A US company targeted by ransomware has taken its fight to the Irish courts to have confidential data stolen by the same attackers removed from the web.
Southwire was struck by the Maze variant in December last year, with attackers demanding over $6m in ransom — not only for the decryption key, but also to regain company data that they exfiltrated.
However, the attackers reportedly grew frustrated with the firm’s refusal to pay up, and started publishing the data on a site called mazenews[dot]top.
That’s when the firm, which is one of America’s largest manufacturers of wire and cabling, enlisted its lawyers.
According to local reports, the company has secured an injunction in the Irish High Court against the registrants of the IP address linked to the “mazenews” site.
They’re said to work for a now-dissolved company called World Hosting Farm Limited (WHFL), with addresses in Cork and Dublin. The owner and director of the firm is Artur Grabowski of Stupsk, in Poland, according to the court documents.
Grabowski and the others named in connection with the IP address were all contacted by Southwire but failed to respond, hence the temporary injunction. It apparently requires that all confidential information be removed from the site and that no more material be published online.
Southwire is also said to have asked the judge to prevent media outlets from publishing its name in reporting of the court case, arguing that it would help the ransomware authors. However, Ms Justice Mary Rose Gearty refused.
Data theft is becoming increasingly common in ransomware attacks, raising the stakes for victim organizations.
Aside from Maze, strains such as Zeppelin, Snatch, Sodinokibi and Merry Christmas have all been observed exfiltrating sensitive data from targeted networks. The tactic is designed to force victim organizations to pay up in order to avoid their data being published, rather than simply ignoring the ransom demands and restoring from backup.