Cyber-criminals behind the Maze ransomware attacks have claimed several more scalps over the past few days, including five law firms and a French industrial giant, all of which are thought to have had sensitive internal data stolen.
Brett Callow, a threat analyst with security vendor Emisoft, alerted Infosecurity to the developments over the weekend. The Maze group has a dedicated website where it first names victim organizations and then releases stolen data if they refuse to pay the ransom.
“This makes sense. The more data they publish and the more sensitive that data is, the less incentive an organization has to pay to prevent the remaining data being published,” said Callow.
“It's the equivalent of a kidnapper sending a pinky finger. If the organization still doesn’t pay, the remaining data is published, sometimes on a staggered basis.”
That’s potentially bad news for the latest firms to fall victim to Maze ransomware. At present, only two of the law firms have had sensitive customer data published but, ominously for the other victims, the group promises that the “proofs” are coming soon.
The French firm struck by Maze, Bouygues Construction, published a brief statement on Friday admitting a “ransomware-type virus” had been detected on its network the day before.
However, there’s no word from the firm so far on whether key data has also been lifted, as alleged by the Maze hackers.
“As a precautionary measure, information systems have been shut down to prevent any propagation,” the statement read.
“Our teams are currently fully focused on returning to normal as quickly as possible, with the support of experts. Installations are progressively being put back into service after being tested. Operational activity on our construction sites has not been disrupted to date.”
Maze has hit a wide range of firms in the past, including the US City of Pensacola, cabling giant Southwire and security company Allied Universal.
It’s not unusual for the group to charge its victims twice, $1m for the decryption key and a further $1m for ‘deletion’ of the stolen data. There’s the added jeopardy that, if they’re not paid, stolen data will be leaked onto Russian hacker forums, as has happened in the past.