The conventional wisdom regarding ransomware attacks has been to be prepared with adequate system backups and not to pay the ransom. After all, when dealing with criminals there is no guarantee that they will return your data. Well, many must have heeded that advice because cyber criminals have just upped the ante; enter Maze Ransomware!
Here are your fast 5 things to know about Maze Ransomware:
1. What is it?
Maze Ransomware is a new strain of ransomware with a twist, pay up or your data goes up…on a public website. According to Trend Micro, the FBI recently released an advisory to U.S. companies stating that the cyber criminals, known as Maze, used multiple methods of entering victim networks, including fake cryptocurrency sites and malspam (malware delivered via email). Trend has posted the indicators of compromise for Maze on its site, referenced below.
2. What information is released as a result of Maze Ransomware?
KrebsOnSecurity reported the following data related to the victim companies on Maze’s public shaming site:
- Date of infection.
- A sampling of actual stolen files of various types, such as Microsoft Office, text, and pdf.
- Total volume of exfiltrated files, in gigabytes.
- IP addresses of the affected computers.
Bleepingcomputer reported that, as of January 3, the shaming site, hosted in Ireland, had been removed. However, it seems reasonable to expect it will pop up again somewhere, sometime.
3. Is a Maze Ransomware attack considered a data breach?
Use your best judgement depending on the specific circumstances, but here’s an interesting take on this question: according to Lawrence Abrams on Bleepingcomputer, “Ransomware attacks are now data breaches…criminals state that they are familiar with internal company secrets after reading the company’s files. Even though this should be considered a data breach, many ransomware victims have swept it under the rug in hopes that no one would find out.” A position that it is not a breach would become difficult to maintain once company files are posted on a public site.
4. How prevalent is Maze Ransomware?
Bleepingcomputer, which reports having seen the FBI advisory, states that Maze has been operating since early 2019 but was first observed in the U.S. in November 2019. Among the reported victims are the City of Pensacola and Southwire, a cable and wire manufacturer. In an interesting turn of events, Southwire has filed a lawsuit in Georgia against the Maze cybercriminals, who were named as “John Doe” since their identity is, of course, still unknown.
5. How can we protect against this threat?
As always, basic cyber hygiene is the best bet. Trend Micro recommends the following measures:
- Keep your systems updated with the latest patches and versions,
- Use multi-factor authentication,
- Create an effective backup strategy by following the 3-2-1 rule (create at least 3 copies of the data, in two different storage formats and have at least one offsite),
- Use strong passwords throughout the network,
- Segment your network using a risk-based approach,
- Train users on ransomware, and
- Monitor your network for suspicious activity.
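The 3-2-1 rule above is easy to state but easy to drift away from as storage gets added over time. The following is an added example (not from Trend Micro or this post) that checks a backup inventory against the three conditions per dataset; the inventory format, dataset names and media are constructed for illustration.

```python
"""Check a backup inventory against the 3-2-1 rule:
at least 3 copies, on at least 2 storage formats, with at least 1 offsite.
"""
from collections import defaultdict

# Constructed sample inventory (hypothetical datasets, media and locations).
SAMPLE_INVENTORY = [
    {"dataset": "fileserver", "medium": "disk",  "offsite": False},
    {"dataset": "fileserver", "medium": "tape",  "offsite": False},
    {"dataset": "fileserver", "medium": "cloud", "offsite": True},
    {"dataset": "erp-db",     "medium": "disk",  "offsite": False},
    {"dataset": "erp-db",     "medium": "disk",  "offsite": False},
    {"dataset": "erp-db",     "medium": "disk",  "offsite": True},
    {"dataset": "mailstore",  "medium": "disk",  "offsite": False},
]


def check_321(inventory):
    """Return {dataset: [failed condition, ...]}; an empty list is compliant."""
    by_dataset = defaultdict(list)
    for copy in inventory:
        by_dataset[copy["dataset"]].append(copy)

    report = {}
    for name, copies in sorted(by_dataset.items()):
        failures = []
        # "3": three copies of the data (the primary counts as one of them).
        if len(copies) < 3:
            failures.append(f"only {len(copies)} of 3 required copies")
        # "2": two different storage formats, so one media failure cannot take all copies.
        media = {c["medium"] for c in copies}
        if len(media) < 2:
            failures.append(f"single storage format {sorted(media)} (need 2)")
        # "1": at least one copy held offsite.
        if not any(c["offsite"] for c in copies):
            failures.append("no offsite copy")
        report[name] = failures
    return report


if __name__ == "__main__":
    for dataset, failures in check_321(SAMPLE_INVENTORY).items():
        print(f"{dataset}: {'OK' if not failures else '; '.join(failures)}")
```

Note that this only checks availability: a compliant backup set restores your files, but does nothing about copies Maze has already exfiltrated, which is the whole point of the shaming site.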
Additionally, we recommend practicing your Incident Response Plan with various ransomware scenarios. If you’re interested in assistance with this, please contact us at support@bedelsecurity.com or 833-297-7681.
If you do find yourself up against Maze Ransomware, the FBI and Trend still recommend against paying the ransom, pointing back to the conventional wisdom about dealing with criminals mentioned earlier.
Sources:
https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/