Maze gang outs ransomware victims in shame campaign

A ransomware gang known as "Maze" has started publicly listing its ransomware victims and threatened to leak sensitive data in an effort to force victims to pay ransoms.

At the time of this post, the Maze gang's website listed eight organizations that it claims were victims of its ransomware attacks between Oct. 21 and Dec. 9.

"Represented here companies don't wish to cooperate with us, and trying to hide our successful attack on their resources," the Maze gang wrote on its site. "Wait for their databases and private papers here."

Kurt Baumgartner, principal security researcher on the global research and analysis team at Kaspersky Lab, said the Maze gang "are not performing anything entirely new by shaming their victims, but collecting their victims into one site and organizing this effort is more brazen than most before them."

"Usually, crooks like these avoid public efforts, simply because it helps to get them caught," Baumgartner told SearchSecurity. "This situation may be representative of the ongoing law enforcement challenges that we see in handling transnational organized crime with a cyber dimension."

While it has not been verified that the Maze gang has actually stolen data, each organization listed on the site lists the amount allegedly stolen -- ranging from 1.5 GB to 120 GB -- and links to documents meant to serve as proof that more sensitive data is coming.

In November, the Maze gang released nearly 700 MB of files allegedly stolen from Allied Universal in a ransomware attack. The threat actors contacted Lawrence Abrams, CEO of BleepingComputer, before leaking the data and claimed to have demanded 300 bitcoin (approximately $2.3 million at the time) in ransom. The Maze gang contacted Abrams again last week to claim responsibility for the ransomware attack on the city of Pensacola, Fla.

Collecting their victims into one site and organizing this effort is more brazen than most before them.

Pensacola is not listed on the Maze website; it's unclear if that means the city paid the reported $1 million ransom.

John Fokker, head of cyber investigations at McAfee, believes two-stage extortion campaigns is a new trend on the rise.

"In a case of ransomware, leverage comes from the fear of not having your files decrypted and losing precious data or going out of business. This leverage has been proven to be effective for ransomware criminals for many years now. The additional threat of disclosing sensitive data that was exfiltrated prior to the ransomware will inevitably put more pressure on the victim to pay, especially if the victim wasn't planning on disclosing the ransomware attack," Fokker told SearchSecurity. "Threatening to publicly disclose sensitive data is a very powerful tool but it can get blunt very quickly. If it isn't done discretely and public disclosure for a victim is unavoidable, the threat loses its leverage."

Adam Kujawa, director of Malwarebytes Labs, agreed that this could be a new trend in ransomware attacks.

"By releasing the data that was ransomed, the attackers are basically stealing everything in your house and then leaving it on the side of the freeway for anyone to do whatever with it, that data is no longer secure or maybe worth securing any longer," Kujawa told SearchSecurity. "This has such a larger impact than just ransoming the files and now that Maze is doing it, we'll likely see it become business as usual for ransom criminals in the coming year."