‘Maze’ ransomware threatens data exposure unless $6m ransom paid

What’s the most effective way to fight back against a large ransomware attack?

Normally, the answer would be technical or organisational, but a new type of ransomware called Maze seems to have stirred up a very different response in one of its recent victims – bring in the lawyers and try to sue the gang behind it.

The victim this time was US cable and wire manufacturer Southwire, which last week filed a civil suit against Maze’s mysterious makers in Georgia Federal court.

This mentions a big attack involving Maze, which we know from the company’s Twitter account happened on 11 December 2019.

Given that the attackers are unknown – referred to only as “John Doe” in legal filings – this might sound like a fool’s errand. But it seems it is the way the ‘Maze Crew’ attempted to extort Southwire that led to such unorthodox tactics.

According to Bleeping Computer, the sum demanded from Southwire was 850 Bitcoins, equivalent to around $6 million.

That sounds like a lot to supply some encryption keys to unlock scrambled data, but the demand was backed by a second and more sinister threat – if the sum wasn’t paid the data would be released publicly.

That ransomware attackers can steal as well as encrypt data isn’t a new phenomenon but the possibility that sensitive data might be revealed to the world is potentially more damaging than any short-term disruption caused by the malware.

And yet, despite the seriousness of this threat, it seems that Southwire declined to pay.

Circling the wagons

To understand this defiance, consider other recent Maze incidents in which the Maze gang released samples of the stolen data to media, and set up a special website to publish it.

Southwire would have known this was likely to happen because the attackers reportedly name-checked that they’d released the data from another victim as part of their ransom pitch.

The same website was eventually used to publish some of Southwire’s data, with further releases promised.

As Southwire’s incident website explains, at that point the company decided to go after the website, gaining a court order in Ireland on 31 December to have the domain and the data on it taken down.

Will this deter Maze from releasing he data elsewhere? Probably not. But the mere fact that three sizeable victims have dared them to release breached data isn’t exactly a great advert for the ransomware’s effectiveness.

It’s remotely possible that the Maze gang left clues as to their origins when they registered the domain, hence the involvement of lawyers that might unmask their identities.

FBI warning

It’s since emerged that with less-than-ideal timing the FBI issued a non-public warning to US businesses on 23 December 2019 warning that the Maze gang was on the prowl.

This does at least offer important information on the ways Maze infects targets using boobytrapped macros inside Word documents pretending to come from governments, including the use of exploits against flaws in Internet Explorer (CVE-2018-8174) and Adobe Flash (CVE-2018-15982, CVE-2018-4878) where available patches haven’t been applied.

The FBI advises not to pay Maze’s ransoms because doing so would not guarantee the recovery of data, nor the destruction of stolen data.

Whether that’s correct or not, the die has been cast – just when you think ransomware crooks have worn out every trick they use to get paid, they hit on a new one. Data exposure driven by ransomware could be the next big wave.