A week ago, the Federal Bureau of Investigation (FBI) released a flash alert warning private businesses in the United States about the possibility of Maze ransomware attacks. The alert came several days after the FBI issued an advisory on two other ransomware variants, MegaCortex and LockerGoga.
The Maze alert is marked TLP:GREEN, meaning it is not intended for public distribution, because it contains technical details of the attacks and indicators of compromise that private companies can use to detect and deter attacks. If it became public knowledge, it could benefit the threat actors.
The alert urges victims of Maze ransomware attacks to inform the FBI immediately so that it can track and apprehend the attackers.
Maze ransomware was first identified in early 2019, but the first attack on U.S. companies did not occur until November 2019. In recent weeks, the attacks have increased.
After gaining access to the network, the attackers exfiltrate data before encrypting files. They then issue a ransom demand to the company, claiming that they will hand over the decryption keys upon payment and delete all stolen data. If the victim does not pay before the deadline, the attackers publish the stolen information.
A recent attack on the city of Pensacola used Maze ransomware; when the victim did not pay the ransom, the attackers published the stolen information. In December, Southwire, a wire and cabling company in Carrollton, GA, suffered a Maze ransomware attack. The attackers demanded 850 BTC ($6 million) in exchange for the file decryption keys and threatened to publish the stolen data if the ransom was not paid. Because the payment was not made, the attackers set up a website with an Irish ISP and published the stolen data.
Southwire obtained a court injunction in Ireland that forced the ISP to shut down the website the Maze attackers were using to publish its data. Southwire also filed a lawsuit against the hackers in federal court in Georgia. Southwire claims the attackers violated the U.S. Computer Fraud and Abuse Act and is seeking injunctive relief and damages. The case was filed against ‘John Doe’ because the attackers have not been identified.
CyberScoop obtained a copy of the FBI warning, which states that the threat actors use several methods to attack companies: malicious cryptocurrency sites, malspam and phishing campaigns impersonating government institutions and security vendors, and ransomware delivered through exploit kits such as Fallout.
The FBI advised private businesses in the U.S. to heed its warning and take action to strengthen their defenses and patch vulnerabilities. In the event of an attack, the FBI advises against paying the ransom, since there is no assurance that the attackers will provide working decryption keys or destroy the stolen data.