Share this article on:
The operators of Maze ransomware are following through on their threats to publish stolen data if victims do not pay the ransoms. In December, the Carrollton, GA-based wire and cable manufacturer Southwire refused to pay a 200 BTC ransom ($1,664,320) and the threat actors went ahead and published some of the stolen data. Southwire filed a lawsuit in the Northern District of Georgia against the Maze team and the ISP hosting the Maze Team’s website. The case was won, and the website was taken offline; however, the website was back online with a different hosting provider a few days later.
Listed on the webpage are the names of the companies that have been attacked and refused to pay the ransom demand, along with some of the data stolen in the attacks.
One of those companies is New Jersey-based Medical Diagnostic Laboratories (MDLab). According to the Maze Team, MD Lab was attacked on December 2, 2019. MD Lab made contact with the Maze team, but negotiations stalled, and no ransom was paid.
According the Maze website, 231 workstations were encrypted in the attack. When MD Lab refused to negotiate, the Maze team went ahead and published 9.5GB of the company’s private research data, including immunology research. The Maze Team then advertised the stolen data on a hacking forum in an attempt to restart negotiations with the company. According to Bleeping Computer, 100GB of data was stolen in the attack. The Maze team have demanded a ransom payment of 100 BTC ($832,880) for the keys to unlock the encrypted files and a further 100 BTC payment to destroy the stolen data.
While threats have been issued in the past to publish data stolen in ransomware attacks, there have been no confirmed cases of attackers following through on their threats until the Maze gang started publishing data in December 2019. Currently, 29 companies are listed on the website as not having paid, along with samples of data stolen in the attacks.
Earlier this month, The Center for Facial Restoration, Inc. announced it had suffered a similar fate following a November 8, 2019 ransomware attack. The attackers stole patient data before deploying ransomware and issued ransom demands to the healthcare provider as well as 10-20 patients. Photographs and personal information of up to 3,500 are believed to have been stolen in the attack.
In order to steal data, access to the network must first be gained and the attackers then need to search for sensitive data and exfiltrate it without being detected. Since these types of attacks require more skill to pull off than a standard ransomware attack, they are likely to remain relatively limited. That said, these data theft incidents are becoming more common. Several ransomware operators, including the Sodinokibi and Nemty gangs, have now adopted this tactic and have been threatening to publish or sell stolen data to pressure victims into paying.