The group behind Maze ransomware claimed responsibility for two massive cyber attacks this week. On Monday, December 9th, Southwire Company was hit by a ransomware attack that disrupted manufacturing and shipping at the Atlanta-based company. Two days later, the city of Pensacola, Florida, was infected with Maze ransomware, in an attack that may be linked to a November ransomware attack on Allied Universal.
Maze ransomware, a variant of ChaCha ransomware, was initially discovered by Malwarebytes in May 2019. The ransomware is distributed using the Fallout exploit kit, via a fake site disguised as a legitimate cryptocurrency exchange application. Since the discovery of the ransomware, Maze has increased in activity, including an attack on security company Allied Universal in November.
While most ransomware variants solely encrypt a victim’s files and demand a ransom, Maze takes the cyberattack to a new level by exfiltrating data. In the Allied ransomware attack, the cybercriminals behind Maze ransomware demanded a $2.3 million ransom. However, Allied missed the deadline to pay up. The Maze group published 700 MB worth of data, which is only 10 percent of what the group claims to have stolen.
Pensacola Ransomware Attack
In an email sent to county commissioners, IT administrators said that the Florida Department of Law Enforcement is investigating a ransomware attack on the city of Pensacola. The Maze group quickly took responsibility for the incident and is demanding $1 million in ransom.
Officials say Pensacola’s systems are slowly coming back online, as the IT staff works to clear the system of the ransomware. It’s unclear whether the city plans on paying the ransom, and officials are unsure whether any residents’ personal information has been breached. Given Maze’s history of stealing data to encourage victims to pay the ransom, it can be assumed that some data was stolen from the city’s database.
Rumors are stirring that this ransomware attack could be linked to the cyberattack Allied suffered in November. Allied Universal has offices in Pensacola, and if there was any city-related information in the files stolen from that attack, the Maze group could have used that information against the city in a phishing campaign. Another possibility is that, if Allied provided security services to the city, the attackers could have used Allied employees' credentials to move from one network to the other.
Maze Ransomware Impacts Southwire’s Manufacturing
One of North America’s leading wire and cable manufacturers, Southwire, also fell victim to Maze ransomware. The company is facing a $6 million, or approximately 850 Bitcoin, ransom. In the ransom note, the Maze group claims the company’s data has also been exfiltrated and is ready to be published if the ransom is not paid.
The attack affected systems on a companywide basis; however, the company’s IT staff were able to get the company back online a day later.
“We immediately self-quarantined by shutting down the entire network,” commented Jason Pollard, vice president of Talent Acquisition and Communications for Southwire. “The incident did cause some disruption in our ability to make and ship our products.”
It’s currently unknown whether Southwire has paid the ransom, what the payment deadline is, or whether the Maze group has published any of the stolen data.
CryptoStopper by WatchPoint
CryptoStopper, developed by WatchPoint, can protect against Maze ransomware. CryptoStopper uses deception technology to detect ransomware. During the installation process, decoy files are strategically deployed. We call these Watcher Files. When ransomware begins the encryption process, CryptoStopper detects it in real-time and takes automated action to stop the attack in milliseconds and alerts you to the event.
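The decoy-file idea described above, as an added Python sketch that is not WatchPoint's code and does not reflect how CryptoStopper is implemented: it plants decoy files, records their hashes, and flags any decoy that goes missing or changes, treating near-random content as a sign of encryption. The file names, the 7.5 bits-per-byte threshold and the polling approach (rather than real-time file-system events) are assumptions of this example.

```python
import hashlib
import math
from collections import Counter
from pathlib import Path

# Constructed decoy names (assumption); a real deployment would mimic local naming habits.
DECOY_NAMES = ["_accounts_2019.xlsx", "_passwords.docx", "_payroll_backup.csv"]
ENTROPY_THRESHOLD = 7.5  # assumed cut-off in bits per byte; encrypted output sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def deploy_decoys(root: Path, names=DECOY_NAMES) -> dict:
    """Write low-entropy decoy files and return {path: sha256} as the baseline."""
    baseline = {}
    for name in names:
        path = root / name
        body = (f"Decoy record for {name}\n" * 200).encode()
        path.write_bytes(body)
        baseline[path] = hashlib.sha256(body).hexdigest()
    return baseline


def check_decoys(baseline: dict) -> list:
    """Compare each decoy to the baseline and return (path, reason) alerts."""
    alerts = []
    for path, digest in baseline.items():
        if not path.exists():
            # A decoy that was deleted or renamed (e.g. given a new extension).
            alerts.append((path, "missing"))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            continue  # untouched
        # No legitimate user edits a decoy, so any change is an alert;
        # near-random content additionally points to encryption.
        reason = "encrypted" if shannon_entropy(data) >= ENTROPY_THRESHOLD else "modified"
        alerts.append((path, reason))
    return alerts
```

Because nothing legitimate should ever touch a decoy, every alert here is high-signal; a monitor would run `check_decoys` on a short interval and isolate the host or kill the writing process on the first hit.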
Antivirus and firewalls no longer provide the protection you need to save your network from a ransomware attack.
Using deception technology and CryptoStopper is the only way to stop an actively running attack that has evaded your traditional defenses. Click here to learn more about CryptoStopper and how WatchPoint can help with your cybersecurity needs!
Photo courtesy of Hardsoft Systems Ltd.