Maze /meɪz/ noun – a network of paths and hedges designed as a puzzle through which one has to find a way.
‘Maze’ is also the name of the ransomware family responsible for a recent Cognizant hit [1]. It is not your typical ransomware either, as it goes beyond encrypting files and asking a BTC payment to recover sensitive data.
This ransomware can spread across the networks, exfiltrating data to the attacker-controlled server.
The data is then held there to push the victims to pay the ransom, and if no payment follows – data is published online.
Most of the time, the group behind this activity targets public sector companies, but has also been involved in attacks on hospitals and labs fighting COVID-19 [2], a hack of two plastic surgery studios [3], and more importantly various managed services providers.
Maze Infection May Not Be Your Fault
When it comes to ransomware incidents, mostly they are the result of basic security oversights on part of the end user. Phishing or spear phishing attacks are used heavily, while Remote Desktop Protocol exploitations also can help the attackers to gain access.
Not the case in this situation.
“We don’t need to use phishing attacks and slowly move from one target to another as we have the access to the hosting provider.” – Maze states.
For that reason, Team Maze doesn’t have a preference on who they will racket next, they are not limiting themselves to a single industry. The FBI and U.S. Department of Homeland Security have warned technology platform providers about the risk of the attacks, and developed a guide to help the MSPs to decrease the risks of infection, so we as users have to hope that those recommendations are followed. [4]
If we return to the criminals, they don’t experience any mental blocks when leaking sensitive data. When it came to the hack of one of the plastic surgery studios, Maze leaked addresses, names, social security numbers, even photos that were taken during surgical procedures.
Other studio have lost patient names, dates of birth, insurance details and income statements, implant forms, as well as before and after photos.
This exploitation tactic puts both patients and companies in a very scrutinizing position, as customers could start questioning how much the company values their data, and the company would be tasked to pay a bill it couldn’t cover even if it wanted.
The situation gets worse when people behind Maze can leak more and more data, putting further pressure on the side that understandably does not wish to cooperate with the criminals.
Maze also somewhat deservingly can expose entities that are lying to their customers about the scope of the data breach.
Costa Rican State-Owned Bank Also In The List of Casualties
However vile Maze operators can be with their ransom tactics, they have taken an interesting position in their “conflict” with Banco BCR.
Maze claimed that it had compromised the infrastructure of the bank back in August of 2019. Then they pointed out that the bank failed to notify other institutions about the breach, as they should have according to the Financial Institutions Protocol.
Hackers noted that servers and workstations were not blocked and that private data was not secured.
Furthermore, the bank decided to conceal the fact of the breach, even though security personnel analyzed the attack logs to understand that the gang had accessed the payment processing system.
As the attackers state, they stopped the attack to minimize the damage, yet returned in February of this year to check if the required fixes were carried out. After realizing that no progress was made on part of the bank, criminals decided to steal over 11 million credit card credentials and transaction information.
On May 5th, the group declared its intentions to leak the data without concealing card numbers. The bank denies that there was a breach, a move that most likely will provoke Maze criminals to leak even more data, proving its legitimacy.
The entities that don’t give in to the demands are usually identified on a web page controlled by Maze operators. Maze added that the ransom is their "reward for pointing out problems in the security system through which half a bank could be pulled out" [5].
Why Is This Ransom Tactic So Effective?
Simply put, just having a backup is not enough to recover from such a hit, as miscreants would still possess a copy of sensitive files.
The new Maze “business model” also got approving nods from other ransomware families, such as REvil. This could be the next level in ransomware progression, and it would be considerably worse than just being hit by ransomware.
To summarize, the new Maze strategy highlights some undesirable outcomes:
- Hackers leak a sample of data extracted after the breach and contact the media about it.
- If the ransom demand is not met, criminals sell stolen information on the Dark Web.
- Breached companies are pressured to inform the stock exchanges, clients, and partners about the loss of sensitive information.
‘Maze’ has taken notice that more companies started backing up their data, and decided to take the next step to put the pressure on the clients who are not willing to pay. It doesn’t mean that companies must stop making backups, of course, that is still a helpful thing to have. While they won’t protect companies from attacks, they may allow the victims to rebuild after one.
Additionally, companies would have to keep their solutions up-to-date and keep an eye on recent vulnerabilities affecting popular platforms. Unique and durable passwords on RDPs would not hurt you in the slightest either, and of course, being honest to your clients, customers and partners should also be a no-brainer move.
To pay or not to pay?
It’s easier to say “don’t pay” when you’re not the one involved in this mishap, so that is the question only you can answer. Keep in mind that the leading ransomware gangs have transitioned from BTC to untrackable Monero cryptocurrency and that paying up doesn’t free you from the clasps of criminals.
Link in die Zwischenablage kopiert!