July 08, 2020

Eliminate the Threat of Exfiltrative Extortive Ransomware

In its initial iteration, ransomware used encryption to lock down a victim’s data and extended the “courtesy” of notifying victims that an exploit has occurred and demanded payment in exchange for instructions on how to recover their data. Infections would often start with someone clicking on a seemingly innocent attachment in an email.

We should expect ransomware to evolve in sophistication as enterprise security vendors develop solutions to defend against it and organizations establish more mature security postures. But, in the labyrinth of the ransomware world, there is one standout leading the charge to grow a global cybercrime syndicate and communications platform that rivals those of most enterprises: Maze.

Not Your “Run-of-the-Mill” Ransomware

The Maze ransomware first appeared in May 2019. Previously known as ChaCha ransomware, Maze built onto a traditional distribution path that relied on user interaction and added exploit kits that made use of drive-by downloads. Initial compromises into organizations include downloaded documents, logins via remote desktop protocol (RDP), exploitation of misconfigured devices and weak passwords on various applications. Maze establishes its foothold, escalates privileges, conducts reconnaissance, and then moves laterally across the network with credentials it has harvested along the way before completing its mission.

What makes Maze dangerous is its business model. Maze operators have adopted an affiliate ecosystem to their ransomware-as-a-service business model. This approach has ransomware developers partnering with other “affiliates” who are responsible for distributing the malware. If a victim decides to pay the ransom, the ransomware developers receive a commission. Affiliates partner with others for specific tasks associated with a Maze campaign and pay them either a percentage of the collected ransom or a full salary. This ecosystem delivers efficiency and allows everyone involved to profit, which can attract more affiliates and lead to more attacks.

To Pay or Not to Pay?

That is the question. With conflicting guidance from cyber-insurance companies and law enforcement agencies on giving in to ransomware demands, organizations are left to fend for themselves to determine if paying the ransom is a logical recovery path, despite the cost.

Being a ransomware victim can go beyond the financial and technical ramifications and have a significant psychological impact. It’s bad enough to have all of your data encrypted and held for ransom. You’re left with lost business, time, wages, files, equipment, and footing the bill for third-party remediation services. Now add Maze to the equation. Building on ransomware’s base value proposition, Maze kicks it up a notch to “turn prospects into paying customers.”

Historically, ransomware attacks were focused on encrypting a victim’s data and demanding a ransom, but in November 2019, Maze added a “data breach” component by exfiltrating critical data. With data in hand, Maze operators have significant leverage and can now threaten to publish your dirty laundry on the Maze News website and “shame” you if you don’t pay the ransom.

To add even more insult to injury, even your backups are not safe against Maze. After infecting an initial endpoint, Maze targets your cloud backups by laterally spreading through your network and stealing needed credentials. Maze can then delete your backups, where your valuable data most likely resides, before encrypting your only remaining copies.

“Hack of Shame”

Maze’s pioneering efforts on their communications and public relations strategy has inspired others in the hacking world and has even prompted an FBI alert. Other ransomware families have adopted Maze’s approach and some have joined forces to develop an extortion cartel to share resources and a common platform. Despite efforts to take down the Maze News site, Maze operators have been successful in keeping the site alive, and have started to showcase their collaboration efforts. The public shaming of organizations and exposure of sensitive data to the public and their competitors can also lead to regulatory fines if the exposed data includes personally identifiable information and cause headaches in the courtroom.

After the hackers behind Maze initiated their shame campaign in late 2019, one of the first Maze victims to have their data published was Allied Universal. Maze operators posted almost 700 MB of leaked files, including termination agreements, contracts, medical records, and signing certificates after a deadline was missed for receiving a ransom payment.

On April 17, 2020, the IT services company Cognizant was hit by Maze, affecting its internal systems and some of its clients. Current estimates show that Maze will cost the company between $50M-$70M over the next three months, and additional costs will be incurred throughout the year as it works to restore its computer systems.

Maze ransomware operators issued a press release on June 22, 2020, claiming that they were able to steal 40GB of Python code from LG Electronics that included proprietary information for projects involving large companies in the US, one of them reported being AT&T. As proof, Maze released three screenshots that revealed information on software update releases and LG product source code.

Several other organizations have been affected by Maze, and while those names may have been in the news, they may not be on the Maze News site. Some have speculated that Maze operators are holding off on publishing data pending the outcome of their negotiation efforts.

How Atakama Defends Against Maze Ransomware

With ransomware damage costs predicted to reach $20 billion by 2021, Atakama is uniquely equipped to address the growing Maze ransomware pandemic and those following in its footsteps. Without traditional authentication mechanisms like passwords that can be easily compromised, files protected by Atakama remain encrypted at rest, even if a hacker is able to gain access to your network. Since the hackers would only be able to exfiltrate encrypted files, they would be useless to them since they need both physical and digital access to trusted devices. Atakama essentially inoculates against Maze’s attempt to collect a ransom or publicly post any sensitive data.

Atakama is compatible with all major desktop and mobile platforms, as well as cloud storage services including Box, Dropbox, Google Drive and OneDrive, so your data is secure and in sync no matter the mix of your systems and devices.

Request a live demo with one of our engineers to see how Atakama can protect you from Maze and other exfiltrative extortive ransomware.


Ready to try Atakama?

Request Demo