The Maze ransomware is likely the culprit behind the recently reported cyberattack on Pensacola, Fla. that occurred earlier this week, which downed systems citywide.
In an email sent to county commissioners, IT administrators said that the Florida Department of Law Enforcement said that the Pensacola attack was indeed ransomware, and Maze operators quickly took responsibility for the incident, saying that they are demanding $1 million in ransom.
As of Wednesday, Pensacola’s systems were slowly coming back online, as IT staff cleared the network of malware, officials told the Pensacola News Journal (online payments for Pensacola Energy and city sanitation customers remained down). It’s unclear whether the city is paying the ransom, but officials did say they don’t know yet whether any residents’ personal information has been breached.
The data breach fears are particularly relevant given that Maze has a quirk not found in most ransomwares: In addition to encrypting files and offering the decryption key in exchange for a ransom payment, it also automatically copies all affected files to the malicious operators’ servers, according to researchers.
“For Maze’s victims, the fact that the attackers have exfiltrated the data means the incident is a data breach as well as a malware infection,” explained Duo Security, in a posting on the Florida incident on Wednesday. “This changes the incident response playbook, as the IT department will have to loop in legal and other departments to consider what additional steps will be necessary to recover from the infection.”
For instance, some organizations and municipalities have refused to pay ransoms, in an effort to cut off the cybercriminals’ revenue streams and avoid becoming repeat victims. The decision to pay or not to pay typically comes down to whether it’s possible to restore the data from backups, and weighing cost factors, such as the cost of downtime and cleanup efforts.
“With Maze, there is the prospect of potentially sensitive information being exposed—such as personally identifiable information, customer lists and intellectual property—if the ransom isn’t paid. Even if the organization can afford to rebuild and restore on its own, they may feel the pressure to pay just to keep the files out of public domain,” according to Duo Security researchers.
Maze ransomware, a variant of ChaCha ransomware, was initially found by Malwarebytes security researcher Jérôme Segura in May. He observed the previously unknown ransomware being distributed using the Fallout exploit kit, via a fake site camouflaged as a legitimate cryptocurrency exchange app. Since then, it has cropped up in a number of attacks, including one on security company Allied Universal last month.
According to reports, the crooks in that attack asked for a $2.3 million ransom in exchange for the decryption key and a promise not to release the company’s data. When Allied Universal missed the deadline to pay up, the Maze group published 700 MB worth of data (only 10 percent of what the crooks claimed to have stolen).
Also in November, a new threat actor was seen impersonating the U.S. Postal Service (USPS) and other government agencies to deliver and install both Maze and backdoor malware to various organizations in Germany, Italy and the United States, according to Proofpoint.
Duo Security noted that it’s a “worrying possibility” that the Pensacola attack is linked to the Allied Universal debacle.
“Allied Universal has offices in Pensacola, and if there was any city-related information in its files, the group behind the infection could have potentially used that information against the city [in a phishing campaign,” according to Duo Security. “Another possibility is that if Allied provided security services to the city, the infection could have piggybacked on an Allied employee to move from one network to another. This turns the ransomware attack into data breach using a third-party supplier.”
This brings up the possibility that attackers are crafting secondary campaigns using information stolen from the first one – potentially setting up a scenario of continuously cascading follow-on attacks.
“The evolution of ransomware infections being a precursor to attacks on other organizations is a highly concerning one,” Duo Security noted. “[This] highlights how a security incident at one organization puts others at risk.”
For its part, in an interview with Bleeping Computer, the Maze group taking responsibility for Pensacola said that it doesn’t use the data for any purpose other than extortion. “We are neither espionage group nor any other type of APT,” the criminal group told the publication. The group also said that it’s not interested in “socially vital objects” such as 911 and medical care centers, and that it attempts to avoid encrypting essential public-safety services.
According to Kaspersky security experts, 2019 has seen a significant spike of ransomware attacks on municipalities. In a report this week, the firm said that municipal ransomware is “the story of the year,” with at least 174 municipal institutions and more than 3,000 subset divisions having been targeted in 2019. This represents a 60 percent increase from last year.
In analyzing publicly available information, Kaspersky also found that ransom demands have varied greatly with highs reaching up to $5.3 million to $1 million on average.
The firm noted that while these targets might be less capable of paying a large ransom, they are more likely to agree to cybercriminals’ demands, given that blocking any municipal services directly affects the welfare of citizens in financial losses as well as other significant and sensitive consequences.
“One must always keep in mind that paying extortionists is a short-term solution which only encourages criminals and keeps them funded to quite possibly repeat the same acts,” said Fedor Sinitsyn, a security researcher at Kaspersky, in a statement. “In addition, once a city has been attacked, the whole infrastructure is compromised and requires an incident investigation and a thorough audit.”
While Maze appears to be an up-and-coming threat, the top ransomware families Ryuk, Purga and Stop topped Kasperksy’s list of municipal malware. All of them have unique attack characteristics that cities should be aware of, experts report.
“Ryuk…[has a] distribution model [that] usually involves delivery via backdoor malware which spreads by the means of phishing with a malicious attachment disguised as a financial document,” according to the report. “Purga malware has been recognized since 2016, yet only recently municipalities have been discovered to fall victims to this trojan, having various attack vectors from phishing to brute-force attacks. Stop…propagates by hiding inside software installers.”
Ryuk is particularly notorious. It’s a ransomware strain distributed by the Russian-speaking Wizard Spider financial crime syndicate, first spotted in August 2018. Since then, it has been involved in several high-profile attacks, such as a coordinated, targeted ransomware cyberattack on 23 Texas local and state entities in August.
Despite the fact that the decision to pay the ransom has several dimensions that will be unique to each victim (including, now, the threat of a data breach), some researchers urge those affected to consider payment a public disservice.
“As long as we as a society continue paying ransoms, these attacks will continue,” Cody Brocious, hacker and head of Hacker Education at HackerOne, via email. “Maintain regular (offline!) backups, keep your systems up to date, and don’t pay ransoms, if you do happen to get hit. At this point, it’s akin to choosing not to get a flu shot; sure, if you’re healthy then you’re not likely to die from the flu, but you may transmit it to someone who will. Giving in to these criminals is acting against the public good, which just ends up protecting organizations from the consequences of not taking their data seriously.”
Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.