Maze Ransomware Attacks Surging in 2020, Demanding Ransom, Exposing Stolen Data

FBI issuing repeated warnings

In early January this year, the FBI released increased warnings about Maze ransomware attacks. As a ploy to steal data, cybercriminals are pretending to be government agencies or security vendors. And they've been extorting victims beyond ransomware demands.

The Maze hacker group has been active and gaining attention since in November 2019. They began using the extortion tactic of threatening US organizations with publicizing their stolen data as a way of forcing victims to pay their ransom. At the end of last year, the hackers notified sites like that they had victims’ stolen data and they were holding it with plans to publish it later if ransoms weren’t paid.

Victims Extorted by Having Their Stolen Data Published Online

One such Maze victim, a cable and wire manufacturer company in Georgia called Southwire, would not pay the $1.7M ransom demand. When the hackers published their stolen data on a website named something close to “mazenews,” Southwire filed an emergency injunction to force the hackers to remove the information and prevent them from releasing additional data. A judge issued the order which did force the website to be taken down within 24 hours. However, the Maze hackers simply registered two new domains outside US jurisdiction in Singapore and China and within days, resumed publishing Southwire’s stolen data under those new site domains. That data remains published and the hackers have continued with data releases since.

The Maze hacking group is continuing to deploy its ransomware and is publically naming the organizations it claims to have hacked if they’ve refused to pay the demanded ransom. They’ve threatened to expose private information from three law firms in South Dakota if their demands weren’t met.

The Medical and Healthcare Community a Prime Maze Target

Ransomware attacks against the medical community have been on the rise and the Maze attackers have struck medical providers across the US. How many attempts have been made and how many have been successful overall isn’t known because not all of them are disclosed. But increasing numbers of healthcare breaches have been made public in the last year.

In one example of a Maze ransomware attack, the bad actors encrypted 231 workstations at Medical Diagnostic Lab in New Jersey. The hackers first demanded over $800K in ransom from the lab to unencrypt the stolen data and they demanded a second payment of the same amount to delete the data. When MD Lab didn’t cave to the extortion, the thieves published close to 10GB of stolen PHI.

Brett Callow, threat analyst from Emsisoft, stated that healthcare organizations among the published victims include Stockdale Radiology and Sunset Radiology. Data from a chiropractor in South Dakota is also likely among the stolen and published data of Maze victims.

Past incidents like these have caused delays in service and disruptions, creating possible threats to patient’s health and certainly to patient privacy when their protected health information is exposed. It’s not inconceivable that the hackers could attempt to extort even the patients the data belongs to.

Organizations at Risk, Back Ups Not a Safety Net

On Maze’s unorthodox websites like, close to 30 companies are named as having their data stolen but not having paid up on the ransom bill. Samples of their allegedly stolen data are viewable. Good options are scarce. If a company pays the ransom, who’s willing to trust the thieves can be trusted not to renew the extortion at a later date?

Emsisoft’s Brett Callow says, “Organizations that have data stolen have no good options available to them. Threat actors will promise to destroy data if ransoms are paid - but why would a criminal enterprise destroy data that it may be able to further monetize? The answer is that they probably will not.”

Organizations should also realized they cannot rely on backups as a means of protection against ransomware. While still important for restoring data, backups won’t stop hackers from stealing or revealing data. And in some cases, such as Ryuk, the malware corrupts backups as well. (See our article The Year of Rising Ransomware, Ryuk Wields its Own Unique Nastiness.)

Are There Any Safety Nets?

Most conventional security tools are not equipped to defend against these types of sophisticated attacks. But that doesn’t leave companies without options.

What Can Businesses Do to Protect Themselves from Maze?

  • Follow best security practices
  • Educate employees about phishing – this maybe the best preventative measure you can take
  • Enable two-factor authentication on network devices and systems
  • Follow password management policy that enforces regular updates with strong password requirements
  • Ensure your third party vendors follow your security standards
  • Implement a reliable back up and recovery system, protected from network access
  • Protect applications and memory

Virsec’s Unique and Effective Application, Runtime and Memory Protection Stands Up to Ransomware

Virsec takes a unique approach to guard-railing your applications and countering a broad spectrum of cyber attacks, including ransomware attacks.

Only Virsec Security Platform Delivers:

  • Protection of application workflows, processes, file systems, libraries, memory and more at runtime
  • Precise attack remediation and automation early in the attack cycle without need for expert analysis or machine learning
  • Deterministic threat detection based on request deviations initiated by malicious code, remote hackers, files and trusted processes no matter how attacks originate.

Don’t leave your organization’s future to chance. Learn more about Virsec now.

Further resources

Solution Brief: Ransomware Protection

Watch 2-Minute Virsec Story

Virsec’s Message-Security Guy TV Episode 1486, RSA 2020 Pre-Show Interview with Willy Leichter

The Year of Rising Ransomware, Ryuk Wields its Own Unique Nastiness

MegaCortex Ransomware Worsens — Hackers Change Users’ Passwords & Make Blackmail Demands 

MegaCortex Malware Strikes Business Networks, Does Damage Both as Ransomware and Disk Wiper