Maze: The operators behind the Maze ransomware appear to have already gone back on their word after promising not to target medical facilities during the global COVID-19 pandemic. Last week, the criminal groups that use Maze and DoppelPaymer stated that in the interest of public health, they would temporarily leave medical facilities alone. This did not stop Maze from attacking Hammersmith Medicines Research, a medical facility designated to test vaccines for COVID-19, just prior to making their “promise.” Even after claiming that they would leave medical facilities alone, the Maze operators continued to post data files stolen from Hammersmith on their website. After being called out for leaving Hammersmith’s files on their site, the group has “temporarily removed” public access to the data but not the company’s listing on their list of current victims. The Maze operators also posted a public message yesterday attempting to excuse their actions by claiming that they are providing a “public service” by exposing companies with weak cybersecurity controls. They went on to call those watching them “unprofessional” for calling out their breach of Hammersmith–which they felt should not be included in their promise since it happened several days prior to their agreement to leave medical facilities alone.
Analyst Notes
The fact that Maze did not fully remove the listing for Hammersmith and only listed the sample files as “temporarily removed” indicates that the group will probably ransom the data again once the COVID-19 pandemic has passed. Hammersmith was not locked out of their systems by the attack because the company identified and stopped the attack in the early stages and were able to restore their systems from backups. Having effective endpoint monitoring in place to quickly detect attacks is an important part of a strong security program to keep attacks from causing extensive damage. Maintaining offline backups that are out of attackers’ reach is another critical security control that allows operations to quickly resume after an attack is stopped. More information on this incident can be found at: https://www.forbes.com/sites/daveywinder/2020/03/23/covid-19-vaccine-test-center-hit-by-cyber-attack-stolen-data-posted-online/
