​Maze ransomware operators once again take to the internet to publish a list of victim organizations

​Maze ransomware operators once again take to the internet to publish a list of victim organizations

  • The new tactic was first adopted in December 2019 by the operators to publish online a portion of the 120 GB of data stolen from Southwire company.
  • The site was taken down after Southwire had filed a lawsuit against the operators in the Northern District of Georgia.

The operators of Maze ransomware are back to publicly shame the organizations who declined to ransom demands. This new tactic was first adopted in December 2019 by the operators to publish online a portion of the 120 GB of data stolen from Southwire company.

Where has the data been released?

In December 2019, the stolen data from Southwire was published on the http[:]//mazenews[.]top/ website which was hosted at an ISP in Ireland. The site was taken down after Southwire had filed a lawsuit against the operators in the Northern District of Georgia.

However, this did not stop the malicious plans of the threat actors and a new ‘mazenews’ website was back on the internet with the ISP hosted out of Singapore via Alibaba. This time, the attackers had released an additional 14.1 GB of stolen files from Southwire on the new website.

Which are the impacted companies?

The latest website backed by Maze operators lists the companies that have allegedly been compromised and did not cooperate with ransom demands.

On the site, the Maze states: "Represented here companies do not wish to cooperate with us and trying to hide our successful attack on their resources. Wait for their databases and private papers here. Follow the news!"

The victim companies listed so far are Southwire, RBC, THEONE, Vernay, Bakerwotring, BILTON, Grecco Auto, Groupe Igrec, Mitch Co International, Einhell, CONTINENTALNH3, and Groupe Europe Handling SAS. The city of Pensacola is also included in the list along with American tax advisory firm BST & Co. and laboratory testing facility MDL.

The operators have also published details of some stolen files belonging to Einhell, Fratelli Beretta, Crossroadsnet, MDL, BST & Co, SAXBST, and Auteuil Tour Eiffel.

Sodinokibi operators follow the same path

The operators behind the Sodinokibi ransomware for the first time have released files stolen from one of their victims because a ransom was not paid in time. The affected victim is Artech Information Systems and threat actors have posted links to its approximately 337MB of stolen data on a Russian hacker and malware forum.

Conclusion

This practice of using stolen data as leverage is not going to go away anytime soon and is only getting worse. Researchers expect that more ransomware operators will soon begin to utilize this technique as a part of their attacks.