Cybercrime , Fraud Management & Cybercrime , Legislation & Litigation

Maze Ransomware Victim Sues Anonymous Attackers

Southwire Also Obtains Irish Court Injunction, Forcing Blackmail Site Offline
Maze Ransomware Victim Sues Anonymous Attackers
Photograph of a Maze ransom note displayed on a crypto-locked Southwire system (Source: court documents)

A Georgia manufacturer that was hit by the Maze ransomware gang is fighting back by suing its attackers even though their true identity remains unknown.

See Also: Live Webinar | How to Identify & Address Risk with Attack Simulation

On Tuesday, Southwire, a cable and wire manufacturer based in Carrollton, Georgia, filed a civil lawsuit against its "John Doe" Maze gang attacker or attackers in Georgia federal court.

At the same time, the company obtained a court injunction in Ireland to force offline a website - being hosted by an Irish service provider - that was being used by the Maze gang to try to name and shame victims and also dump data the gang stole from victims before leaving their systems crypto-locked.

Southwire Company v. John Doe (partially redacted)

News of the U.S. lawsuit was first reported by Bleeping Computer. News of Southwire's successful attempt to obtain an injunction in Irish court was first reported by TheJournal.ie.

Southwire, which has $6 billion in annual revenue and more than 8,000 employees worldwide, was hit by Maze ransomware on Dec. 9, disrupting its business. At the time, Bleeping Computer reported that the Maze gang had demanded 850 bitcoins in ransom ransomware, then worth $6.1 million (see: Georgia Wire Manufacturer Struck by Ransomware).

The company has refused to pay the ransom and instead responded by filing a lawsuit against its blackmailers.

Southwire seeks "compensatory damages and injunctive relief" via its lawsuit, which alleges that the Maze gang violated the U.S. Computer Fraud and Abuse Act by accessing its systems and disrupting them and dumping stolen data online.

"Plaintiff has already been irreparably harmed by defendant's illegal misappropriation and public dissemination of Southwire's data," the lawsuit states. "Additionally, news of the incident and the defendant's exploits has been spread to various media outlets by the defendant in an effort to harm Southwire's reputation and alarm its customers, vendors, and employees."

But the use of "John Doe" in the lawsuit reflects Southwire not knowing the true name of the defendant or defendants.

Blackmail Attempt

After hitting Southwire, the Maze gang threatened to dump stolen data unless the organization paid the $6.1 million ransom in bitcoins (see: Maze Ransomware Gang Names More Alleged Victims).

"We have also downloaded a lot of data from your network, so in case of not paying this data will be released," the gang warned in its ransom note, a copy of which is labeled "exhibit A" and included with Southwire's U.S. lawsuit. "If you don't believe we have any data, you can contact us and ask a proof. Also you can Google 'Allied Universal Maze Ransomware.'"

The gang's threat referred to its having leaked 700 MB of data it stole from Allied Universal, a California-based security services firm, in November. The gang told Bleeping Computer at that time that it had stolen 5 GB and planned to send the rest to WikiLeaks if the company didn't pay 300 bitcoins (see: Ransomware Attackers Leak Stolen Data).

The Maze ransomware gang has also taken credit for infecting the city of Pensacola, Florida, among many other victims. After Pensacola officials refused to pay a ransom, the gang leaked 2 GB of what it claimed was 33.2 GB of data it had stolen from the city.

FBI: Maze 'Flash' Alert

Last week, the FBI issued a "flash" alert to private U.S. firms, warning about the continuing threat posed by ransomware, reported CyberScoop, which obtained a copy of the alert.

"From its initial observation, Maze used multiple methods for intrusion, including the creation of malicious look-a-like cryptocurrency sites and malspam campaigns impersonating government agencies and well-known security vendors," the advisory states. "In a late November 2019 attack, Maze actors threatened to publicly release confidential and sensitive files from a U.S.-based victim in an effort to ensure ransom payment."

While the bureau doesn't name the victim, the details match what happened to Allied Universal.

Maze Gang Leaks Southwire Data

The Southwire lawsuit notes: "After plaintiff did not pay the ransom demanded by defendant, a portion of plaintiff's stolen confidential and sensitive information was publicly posted to [redacted] ... Defendant has threatened to expose further confidential and sensitive information to the public if the ransom payment is not made in the coming days."

Excerpt from Southwire's lawsuit

The cat-and-mouse game has continued to escalate, with the manufacturer suing its attackers.

"This is a bold but risky move by Southwire," Emsisoft threat analyst Brett Callow tells Bleeping Computer. "It could push the Maze Group into releasing all of the company's data, while the website takedown could result in a game of whack-a-mole in which the data is published in other, possibly more visible, locations."

Victim Obtains Injunction in Ireland

On Thursday, Southwire obtained an injunction in Irish court forcing offline a domain being used by the Maze gang. The domain name was first registered on Dec. 9 with Namecheap, a domain name registrar based in Los Angeles, and was being hosted on a dedicated server leased from a Cork, Ireland-based firm called World Hosting Farm Limited, according to public WHOIS data.

Information Security Media Group has chosen to not publicize the attackers' domain name because it might aid their blackmail efforts.

Southwire wrote to WHFL, requesting that they cease and desist hosting a website that contained confidential, stolen information and victim lists, but received no response, the company's defense counsel told a court in Ireland on Thursday, TheJournal.ie reported.

As a result, the company sought a court injunction against the owner and director of WHFL, which is listed in Irish corporation records as Artur Grabowski of St. Budzynskiego, in Stupsk, Poland; the company's secretary, listed as a Dublin-based firm called Admiral Tax Limited; and Janusz Dybko, who is listed as being the contact person for the Maze address, TheJournal.ie reported.

Counsel told the court that WHFL is listed as having been dissolved, TheJournal.ie reported.

There is no indication that any of those individuals or corporate entities have anything to do with the Maze gang, aside from leasing hosting space that the Maze gang used to try and name and shame victims.

Maze Site Offline

As of Friday, the Maze gang's domain name no longer resolved to a working IP address.

Banner atop the Maze gang's site that listed purported victims that refused to meet its ransom demands, and which also published some information that had been stolen from victims. As of Jan. 2, the site was offline, thanks to a court injunction in Ireland.

ISMG has not received a response to a request for comment from Southwire's counsel, Jonathan S. Klein of New York-based law firm Mayer Brown LLP, on whether Southwire had attempted to work through U.S. law enforcement agency - such as the FBI - to work with their Irish counterparts and get the site taken down.

One likely possibility is that law enforcement agencies have been monitoring the website for clues to the Maze gang's identity. If gang members forgot to mask their IP address using a VPN or proxy server, for example, it could help investigators ascertain attackers' true identity (see: Analysis: VPN Fail Reveals 'Guccifer 2.0' is 'Fancy Bear').


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.