Threat actors have used Maze ransomware to attack two companies based in the United States.

Cybercriminal attacks employing ransomware for extortion are fast becoming notorious for the chaos they can cause within large-scale and smaller businesses, institutes and organisations around the world. The disruptive and destructive nature of these targeted attacks can cause both short and long-term harm to companies and, since 2019, the name Maze has become synonymous with ransomware.

Since as early as May 2019, hackers have been actively employing Maze ransomware to access their intended victims’ data and publish it on a purpose-built site so that it can be publicly viewed.

Maze operators have now added more victims to their list of successful data breaches in the form of two enterprises based in the US from the industrial sector.

A well-developed attack strategy

The attacks utilising Maze ransomware managed to penetrate the defences of wire manufacturer Southeaster Wire and those of Koller Craft LLC, a manufacturing company that produces injection-moulded plastic components.

Maze ransomware typically makes use of exploit kits in conjunction with insecure remote connections and phishing email schemes to infiltrate and access its targets’ systems. After breaching both companies’ data, the hackers used the ransomware to encrypt stored information, blocking access for employees and management alike. Maze ransomware uses both ChaCha20 and RSA (Rivest-Shamir-Adleman) encryption to lock companies out of their confidential data.

Maze ransomware operators have reportedly now stolen millions of records stored on the companies’ compromised servers using this technique. A ransom note was then left on the server demanding payment for release of the sensitive information, with a threat that it would be shared on a public-facing website if the companies did not pay the requested amount.

To prove that their threats are not empty, the Maze ransomware operators’ next move is to leak part of the stolen data online, to compel the companies to meet their demands. Already, 20GB of confidential data belonging to Southwester Wire has been leaked by the operators, as well as an unconfirmed quantity of private information from Koller Craft LLC. Analysis by cybersecurity specialists has confirmed that the information taken by the threat actors contains highly confidential data, including tax-related files, production data and payroll records, among others.

Recent ransomware attacks by Maze

Data breaches designed to disrupt and extort payments have been making headlines lately, and these are not the first attacks attributed to Maze ransomware operators. Last month the cybercriminals compromised IT service giant Cognizant, causing a loss estimated at between £40m and £60m. Chief Financial Officer for Cognizant, Karen McLoughlin, commented that this figure would rise further due to additional costs linked with the investigation, including unknown legal and consulting fees. On top of this, she added, were the costs of restoring service and fixing the data breach.

Maze operators were also responsible for the December 2019 attack on the City of Pensacola, where they requested $1m in return for encrypted data.