Blog
04.15.2020

Maze Ransomware Group Continues Attacks on Oil & CyberInsurance Giants

They’ve shown they’ll strike any industry, now even cyberinsurance - a field all others depend on for help when they’ve been breached.

Maze continues its rampage, adding the major cyber insurance company Chubb to its list of victims.

Chubb has said it’s investigating a security incident. It hasn’t called it a breach but data belonging to a third-party was accessed without authorization. Chubb’s spokesperson claimed there was no evidence indicating their own network was breached. However, the reputation Maze has earned in other attacks is plenty reason for concern that the hacker’s claim is true.

So far, Chubb hasn’t revealed any further details. Headquartered in Zurich, Chubb has 32,700 employees and yearly revenue of $34.2 billion.

Teaser Posts of Stolen Data Increases Pressure to Pay

Emsisoft’s threat analyst, Brett Callow, notified TechCrunch of the Chubb breach on Thursday March 26. Callow has confirmed that the ‘security incident’ was indeed ransomware from the Maze operators. Maze has an established method of infecting networks by encrypting every device it comes across. The group steals data, places it on their own servers and uses it to extort the ransom. The hackers threaten to publish the stolen data if the ransom isn’t paid. To prove they actually possess the exfiltrated data, they publish bits and pieces along with their threats.

On their website, the Maze operators have named the Chubb breach among their breached companies, saying the breach occurred earlier in March. It’s typical for them to mention the organization they’ve breached by name, followed by snippets of their data. They haven’t yet posted the stolen files but they claim they have the files and they included a list of three senior executive’s names and email addresses, the CEO among them. If Chubb doesn’t pay, more stolen information could be forthcoming soon. The ransom amount demanded from Chubb is not currently known.

Maze Has Established a Track Record

Maze came on the scene in May of 2019 and has been establishing its black mail pattern ever since. Their ransomware attacks have ramped up this year, after the FBI warned businesses last December that they expected to see Maze ransomware attacks increase. Sadly, that prediction continues to be spot on.

In recent months, they’ve targeted prominent enterprises, including government offices and agencies, law firms (five just in February this year), manufacturers, healthcare organizations and more. (See our article Maze Ransomware Attacks Surge in 2020, Demand Ransom, Expose Data)

The Maze Hacker Group Makes New Extortionist Actions Its Own

Maze’s practice of stealing data and publishing it as a means to put the squeeze on businesses to pay the ransom was their idea originally. Since then, other ransomware groups have copied the practice. Maze also publishes press releases about their conquests. The releases are similar in style to a typical company release, though often contain grammatical errors. Sometimes the Maze actors attempt to explain motives behind their actions. In March, they claimed their attacks are meant to call out flaws in cybersecurity.

That particular release said,

“We want to show that the system is unreliable. The cybersecurity is weak. The people who should care about the security of the information are unreliable. We want to show that nobody cares about the users. [...] Some people like Julian Assange or Edward Snowden were trying to show the reality. Now it’s our turn. We will change the situation by making irresponsible companies pay for every data leak.”

Recently they promised to stop attacking hospitals and healthcare orgs while the COVID19 pandemic is impacting the globe. Maze had already launched ransomware attacks on healthcare facilities in early March. Since then, the news of their activity appears to be focused on other industries.

“Due to the situation with the incoming global economy crisis and virus pandemic, our Team decided to help commercial organizations as much as possible. We are starting an exclusive discount season for everyone who has faced our product. Discounts are offered for both decrypting files and deleting of the leaked data. To get the discounts our partners should contact us using the chat or our news resource.”

A hack on a medical facility hit the news after that announcement, though it took place before their announcement on March 18. Maze struck Hammersmith Medicines Research in the UK, publishing the lab’s sensitive data on the website where they publish breached information. This data included medical test results and ID documents like passports. (See our article Maze & Other Ransomware Groups Say They Won’t Attack Hospitals During COVID-19 Outbreak--But How Trustworthy Is Their Word?)

Another New Maze Victim – An Algerian Oil Firm

On April 1, 2020, the Algerian joint US-subsidiary oil firm between Sonatrach and Anadarko, known as Berkine, became Maze’s new victim. Unfortunately not an April Fool’s prank, Maze took their entire database, more than 500MB of private documents of financial, strategic, production data and more. And true to form, Maze has published some of the data. Some of that info included cost per barrel, 2020 goals, budgets, and employee information.

ANSSI – the French National Agency for Security of Information Systems – has been studying the Maze group’s actions since January. They’ve noted in addition to the practice of placing stolen information on their own site as proof of their thefts, they have also posted that data on hacker forums for use in phishing efforts.

ANSSI determined also that the ransomware Maze uses is a variant of ChaCha20, a cryptographic algorithm. This algorithm is among the most feared of data encryption software. Thanks to their practices and this worrisome encryption method, the Maze ransomware group has quickly risen to the top as most intimidating cyberthreat to organizations around the globe.

What Can Businesses Do to Protect Themselves from Maze?

  • Follow best security practices
  • Educate employees about phishing – this maybe the best preventative measure you can take
  • Enable two-factor authentication on network devices and systems
  • Follow password management policy that enforces regular updates with strong password requirements
  • Ensure your third party vendors follow your security standards
  • Implement a reliable back up and recovery system, protected from network access
  • Protect applications and memory

Virsec’s Unique and Effective Application, Runtime and Memory Protection Stands Up to Ransomware

Virsec takes a unique approach to guard-railing your applications and countering a broad spectrum of cyber attacks, including ransomware attacks.

Only Virsec Security Platform Delivers:

  • Protection of application workflows, processes, file systems, libraries, memory and more at runtime
  • Precise attack remediation and automation early in the attack cycle without need for expert analysis or machine learning
  • Deterministic threat detection based on request deviations initiated by malicious code, remote hackers, files and trusted processes no matter how attacks originate.

Don’t leave your organization’s future to chance. Learn more about Virsec now.

Further resources:

White Paper: Making Applications Truly Self-Defending

Maze & Other Ransomware Groups Say They Won’t Attack Hospitals During COVID-19 Outbreak--But How Trustworthy Is Their Word?

Maze Ransomware Attacks Surge in 2020, Demand Ransom, Expose Data

Ransomware Attacks Rising Against Many Cities, Striking Local Governments & School Campuses

Ransomware Attacks Rising Against Many Cities, Striking Local Governments & School Campuses