Last week, the Federal Bureau of Investigation (FBI) issued a flash alert warning private companies in the United States about the threat of attacks involving Maze ransomware. The warning came just a few days after the FBI issued an alert about two other ransomware variants, LockerGoga and MegaCortex.
The Maze ransomware warning is marked TLP:GREEN and is not intended for public distribution, as it provides technical details about the attacks and indicators of compromise that private firms can use to prevent attacks. If published in the public domain, it could aid the attackers.
In the alert, victims of Maze ransomware attacks were urged to share information with the FBI as soon as possible to help its agents trace the attackers and bring them to justice.
Maze ransomware was first identified in early 2019, but it was not until November 2019 that the first attacks hit companies in the United States. Those attacks have been increasing in recent weeks.
Once network access is gained, data is exfiltrated prior to file encryption. A ransom demand specific to the organization is then issued. The attackers claim they will supply the keys to decrypt files and will destroy all data they stole in the attack. They warn their victims that if payment is not made before the deadline, they will start publishing the stolen data.
Maze ransomware was used in a recent attack on the City of Pensacola. When the ransom was not paid, the attackers started publishing the stolen data. In December, the Carrollton, GA-based wire and cabling firm Southwire was attacked with Maze ransomware. An 850 BTC ($6 million) ransom demand was issued for the keys to decrypt files. The attackers said they had stolen data and threatened to publish it if the ransom was not paid. When no payment was received, the attackers created a website hosted with an Irish ISP and started publishing the data.
Southwire successfully obtained a court injunction in Ireland forcing the ISP to take down the website that was being used by the Maze gang to publish its data. That website is now offline. Southwire also filed a lawsuit against the hackers in federal court in Georgia. Southwire alleges violations of the U.S. Computer Fraud and Abuse Act and is seeking injunctive relief and damages. Since the attackers are unknown, the lawsuit was filed against ‘John Doe.’
According to CyberScoop, which obtained a copy of the FBI alert, the threat actors use a variety of methods to attack businesses, including malicious cryptocurrency websites, malspam and phishing campaigns impersonating government agencies and security vendors, and ransomware downloads via exploit kits such as Fallout.
The FBI has urged private companies in the United States to heed its warning and take steps to strengthen their defenses and address vulnerabilities. In the event of an attack, the FBI does not recommend paying the ransom as there is no guarantee that valid keys to decrypt data will be supplied or that the stolen data will be destroyed.