Threat to Publish Stolen Data by Maze Ransomware Group Increasing

The threat actors behind the Maze ransomware attacks are threatening to publish the data they stole during the attacks if their victims do not pay the ransom.

In December, Southwire of Carrollton, GA did not pay the 200 BTC ($1,664,320) ransom demand, which prompted the threat actors to post some of Southwire’s stolen data. The wire and cable company took legal action against the Maze Group and against the ISP hosting the Maze group’s website. Southwire won the case and the website was taken down; however, it came back online with a different ISP a few days later. The website lists the names of the organizations attacked by the group that failed to pay the ransom demand, along with some of the data stolen from each of them.

Medical Diagnostic Laboratories (MDLab), based in New Jersey, was attacked by the Maze Group on December 2, 2019. MDLab got in touch with the attackers but did not end up paying the ransom. According to the Maze website, 231 workstations were encrypted in the attack. Non-payment of the ransom prompted the Maze Group to publish 9.5GB of MDLab’s private research data, including immunology research data. In addition, the Maze Group placed an ad on a hacker forum offering MDLab’s stolen data for sale in an attempt to restart negotiations with the company. According to Bleeping Computer, the ransom demand is 200 BTC in exchange for the 100GB of stolen data: 100 BTC ($832,880) for the decryption keys and another 100 BTC for deletion of the stolen data.

In the past, attackers had threatened to publish data stolen during ransomware attacks, but none was actually published until December 2019, when the Maze Group began posting stolen data. At the time of writing, the attackers’ web page shows stolen information from 29 companies that did not pay the ransom.

At the beginning of January 2020, the Center for Facial Restoration, Inc. reported a ransomware attack of the same kind, which took place on November 8, 2019. Before deploying the ransomware, the threat actors stole patient data and then demanded a ransom from the healthcare company and from 10 to 20 of its patients. The Center for Facial Restoration believes the attackers stole the photos and personal information of around 3,500 people.

Stealing data requires the attackers to gain network access, locate sensitive data, and exfiltrate it without being detected. Attackers of this type need more skill than is required for a typical ransomware attack. Even so, such data theft cases are increasing: the Nemty and Sodinokibi gangs are now using the same strategy to pressure victims into paying.