In May 2019, Lawrence Abrams of Bleeping Computer reported on threat actors using Maze ransomware, a then-new variant of ChaCha ransomware. As reported by Abrams, Jérôme Segura had found that the ransomware was being dropped by the Fallout exploit kit. In October, researchers also noted that it was being dropped using the Spelevo exploit kit. Since that time, the number of reports involving Maze ransomware has mushroomed. And whereas the majority of ransomware victims in the past few years typically reported that their files were locked but they had no evidence that files had actually been accessed or exfiltrated, Maze Team is very clear that they have exfiltrated data and will dump it all. To that end, they have created web sites where they list the names of recalcitrant victims and post samples of the data they have exfiltrated. If the victims still don’t pay up, they proceed to dump more data.

One of their victims, Southwire, did not pay the reported $6 million ransom, and took the bold step of suing the attackers in federal court after also obtaining an emergency injunction from Ireland’s High Court to compel World Hosting Farm Limited to take down their data from Maze Team’s site. As Southwire explained to its customers:

“On December 31, utilizing outside counsel in the U.S. and in Ireland, Southwire was able to secure an emergency injunction from the Irish High Court. The injunction requires the defendants to remove all data relating to Southwire and its customers from its public website. Furthermore, the court’s order compels the defendants to hand over all data taken from the company and prohibits them from publishing any further material. Independently, Southwire was able to verify that the website was taken down within 24 hours of the judge issuing the order.”

You can read the federal complaint here (it appears redacted that way in the docket).
Not surprisingly, Maze Team simply registered two domains, hosted them, and proceeded with their plan, dumping 14 GB more of Southwire’s data. A notice of the new data availability was posted on a Russian forum, with the data itself being uploaded to two well-known file-sharing sites. As of today’s date, the data still appears to be available for download from those sites. As the attackers explained to BleepingComputer, the 14 GB dump was not in retaliation for Southwire’s litigation. They were simply adhering to their plan to keep dumping a percentage of the data every two weeks if Southwire didn’t negotiate with them.

In any event, as of the time of this post’s publication, both of Maze Team’s sites have been unreachable for more than 24 hours, and they inform this site that because their sites are under constant attack, they are considering their next location move. But using screenshots of files that were on their site, you can see how they attempted to name and shame one victim. This site made numerous attempts to reach Crossroadsnet and Crossroads Technology to discuss the matter, but they failed to respond to all inquiries, despite the fact that it was clear that they had received the inquiries because their staff started looking me up on LinkedIn. Because they haven’t responded, this site does not know what services the business provided to these individuals, most of whom appear to be senior citizens. Nor does this site know whether the company has notified any of them of the breach. This post will be updated when more details are obtained.

Commenting on their failure to respond to inquiries from this site or from them, Maze Team wrote: “If people cannot give us even 2 minutes to talk, it speaks either of their snobbery or their stupidity, what lesson can be learned?
All these people, I’m sure, care very much about their security, but do not care about the security of their companies in the world, and we tell them, even in such a tough way, that if someone trusts your company with their data, then your company should have a conscience and responsibility to do the job well, putting their customer’s data above their laziness and greed.” And on that last point, we agree.

Health-related data and entities are not immune

While the sample data dump is concerning, this site had been even more concerned to see a listing for MDLab, a diagnostic lab that is covered by HIPAA, on Maze Team’s website. By the fact that it was listed, I assumed that they had refused to pay the extortion demand, and I reached out to them to discuss the incident. According to the news site, MDLab’s data had been locked up on December 2. Their entry on Maze Team’s site included a few files, but none containing personal or protected health information. MDLab ignored repeated inquiries from this site. But as it turned out, they may not have refused to pay the ransom. In a statement to this site, Maze Team claimed that MDLab had tried to acquire BTC to pay them, but Coveware didn’t help them for some reason, and MDLab may have given up trying.

This site reached out to Coveware to ask them to explain what happened. Their CEO, Bill Siegel, responded: “Per your inquiry, we have not had any recent interaction with Maze group, and don’t have interactions with these groups outside of when we are negotiating on a client’s behalf (which we would keep confidential). As a policy, if a threat actor tries to contact us to help a company, or if a company tells us that an actor referred us, we decline to assist even if the company is genuine and needs our help. Any benefit from a criminal’s referral is wrong in our book, and our policy is designed to ensure there is no ambiguity. We realize the impact our policy may have, and we certainly feel for these victims.
Whenever possible we try and point these victims to free resources or alternative service providers that may be able to assist.” Coveware’s policy makes sense from an ethical perspective, and serves […]