Maze ransomware is a complex piece of malware that uses several tricks to frustrate analysis right from the start. The malware begins by preparing functions that appear to save memory addresses in global variables for later use in dynamic calls, yet it never actually calls those functions; they exist only to mislead an analyst.

The operators of the Maze ransomware have published tens of gigabytes of internal data from the networks of enterprise giants LG and Xerox following two failed extortion attempts.
The hackers leaked 50.2 GB they claim to have stolen from LG's internal network, and 25.8 GB of Xerox data. While LG issued a generic statement to ZDNet in June, neither company wanted to talk about the incident in great depth today. Both of these leaks have been teased since late June when the operators of the Maze ransomware created entries for each of the two companies on their "leak portal."
The main goal of the ransomware is to encrypt every file it can reach on an infected system and then demand a ransom to recover them. The most important characteristic of Maze, however, is the threat the malware authors make to victims: if they do not pay, their information will be released on the Internet. The Maze gang is primarily known for its eponymous ransomware strain and usually operates by breaching corporate networks, stealing sensitive files first, encrypting data second, and demanding a ransom to decrypt the files.
If a victim refuses to pay the fee to decrypt their files and decides to restore from backups, the Maze gang creates an entry on a "leak website" and threatens to publish the victim's sensitive data in a second ransom/extortion attempt. The victim is then given a few weeks to think over its decision, and if it does not pay during this second extortion attempt, the Maze gang publishes the files on its portal.
LG and Xerox are at this last stage, after apparently refusing to meet the Maze gang's demands. Based on screenshots shared by the Maze gang last month and on file samples downloaded and reviewed by ZDNet today, the data appears to contain source code for the closed-source firmware of various LG products, such as phones and laptops.
In an email from June 2020, the Maze gang told ZDNet that they did not execute their ransomware on LG's network; they merely stole the company's proprietary data and chose to skip straight to the second phase of their extortion attempt. "We decided not to execute [the] Maze [ransomware] because their clients are socially significant and we do not want to create disruption for their operations, so we only have exfiltrated the data," the Maze gang told ZDNet via a contact form on their leak site.
When reached for comment in June, the LG security team told ZDNet they would investigate the incident and report any intrusion to the authorities. In a follow-up email sent today, after the Maze gang published more than 50 GB of the company's files, the security team deflected our request for comment to its communications team. When we reached out to the communications team, our email bounced, as it had in June.
But while we have some idea of what happened with the Maze attack on LG, things are a lot murkier when it comes to Xerox. The company has not returned requests for comment sent in June and August 2020.
It is unclear which internal systems the Maze gang encrypted, or whether files were stolen and ransomed without encryption, as in the LG incident. Based on a cursory review of the data leaked online in August, it appears that the Maze gang stole data related to customer support operations. At the time of writing, we found information related to Xerox employees; we have not yet found files holding data on Xerox customers, although this is a large trove of information, and reviewing all of it will take time.
Red Sky Alliance has been analyzing and documenting cyber threats for 8 years and maintains a resource library of malware and cyber actor reports.
The installation, updating and monitoring of firewalls, cyber security software and proper employee training are key to blocking attacks. Please feel free to contact our analyst team for research assistance and cyber threat analysis of your organization.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Join and become active in your local InfraGard chapter; there is no charge for membership (infragard.org).
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures, and test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices for all employees and consultants working from home.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network. Ransomware protection is included at no charge for RedXray customers.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a cyber threat analysis and intelligence service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225 or firstname.lastname@example.org.
Interested in a RedXray demonstration or subscription to see what we can do for you? Sign up here: https://www.wapacklabs.com/redxray
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941