The Maze ransomware ring has taken extortion to new heights by publicly posting breached data on the Internet—and threatening full dumps of stolen data if the ring’s “customers” don’t pay for their files to be unencrypted. But the group appears to be making one exception: the City of Pensacola, which was hit by Maze ransomware in December.
On the group’s website, the administrator of Maze’s ransomware operations posted:
We are going to make a gift to City of Pensacola: we will not publish leaked private data, but we publish the list of leak data and hosts to proof [sic], that we did it, we really hacked City of Pensacola.
Just before Christmas, the Maze operators had posted 2GB of data from the city’s systems, claiming it was only 10 percent of what had been stolen from systems before the attackers launched their ransomware attack. But the files were then removed, with only directory data, computer names, and IP addresses left on the site as proof of compromise. Based on the Maze site, 28 servers were hit by the attack.
Others have not been so lucky. The Italian foods company Fratelli Beretta saw all the data exfiltrated from 53 systems (a total of 3GB) posted online by Maze. And more recent victims have had smaller dumps posted. Stockdale Radiology, a radiology clinic in Bakersfield, California, saw screenshots of affected systems and data from the clinic’s fax server posted—including patient data transmitted from another MRI clinic. Ars reached out to Stockdale Radiology for comment but got no response.
About 25 other victims are listed on Maze’s site, with smaller “proof” data sets posted that include customer information. Victims include:
- Busch’s Inc., a grocery market chain in Michigan
- BST & Co., a certified public accountancy firm in Albany
- Lakeland Community College in Kirkland, Ohio
- The social media and public relations unit of Orlando-based company Massey Services
According to Emsisoft threat analyst Brett Callow, one recent dump of a Canadian company’s data included employee “names, home addresses, social insurance numbers, tax forms, earnings details, health insurance numbers, banking information, drug test results, etc.” The company failed to notify employees of the breach.
None of these breaches have been reported publicly by their victims. “The lack of disclosure obviously means that customers/clients/vendors/partners do not know that their data is now in the hands of cybercriminals and can be downloaded by anybody with an Internet connection,” Callow told Ars. “And that means they do not know that they should set up credit monitoring, notify their financial institution, be on the lookout for scams or spear phishing attempts.”
The Maze crew is not the only ransomware operation now using stolen data as additional leverage to get victims to pay up. The REvil/Sodinokibi ransomware ring has also threatened to reveal data of victims who don’t pay, including the travelers’ financial service provider Travelex. And other attackers may also be stealing data and using it in much more subtle ways to extort their victims.