Security insights from ThreatLocker
A new strain of ransomware known as Maze is disrupting organizations around the world.
In a Maze attack, the cybercriminals steal data before encrypting it and threaten to publicly release the stolen data if the organization does not pay. Until the ransom is paid, the hackers publish some of the data as proof and continue to release the information over time. Once a payment has been received, the group removes the data from its website.
Like most ransomware, Maze encrypts files, but it also exfiltrates the stolen data to the attackers’ server. Therefore, backing up data is not enough for organizations to mitigate the threat.
While Maze has only been around for the past year, it has wreaked havoc on many businesses.
At the end of 2019, shortly after the city of Pensacola was hit, the FBI issued a warning to the U.S. and called for vigilance to combat these attacks.
The FBI has also warned that Maze criminals have increased extortion efforts in recent months by using “multiple methods for intrusion, including the creation of malicious look-a-like cryptocurrency sites and malspam campaigns impersonating government agencies and well-known security vendors.”
This month, Cognizant, one of the largest IT services and consulting companies, confirmed it was hit by a Maze ransomware attack.
On April 18th, Cognizant released the following statement:
"Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack.
Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident. Cognizant has also engaged with the appropriate law enforcement authorities.
We are in ongoing communication with our clients and have provided them with Indicators of Compromise (IOCs) and other technical information of a defensive nature."
It is highly likely that malware was present on Cognizant’s network for weeks, if not months, harvesting its data all along.
Maze is more than just a ransomware attack. It is a data breach that has already affected governments, law firms, healthcare providers, manufacturers, medical research companies and more.
Maze claims they encrypted Chubb’s network, and the attack is currently under investigation.
Researchers have discovered unpatched vulnerabilities at the firm that could have provided a route for the ransomware attack.
Chubb stated, “We are currently investigating a computer security incident that may involve unauthorized access to data held by a third-party service provider.”
Two unnamed law firms have been hit with Maze ransomware in Manitoba, Canada.
The Law Society of Manitoba released the following statement:
“As a result of the virus attack, they have no access to email, Word, their accounting software, or any of their backups, including cloud backups.
Everything is tied up by MAZE and they have been asked to pay an enormous ransom to regain access to any of their work. The firms are working with IT professionals and cyber insurers and still are not sure how the virus took hold.
We suspect that someone clicked on a link or an attachment in an email that was infected with a virus which in turn infected the firms’ entire system. At this point, we do not know when or if they will ever regain complete access to their kidnapped data.”
Henning Harders was hit with a Maze attack on March 15th.
The company refused to pay the ransom, and as a result, hackers have posted the company’s stolen data on the Dark Web. The company’s data is now being used to send spear-phishing emails.
Henning Harders released the following statement:
“On Sunday 15 March we became aware of unusual activity on our systems which appears to be the result of a targeted and organised attack. We subsequently became aware that the cyber attacker has started to publish some client and employee information on an online forum controlled by it.
All our customers and employees have been notified that some data has now been made public.”
Hackers stole the oil firm’s entire database containing over 500MB of confidential documents related to investment plans, financial details, and other sensitive information, according to Under the Breach.
The Maze group posted the stolen data online on April 1st.
According to Bleeping Computer, Maze published almost 700 MB worth of data stolen from the staffing firm in 2019 after Allied Universal missed a ransom payment deadline.
It is evident that the Maze group is not holding back from targeting companies and releasing their data. Therefore, it is critical that businesses start taking these threats more seriously by implementing the latest technology to best protect their network.
If you are interested in learning more about how ThreatLocker can help, schedule a call with a support specialist today.