Maze Promotes Other Gang's Stolen Data On Its Darknet SiteIn Sign of Collaboration, Maze Hosting Data From Lockbit Gang, IBM Rearchers Say
The Maze ransomware gang is hosting and promoting data stolen by other ransomware operators on its "Maze News" website, according to IBM researchers, who are concerned this could be a sign of growing collaboration among cybercrime groups.
See Also: 2020 Global Threat Report
IBM's X-Force IRIS team, which has been tracking Maze, tells Information Security Media Group that the ransomware syndicate may now be putting together a consortium of like-minded ransomware actors - a move that could have serious repercussions for victims.
"We are tracking new information that suggests the Maze crew is indeed working with other ransomware gangs to post their stolen information to the Maze 'name and shame' website and also possibly to share knowledge and experience," says Ole Villadsen, cyberthreat hunt analyst for IBM X-Force IRIS.
Evidence of Collaboration
The first evidence of this activity appeared on June 2 when Maze posted stolen data from the international architectural firm SmithGroup, indicating it was provided by Lockbit - a ransomware gang that's known to target larger enterprises, Villadesen reports (see: 10 Ransomware Strains Being Used in Advanced Attacks).
Last year, Maze led a major transformation of how ransomware gangs function when it began exfiltrating data from its victims and then threatened to make the data public if the ransom was not paid. Many other gangs quickly adopted the same extortion tactic.
James McQuiggan, security awareness advocate at KnowBe4, says the collaboration among Maze and other players may be tied to the need to adjust to the continually changing cybersecurity landscape.
"To have these groups come together with different tactics, techniques and procedures can certainly make them a more influential faction," McQuiggan says. "I'm not aware of other criminal groups coming together, but it's known they communicate via secure, encrypted channels to share information."
If Maze's action, is, indeed, a first step of what could become a broader collaborative effort among ransomware gangs, McQuiggan says, it could lead to much more substantial threats.
"Think of it as a help desk: There are level 1, 2 and 3 experts," he suggests. "A similar approach may occur with the merging of criminal groups. One group has the phishing expertise to create intelligent and crafty emails. A second group has the zero days. And a third has exploits not yet discovered."
Maze's willingness to post stolen data on behalf of other ransomware groups makes it easier for them to give extortion a try, Villadsen says.
"This development means that other ransomware gangs that are not already stealing and threatening to expose victim data unless they pay the ransom may now have an opportunity to do so on the Maze site, as well as gain knowledge and experience on this tactic from the Maze operators," he adds.
It's not yet clear how Maze is charging others to post stolen data on its site.
"We do not have any specific information on what Maze is receiving for providing this service to other groups, but we strongly suspect that they are getting a percentage of any payment that the victims make in response to the data being posted on the Maze site," Villadsen says.
In another indicator of the evolution of ransomware gang activity, the operators behind REvil - also known as Sodinokibi - recently announced that they had created an auction site where data from their various attacks is being offered for sale to the highest bidder (see: REvil Ransomware Gang Auctioning Off Stolen Data).