Latest Named Victims Include Engineering Firm, Furniture Manufacturer, Pet Spa
The Maze ransomware gang is continuing to exfiltrate data from victims before crypto-locking their systems, then leaking the data to try to force non-payers to accede to its ransom demands.
Don't want to play ransomware gangs' latest games? Then ensure your firm has a solid ransomware response plan in place, including the ability to wipe and restore systems in the event that crypto-locking malware gets through. Otherwise, your organization risks not only showing up on one or more gangs' data-leaking sites, but also potentially having to consider paying a ransom to get encrypted data back (see: Crypto-Lock and Tell: Ransomware Gangs Double Down on Leaks).
"If you do pay, you have to recognize that this is not like paying a corporate bill."
The latest victim proclaimed by Maze: Toronto-based CSA Group Testing & Certification (csagroup.org), which tests, inspects and certifies products worldwide to ensure they comply with relevant safety, environmental and operating performance standards. Formerly known as Canadian Standards Association, CSA's work includes testing and certifying personal protective equipment.
The good news, however, is that Maze, in fact, apparently didn't hit that organization, which is doing essential tests on PPE during the COVID-19 pandemic.
The gang appears to have confused that organization with another CSA Group (csagroup.com), which is an engineering program management firm based in New York that unfortunately appears to have had corporate data stolen before its systems were encrypted. CSA Group didn't immediately respond to my request for comment.
Maze continues to maintain a "news" site, where it's listing dozens of victims as it attempts to name-and-shame them into paying. If that doesn't work, then it tries to increase the pressure to pay by leaking stolen data.
In recent days, Maze's site has listed many new victims, including semiconductor manufacturer MaxLinear, which this week confirmed that it got hit by Maze in April and that some "proprietary information" got stolen. On Monday, Maze began leaking data it stole from MaxLinear.
The same goes for CSA: So far Maze has released three zipped archives containing alleged CSA data, including contract and purchase orders for the engineering firm.
Other organizations recently named as being victims on Maze's site also include:
"Represented here companies do not wish to cooperate with us, and trying to hide our successful attack on their resources," Maze's site states. "Wait for their databases and private papers here."
Maze blazed the data-leaking trail last November, quickly followed by other groups wielding ransomware such as DoppelPaymer, MegaCortex, Nemty, Snatch and Sodinokibi, aka REvil.
In recent weeks, Maze has also joined forces with other gangs to host their leaks on its site. The RagnarLocker gang, meanwhile, has begun cross-posting Maze's leaks (see: 7 Ransomware Trends: Gangs Join Forces, Auction Stolen Data).
But not everyone gives in to these groups' ransom demands, even when backed by the threat of data leaking.
The Maze gang's leaks site, for example, also hosts "full dumps" for at least 10 organizations that didn't pay, leading to the gang publishing all of the information it stole in an attempt to scare future victims into paying.
Security experts say the best defense against ransomware remains preparation (see: Surviving a Breach: 8 Incident Response Essentials).
By having good security defenses in place, and up-to-date backups stored offline - so they cannot be crypto-locked by ransomware - victims can wipe and restore systems. This still takes time and energy, and doesn't address the root cause of how attackers infected systems in the first place, which organizations must also ascertain. But this strategy avoids victims having to even consider whether or not they might pay criminals.
The U.S. Cybersecurity and Infrastructure Security Agency offers a detailed list of additional best practices for defending against ransomware. For organizations or individuals that fall victim, it recommends reporting the incident immediately to CISA, or a local FBI or U.S. Secret Service field office, to potentially receive help for dealing with that particular strain.
Seeing gangs such as Maze continuing to notch new victims is a reminder to all organizations to get a ransomware-response plan in place - including training employees - immediately if they don't already have one.
Security firm Kaspersky surveyed 2,000 business employees in the U.S. and another 1,000 in Canada last November and found that 45% said they didn't know what to do if they got hit by ransomware.
While leading the response would arguably be the job of management - backed by the security team and in-house counsel, for starters - training employees in how to recognize and respond to ransomware remains essential, experts say. (Kaspersky's tip: Disconnect any systems that appears to have been infected with ransomware from the internet and local networks as quickly as possible, but do not turn it off.)
Unfortunately, too many organizations don't seem to be well-prepared.
"Many organizations discover that something that they would have thought about years ago, like backup, is something that didn't get really thought about in a long time," says Alan Brill, senior managing director in Kroll's cyber risk practice. "They maybe said: Well, we have backup, it's on the cloud and so we don't have to worry about it."
That might be true, at least until ransomware attackers forcibly encrypt the backups too.
In such cases, paying criminals for the promise of a decryption tool is no panacea because it directly funds cybercrime (see: Ransomware Reminder: Paying Ransoms Doesn't Pay). Regardless, Brill recommends working with experts who have handled these sorts of incidents before and who know the ins and outs of different strains of ransomware and attack groups. Any organization that holds a cyber insurance policy that includes ransomware coverage, for example, will already have access to these types of resources.
"If you do pay, you have to recognize that this is not like paying a corporate bill," Brill tells me. "You're dealing with criminals, and you might get a fully functional key, you might get a nonfunctional key. You might get a key that only opens certain files, and they come back for a second payment to get the rest of the files. It might decrypt everything but what you don't realize is they already have a copy of it, so you have an actual data breach. Or you might never hear from them again: They just took the money and ran."
Really, who wants to play that game? That's why it's always better to prepare.