One of the reasons for refusing to pay criminals after a ransomware infection is to cut off their revenue stream. For at least one ransomware group, the prospect of not getting paid has encouraged them to raise the stakes: if the victims don’t pay, the group publicly releases the data.
The city of Pensacola, Florida, was hit by ransomware over the weekend, and the IT department disconnected computers from the network to contain the malware. An email sent to county commissioners by the county IT staff said that the Florida Department of Law Enforcement believed the ransomware was the same as the one used last month against California-based security company Allied Universal. Bleeping Computer had an email exchange with someone allegedly behind the Maze ransomware, who claimed responsibility for the infection and demanded $1 million in ransom.
The Maze ransomware is different from other ransomware strains in that the malware copies the files to servers under the attackers’ control before encrypting the local copies. When Allied Universal missed the deadline to pay the (approximately) $2.3 million ransom, the group behind the malware published almost 700 MB worth of data and files stolen from the company. According to Bleeping Computer, the published data was only 10 percent of what had been stolen, and the group threatened to release the rest if the company did not pay the increased ransom.
The group said it copies the files in order to have the upper hand in negotiations. Victim organizations that might otherwise be willing to undertake the arduous process of rebuilding and restoring their systems instead of paying the ransom may reconsider at the prospect of having the data exposed publicly. The group claimed it doesn’t keep the data after being paid because “it is not really interesting,” according to Bleeping Computer. “We are neither espionage group nor any other type of APT.”
Maze also told Bleeping Computer the group purposely avoids encrypting systems for “socially vital objects” such as 911 and medical care centers. If files on those systems get encrypted, the group decrypts those systems for free.
Previously, the calculus of deciding whether or not to pay considered things like how long it would take to restore the data from backups, to clean up the systems to remove all traces of the infection, and the impact of downtime (and unavailable services). With Maze, there is the prospect of potentially sensitive information being exposed—such as personally identifiable information, customer lists, and intellectual property—if the ransom isn’t paid. Even if the organization can afford to rebuild and restore on its own, they may feel the pressure to pay just to keep the files out of public domain.
Maze isn't the first group to steal data from its victims. The group responsible for the RobbinHood ransomware infection that crippled Baltimore in May also stole files. Screenshots of some of the files were posted on a Twitter account to encourage city officials to pay.
For Maze’s victims, the fact that the attackers have exfiltrated the data means the incident is a data breach as well as a malware infection. This changes the incident response playbook, as the IT department will have to loop in legal and other departments to consider what additional steps will be necessary to recover from the infection.
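As an added illustration of the playbook change described above (example code written for this page, not anything from the Maze reporting or from the organizations named here): a small triage routine over constructed host logs that separates hosts that were merely encrypted from hosts where a large outbound transfer preceded the encryption burst, which is the pattern that makes the incident a data breach. The hostnames, thresholds, timestamps and the `.locked` extension in the sample are all assumptions.

```python
# Added example, not from the article. Triage hosts after a ransomware incident:
# a large outbound transfer shortly before a burst of file renames suggests the
# files were copied out before encryption, so the host should be handled as a
# data breach (legal/notification track) and not only as a malware cleanup.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, kind, detail).
# kind "net_out": bytes sent to an external address in one session.
# kind "rename": new extension seen by a file-integrity monitor (assumed ".locked").
SAMPLE_EVENTS = [
    ("2019-12-07T01:10:00", "ws-17", "net_out", 850_000_000),  # bulk upload
    ("2019-12-07T01:55:00", "ws-17", "rename", ".locked"),     # encryption burst
    ("2019-12-07T01:55:01", "ws-17", "rename", ".locked"),
    ("2019-12-07T01:55:02", "ws-17", "rename", ".locked"),
    ("2019-12-07T00:30:00", "ws-22", "net_out", 40_000_000),   # below threshold
    ("2019-12-07T02:00:00", "ws-22", "rename", ".locked"),     # encrypted only
    ("2019-12-07T02:00:01", "ws-22", "rename", ".locked"),
    ("2019-12-07T02:00:02", "ws-22", "rename", ".locked"),
    ("2019-12-07T03:00:00", "ws-31", "net_out", 900_000_000),  # upload, no encryption
]

EXFIL_BYTES = 500_000_000          # assumed: single sessions above this are suspicious
RENAME_BURST = 3                   # assumed: renames needed to call it an encryption burst
LOOKBACK = timedelta(hours=2)      # assumed: how long before the burst exfil may occur


def classify_hosts(events, exfil_bytes=EXFIL_BYTES, burst=RENAME_BURST, lookback=LOOKBACK):
    """Return {host: 'encrypted+exfiltrated' | 'encrypted'} for every host that
    shows an encryption burst. Hosts with uploads but no burst are not reported;
    they need their own review but are not evidence of this pattern."""
    uploads = defaultdict(list)    # host -> timestamps of large outbound sessions
    renames = defaultdict(list)    # host -> timestamps of rename events
    for ts, host, kind, detail in events:
        when = datetime.fromisoformat(ts)
        if kind == "net_out" and detail >= exfil_bytes:
            uploads[host].append(when)
        elif kind == "rename":
            renames[host].append(when)

    verdicts = {}
    for host, times in renames.items():
        if len(times) < burst:
            continue
        first_rename = min(times)
        # Exfiltration precedes encryption: look for a large upload in the
        # window immediately before the first rename on this host.
        exfil = any(first_rename - lookback <= up <= first_rename for up in uploads[host])
        verdicts[host] = "encrypted+exfiltrated" if exfil else "encrypted"
    return verdicts
```

Hosts reported as `encrypted+exfiltrated` are the ones that should go to the breach track (legal, notification, scoping of what left the network) in addition to restoration.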
A worrying possibility
There is a possibility that the incidents at Allied Universal and Pensacola may be connected. Allied Universal has offices in Pensacola, and if there was any city-related information in its files, the group behind the infection could have potentially used that information against the city. A phishing campaign may have been how the Maze group managed to infect Pensacola's systems.
If that is the case, then this ransomware incident is following the pattern of previous data breaches, where attackers craft secondary campaigns using information stolen from the first one.
Another possibility is that if Allied provided security services to the city, the infection could have piggybacked on an Allied employee to move from one network to another. This turns the ransomware attack into a data breach through a third-party supplier.
The evolution of ransomware infections into a precursor to attacks on other organizations is highly concerning. While this is just speculation at this point, the fact that the scenario may be possible highlights how a security incident at one organization puts others at risk, said Brett Callow, a spokesperson for antivirus company Emsisoft.
“[B]etter reporting and information sharing are needed,” Callow said.