MAZE Exfiltration Tactic Widely Adopted

New research by New Zealand company Emsisoft has found that a cyber-blackmail tactic first debuted by ransomware gang MAZE has been adopted by over a dozen other criminal cyber-gangs.

The internationally renowned security software company declared a ransomware crisis in the last month of 2019. Their latest ransomware report shows that this particular type of malware has had a huge impact on the United States in 2020.

Emsisoft threat analyst Brett Callow described the numbers in “The State of Ransomware in the US: Report and Statistics 2020” as “pretty grim.”

At least 2,354 US governments, healthcare facilities, and schools were impacted by ransomware last year, including 113 federal, state, and municipal governments and agencies, 560 healthcare facilities, and 1,681 schools, colleges, and universities.

Researchers noted that the attacks “caused significant, and sometimes life-threatening, disruption: ambulances carrying emergency patients had to be redirected, cancer treatments were delayed, lab test results were inaccessible, hospital employees were furloughed and 911 services were interrupted.”

In 2020, MAZE became the first ransomware group to be observed exfiltrating data from its victims and using the threat of publication as additional leverage to extort payment. 

“At the beginning of 2020, only the Maze group used this tactic,” wrote researchers. “By the end of the year, at least 17 others had adopted it and were publishing stolen data on so-called leak sites.”

According to a November report by Coveware, some ransomware gangs that exfiltrate data don’t delete it, even after receiving a ransom from their victims. Coveware observed REvil (Sodinokibi) asking for a second ransom payment for stolen data it had already been paid to erase. 

Netwalker (Mailto) and Mespinoza (Pysa) were observed publishing exfiltrated data on dedicated leak-site portals despite receiving ransoms from their victims. 

Emsisoft found that in 2019 and in 2020, the same number of federal, state, county, and municipal governments and agencies were impacted by ransomware (113). 

“Of the 60 incidents that occurred in Q1 and Q2, data was stolen and released in only one case; it was, however, stolen and released in 23 of the 53 incidents that occurred in Q3 and Q4,” they wrote.

Leave a Reply