Maze: the ransomware that introduced an extra twist

SOURCE: Malwarebytes
Posted: May 29, 2020 by Pieter Arntz
Last updated: May 28, 2020

An extra way to create leverage against victims of ransomware has been introduced by the developers of the Maze ransomware. If the victim is not convinced that she should pay the criminals because her files are encrypted, there could be an extra method of extortion. Over time, more organizations have found ways to keep safe copies of their important files or use some kind of rollback technology to restore their systems to the state they were in before the attack.

To have some leverage over these organizations, the ransomware attackers steal data from the infiltrated system while they deploy their ransomware. They then threaten to publish the data if the victim decides not to pay. Depending on the kind of data, this can be a rather compelling reason to give in.

Maze introduces leaked data

In the last quarter of 2019, Maze’s developers introduced this new extortion method. And, as if ransomware alone wasn’t bad enough, since the introduction of this methodology, many other ransomware peddlers have started to adopt it. The most well-known ransomware families besides Maze that use data exfiltration as a side-dish for ransomware are Clop, Sodinokibi, and DoppelPaymer.

The dubious honor of being noted as the first victim went to Allied Universal, a California-based security services firm. Allied Universal saw 700MB of stolen data being dumped after they refused to meet the ransom demand set by Maze. Nowadays, most of the ransomware gangs involved in this double featured attack have dedicated websites where they threaten to publish the data stolen from victims that are reluctant to pay up.