As ransomware continues to spread like wildfire through the U.S., one cybercrime gang has found a new way to convince their victims to cough up the ransom.
This week, the gang behind the Maze ransomware strain launched a public website listing victims who have yet to pay up, threatening that if no payment is received they will publish the data stolen from those companies for all to see.
Criminals have long advertised stolen data on underground criminal forums on the dark web, but this latest development, first reported by independent security researcher Brian Krebs, adds an insidious twist to the criminal’s arsenal.
“Represented here companies don’t wish to cooperate with us, and trying to hide our successful attack on their resources,” the site explains in broken English. “Wait for their databases and private papers here. Follow the news!”
To back up their claims, the hackers have published the date of the attack and a number of files stolen in the hack, including Microsoft Office, text and PDF files. They also list the total volume of files allegedly exfiltrated from victims (measured in Gigabytes), and the IP addresses and machine names of the servers infected by the Maze ransomware.
There are currently eight companies listed on the website, and among them is Southwire, North America's largest wire and cable manufacturer, which was hit with a ransomware attack last week.
The gang behind the Maze ransomware claimed responsibility, and in a ransom note said that company data had been stolen and encrypted, demanding 850 bitcoins — currently worth around $6.1 million — for its safe return.
The criminals added that failure to pay will result in the publication of the stolen data.
Also last week, the Maze ransomware gang claimed credit for an attack on the City of Pensacola in Florida, and demanded a $1 million ransom. And, it claimed credit for an attack on security staffing firm Allied Universal and demanded $2.3 million to restore Allied Universal’s network.
The Maze ransomware was first discovered by Malwarebytes security researcher Jérôme Segura in May, and the malware strain has become increasingly active in recent months.
Criminals typically don’t care which computers their ransomware attacks, and demand a set sum regardless of whether the victim is an individual, a large corporation, or government agency. The Maze ransomware, however, alters the amount of money it demands from victims depending on the type of computer it infects, whether it’s a home computer, server, or workstation.
The threat of ransomware has exploded in the last year, with a recent report from cybersecurity firm Emsisoft claiming that in the U.S. alone, 948 government agencies, educational establishments, and healthcare providers were infected, at a potential cost in excess of $7.5 billion.
Last week, New Orleans became the latest victim, with the city declaring a state of emergency after its network was infected. Separately, a Louisiana parish sheriff’s office was forced to operate its booking system and other processes on paper after it was hit with a ransomware attack last weekend.
A report issued by the State Auditor of Mississippi in October 2019 stated there was a “disregard for cybersecurity in state government” claiming that officials are simply ignoring state and federal cybersecurity law, resulting in major vulnerabilities across government agencies.
“Governments are duct-taping their doors rather than putting proper locks on them,” Brett Callow, a spokesperson for Emsisoft, told VICE News. “Ransomware groups are now not only encrypting data they’re also stealing it. If governments do not do more protect their networks, there is a very real chance that their data — and the public’s data — may end up in the hands of cybercriminals.”
Cover: 04 December 2019, Hessen, Darmstadt: IT security scientists are training in the "Cyber Range" room in the new "Athene" cyber security centre how infiltrated blackmail programs ("Ransomware") can be rendered harmless. Photo by: Frank Rumpenhorst/picture-alliance/dpa/AP Images