Maze ransomware builds 'cartel' with other threat groups

Operators behind the Maze ransomware posted data leaks from competing ransomware gangs to their victim shaming website, suggesting they have joined forces.

While operators behind Maze ransomware have been exposing victims' data through a public-facing website since November 2019, new information suggests ransomware gangs are now teaming up to share resources and extort their victims.

On June 5, information and files for an international architectural firm was posted to Maze's data leak site; however, the data wasn't stolen in a Maze ransomware attack. It came from another ransomware operation known as LockBit.

Bleeping Computer first reported the story and later received confirmation from the Maze operators that they are working with LockBit and allowed the group to share victim data on Maze's "news site." Maze operators also stated that another ransomware operation would be featured on the news site in the coming days.

Three days later, Maze added the data for a victim of another competing ransomware group named Ragnar Locker. The post on Maze's website references "Maze Cartel provided by Ragnar."

Maze operators were the first to popularize the tactic of stealing data and combining traditional extortion with the deployment of ransomware. Not only do they exfiltrate victims' data, but they created the public-facing website to pressure victims into paying the ransom.

Data exposure along with victim shaming is a growing trend, according to Brian Hussey, Trustwave's vice president of cyber threat detection & response. Threat actors exfiltrate all corporate data prior to encrypting it and then initiate a slow release of the data to the public, he said.

"Certainly, we've seen an increase in the threat -- the actual carrying out of the threat not as much from what I've seen," Hussey said. "But a lot of times, it does incentivize the victim to pay more often."

Maze ransomware cartel
A recent posting on the Maze ransomware site shows victim data stolen by Ragnar Locker threat actors and refers to the 'Maze Cartel.'

There are dozens of victims listed by name on the Maze site, but only 10 "full dump" postings for the group's ransomware victims; the implication is most organizations struck by Maze have paid the ransom demand in order to prevent the publication of their confidential data.

Rapid7 principal security researcher Wade Woolwine has also observed an increase in these shaming tactics. Both Woolwine and Hussey believe the shift in tactics for ransomware groups is a response to organizations investing more time and effort into backups.

"My impression is that few victims were paying the ransom because organizations have stepped up their ability to recover infected assets and restore data from backups quickly in response to ransomware," Woolwine said in an email to SearchSecurity.

One of the primary things Trustwave advises as a managed security services provider, is to have intelligent, well-designed backup procedures, Hussey said.

"These new tactics are a response to companies that are mitigating ransomware risk by properly applying the backups. It has been effective. A lot of companies invested in backup solutions and design backup solutions to kind of protect from this ongoing scourge of ransomware. Now the response is even with backup data, if threat actors exfiltrate first and then threaten to release the private information, this is a new element of the threat," Hussey said.

When threat actors make it past the perimeter to the endpoint and have access to the data, it makes sense to steal it as further incentive for organizations to pay to unencrypt the data, Woolwine said. And the threat actors pay particular attention to the most sensitive types of data inside a corporate network.

"Initially, we were seeing exploit kits like Cobalt Strike used by the attackers to look for specific files of interest manually. I say 'look,' but the Windows search function, especially if the endpoint is connected to a corporate file server, is largely sufficient to identify documents that say things like 'NDA,' 'contract' and 'confidential," Woolwine said. "More recently, we've seen these searches scripted so they can execute more quickly."

According to Woolwine, phishing and drive-by continue to be preferred vectors of delivery for most ransomware attacks, but those techniques are shifting too.

"We also see attackers target specific internet-facing systems that have been unpatched, as well as targeting RDP servers with brute-force authentication attempts. In either case, once the vulnerability is exploited or the credentials guessed, the attackers will install ransomware before disconnecting," Woolwine said. "The rise in tactics is very likely due to the shift from ransom to data exposure. It's no longer about how many machines you can infect but infecting the machines that have access to the most data."

Hussey said these new tactics were unexpected at the time; they are the next logical step in the ransomware progression, and he expects more threat actors to adopt them in the future.

Dig Deeper on Data security and privacy