Ransomware Attackers Leak Stolen DataMaze Crew Reportedly Threatens to Release More of Allied Universal's Data Unless Ransom Paid
Ransomware attacks have taken an unwelcome turn: The Maze gang reportedly has begun leaking a victim's files to create pressure to pay a ransom.
See Also: Ransomware Recovery in the 'New Normal'
Security experts say that leaking data as part of a ransomware shakedown isn't a surprising turn of events. But it's unclear whether this tactic will catch on, they say, because simpler ransomware attacks tend to be much more lucrative than attacks that involve data exfiltration.
Even so, the group using Maze ransomware published almost 700 MB of data that it stole from Allied Universal, a California-based security services firm with a valuation of about $7 billion, Bleeping Computer reports.
The "Maze Crew" tells Bleeping Computer that the leak only represents a fraction of the 5 GB of data they stole, and that they'll dump the rest - sending it to WikiLeaks - unless Allied Universal coughs up a ransom of 300 bitcoins, currently worth about $2.1 million.
The attackers also claim to still have access to Allied's site and to have stolen TLS and email certificates that they could use to impersonate the security firm via email spam campaigns.
After attackers uploaded what it said was a sample of the stolen data to Bleeping Computer's forums, the publication said it immediately deleted the data, but it noted that attackers had also uploaded it to a Russian language cybercrime forum and reported that they're now demanding closer to $4 million. Allied Universal had said it would pay no more than $50,000, the publication reports.
In addition to the previous types of data, this batch also included encryption certificates, directory listings, and exported users from active directory servers. pic.twitter.com/CCZnWGEE2z— BleepingComputer (@BleepinComputer) November 22, 2019
The company declined to comment on that report, but did confirm its investigation. "Allied Universal is aware of a situation that may involve unauthorized access to our systems," a spokeswoman tells Information Security Media Group. "With the assistance of leading cybersecurity experts, we have taken immediate and appropriate actions to investigate the matter and reinforce our system security. We are also working closely with law enforcement on their investigation into this matter. Keeping our company data safe and that of our customers and employees is of paramount importance."
The relatively new Maze ransomware, also known as ChaCha, has been tied to a number of attacks that since October have targeted organizations in Germany, Italy and the United States. Spam emails sent by the Maze group often lead to domains that impersonate legitimate government websites - including the German Federal Ministry of Finance, the Italian Revenue Agency and the U.S. Postal Service - according to Proofpoint, which refers to the Maze gang as TA2101.
In some cases, the attackers have emailed malicious Microsoft Word attachments to victims with macros which, if run, execute a PowerShell script that downloads Cobalt Strike, a legitimate penetration testing tool that's been repurposed by the attackers. In other cases, Proofpoint says, the malicious payload has been Maze, or, in the U.S., the IcedID banking Trojan.
In July, VMware's Carbon Black noted that Maze was being distributed by the Fallout exploit kit. Fallout has also been tied to distributions of Sodinokibi, as well as AZORult, Kpot, Raccoon and Danabot, according to Malwarebytes (see: Sodinokibi Ransomware Gang Appears to Be Making a Killing).
In October, an independent security researcher found Maze being distributed via the Spelevo exploit kit, which was targeting a Flash vulnerability for which a patch is available.
The Maze gang's attempt to force a ransom payment "indicates a natural progression in the threat actors' focus," says David Stubley, CEO at 7 Elements, a security testing firm and consultancy in Edinburgh, Scotland (see: Ransomware Gangs' Not-So-Secret Attack Vector: RDP Exploits).
"With the rise of additional mitigation and recovery options that help organizations avoid paying the ransom, the next stage is to force payment, and it would be easy for the actor to post a number of example files to Pastebin," perhaps initially in an encrypted format, while threatening to post a decryption key, Stubley tells ISMG.
Attackers already regularly threaten to increase their ransom demands the longer a victim doesn't pay. In theory, it would be a small leap for them to begin automatically leaking stolen files as well or publishing decryption keys for files that they have already uploaded to Pastebin or released via BitTorrent to increase the pressure on victims.
"Ever since the Chimera ransomware at the end of 2015, 'doxware' has been considered by us and many others as a logical next step in the more general, malware-driven cyber extortion business," says Fabian Wosar, CTO of anti-virus firm Emsisoft. In the case of Chimera, for example, the ransomware not only crypto-locked data, but threatened to dump it. "The threat to reveal confidential and sensitive data stolen by the attackers was only a bluff back then, but it has become a reality now, almost four years later."
Extortionists often seek whatever leverage they can find. "Maze themselves pointed out that the data is unimportant to them," says Bleeping Computer's Lawrence Abrams. "They don't want to monetize it on its own, but to use it purely as leverage to get the company to pay the ransom."
So, are shakedowns that include ransomware as well as data leakage likely to flourish?
"In our experience, data exfiltration is just a threat in ransomware attacks," Bill Siegel, CEO of ransomware incident response firm Coveware, tells ISMG. "We are seeing this threat more often, but so far have not seen instances where the threat was actually validated or carried out" (see: Ransomware Gangs Practice Customer Relationship Management).
While ransomware attackers regularly threaten to dump stolen data - as in the recent attack against the city of Johannesburg - it's almost always an empty threat.
With the Allied Universal data leak, "it's the first time this has happened, as far as we know," says Brett Callow, a spokesman for Emsisoft.
Ransomware Versus Data Exfiltration
Economics is one explanation. "Data exfiltration as an extortion tactic is not terribly lucrative as compared to ransomware," Siegel says. "If a company finds out its data has been breached, the damage is done. Paying the criminal is pointless, and the criminals know that. Ransomware, on the other hand, causes downtime, and downtime can bankrupt a company."
Attackers with the skills required to first gain remote access to a targeted network - for example, via remote desktop protocol credentials they purchased on cybercrime forums - tend to carefully map the network and steal all potentially valuable data before sometimes selling access to the hacked network to others, security experts say.
"Remember, the ransomware itself may not need to have the exfil ability; if threat actors have gained access via RDP, for example, they have full access to the network for doing so," 7 Elements' Stubley says.
"If [attackers] find data of value, they exfiltrate it and monetize it, and when they are done, they sell off access credentials to a ransomware group," says Coveware's Siegel. "Deploying ransomware and exfiltrating data require very different skill sets in terms of criminal tradecraft."
Ransomware also represents the final stage of an intrusion, because it is noisy: Being unable to use PCs is an obvious sign something has gone wrong, and victims will know their network has been penetrated and can take steps to kick out attackers and block follow-on hack attempts.
But whether more ransomware shakedowns get accompanied by actual data leakage remains to be seen.