Maze ransomware grabbed the headlines this year in April, when it targeted the IT services giant Cognizant. Incident responders have reported that the tactics used by Maze are fairly new and that businesses might find it difficult to defend themselves against them.
What is happening?
The Kroll incident response team has talked to Maze ransomware operators, who discussed some of its inner workings. It is apparent from the FAQ document posted by Maze on their “shaming” site that these attackers are going the extra mile when it comes to pressuring their victims into paying quickly.
The status quo
The shaming site was launched by the end of 2019 and the operators kept updating the site frequently with new leaks. This site is used to upload the stolen data, along with the names of the victims. The amount of information leaked is directly proportional to the time a victim takes to make the ransom payment.
What the experts are saying
- Laurie Iacono stated that the group is pretty transparent about their operations, which is rare in the ransomware world.
- The initial ransom demand was nearly USD 2.3 million, as stated by Coveware. This comes second to the ransom demands by Ryuk ransomware.
What you need to know
- The operators actively leverage known vulnerabilities, such as the Pulse VPN vulnerability CVE-2019-11510.
- The group has claimed that if the victims do not pay up, the credentials will be used against the clients and partners of the victims.
- In case of non-payment of ransom, a prepared press release will be sent to the media, along with information on the shaming site.
- If the victim is a publicly-traded organization, the information will be sent to the stock exchange where the victim’s stock is listed.
- According to a healthcare client, the threat actors emailed patients directly, threatening to expose their personal health data.
- In another case, a mortgage company was given only 24 hours to pay the ransom.
No industry is safe from attacks where the threat actors actively look for data that can compromise the reputation of a company. Thus, it is suggested that companies consider ransomware-specific policies for their incident response plans.