What one cybersecurity company has learned from responding to Maze ransomware

When hackers lock the computer systems of a big company with ransomware, the gears of corporate damage control kick into action. Lawyers are mobilized, spokespeople are tight-lipped, and negotiation experts are sometimes brought in to talk to the hackers. Those triage teams strictly limit the information on the incident available to the public.

But forensic experts hired to salvage a company’s computers sometimes reveal the important data they collect on ransomware gangs. Case in point: A new report from cybersecurity company FireEye helps demystify Russian-speaking hackers behind a spate of recent ransomware attacks in hopes of making them easier to disrupt.

Maze ransomware has wreaked havoc across North America and Europe in the last year, leading to warnings from the FBI and the Department of Homeland Security. Its operators have hit over a dozen sectors, from construction to financial services to transportation. But some of the hackers’ most effective tactics are not especially novel; they reflect broader trends in how savvy ransomware gangs operate, according to Mandiant, FireEye’s incident response team. Maze is a microcosm of a type of criminality that needs to be studied carefully to be countered.

Like others involved in ransomware, the people behind Maze are not one group but a series of distinct teams with specialties, according to Mandiant. One team develops the malware, another distributes it and, when the victim pays a ransom, the developers get a commission.

This leads to jockeying among criminals looking to maximize their profits.

“Some teams offer better margins,” Kimberly Goody, a senior manager at Mandiant’s threat intelligence unit, said in an email. “So if you are a talented operator, you may be able to negotiate or join a team offering a higher percentage payout.”

The degree of specialization is striking. Maze affiliates have scoured underground forums for “penetration testers” to be the tip of the spear in attacks, said Jeremy Kennelly, manager of analysis in the same Mandiant unit. That’s because Maze, like other ransomware actors, is increasingly going further into organizations’ networks to siphon out data before locking up computer systems. If organizations don’t pay up, their data gets dumped publicly.

Experts expect this one-two punch of data theft and system locking to be increasingly deployed by ransomware gangs.

“Maze was one of the first families to start exfiltrating data for the main purpose of using as leverage to force victims to pay; this has since become a sinister trend within the cybercriminal community,” said John Fokker, Principal Engineer and head of cyber investigations at McAfee.

Fortune 500s in the crosshairs

One of Maze’s biggest scalps was the multibillion-dollar IT services company Cognizant, which has clients in the banking and oil and gas industries. Despite a reported denial of involvement from the hackers themselves, Maze’s fingerprints were on last month’s attack that disrupted Cognizant’s work with its clients. Cognizant hired Mandiant to clean up the mess.

In an earnings call Thursday, Cognizant CEO Brian Humphries said that the incident would hurt the company’s second-quarter revenue in part because some clients cut off Cognizant’s access to their networks as a security precaution. It’s another example of how ransomware gangs can make life hell for a Fortune 500 company and the clients who rely on it.

The FBI has appealed to victims for more data to try to track down some of the more rampant digital thieves like Maze. The data released Thursday by Mandiant could help with those investigations.