As it continues to be pointed out by many in the information security industry, all ransomware attacks should be treated as data breaches. The best defense against these attacks is a combination of the 3-2-1 rule and monitored Endpoint Detection and Response (EDR). Have three copies of data backed up, stored on at least two different media types, and store at least one copy off site. The early detection afforded by EDR solutions allow for containment of an intrusion to minimize the amount of data accessed by attackers. More information on this incident can be found at:
https://www.finextra.com/newsarticle/35891/maze-ransomware-gang-begin-leak-of-banco-bcr-card-data
More information on the initial breaches and BCR’s response can be found at: https://ticotimes.net/2020/05/24/bcr-confirms-financial-information-has-leaked-after-cybercrime-group-claims-to-publish-private-data-updated