A few days ago cybercriminals behind Maze Ransomware took the responsibility for Pensacola cyberattack and soon after that they published a whole list of their victims which includes eight names of companies on their website.
On Friday, security firm Emsisoft told IBTimes Singapore that an US-based company called Fratelli Beretta has been listed on Maze's site for five days and the hackers have revealed all the stolen data. It can be believed that the attackers may be waiting to see whether the cyber threat of its release would push the company into paying.
The Maze ransomware
The operators of the ransomware stated that they were responsible for encrypting the Pensacola city's data and have demanded a $10,00,000 ransom for a decryptor. They shared documents which were stolen from the city but did not state if they have given a deadline to Pensacola or will release them. As per Emsisoft, it is the first ransomware incident in which data was exfiltrated as well as encrypted.
After attacking the city, the hackers behind the Maze ransomware recently made a list of their next victims and shared the names on the website. It says, "Represented here companies don't wish to cooperate with us and trying to hide our successful attack on their resources. Wait for their databases and private papers here. Follow the news!"
Earlier an Emsisoft spokesperson, Brett Callow said, "This is a concerning development and, as we stated in our recently-released report, we consider the threat level to now be extreme. Every ransomware incident now has the potential to be a data breach, and so prevention and detection are more important than ever. We expect ransomware groups to continue using stolen data as leverage at least into early 2020. Whether the approach continues in the longer term depends on whether it's proved to be more successful than encryption-only attacks."
Maze dumped data
A researcher at Emsisoft, Michael Gillespie told IBtimes Singapore that "The Maze group is one of several that are now exfiltrating data prior to encrypting it. The most likely reason for this switch in tactics is that it's a form of A/B test to see whether the extra threat of data being made public results in more companies paying ransom demands. Of course, in these situations, bad actors may also be able to monetize the stolen data should the victim not pay - or, perhaps, even if they do pay."
Gillespie also stated that it would be a serious mistake if we assume that criminal enterprises will keep their "pinky-promises," especially if they have managed to acquire critical documents or other important data.
As per the researcher, it means that "the prevention and detection are more important than ever. Once data has been stolen, there's no way to get it back. As for me being specifically mentioned in the ransomware's code, this is not at all uncommon. The code very often contains messages, misattributions, misdirections and sometimes even threats. In fact, I almost view it as a compliment - it shows that my work is annoying the bad actors!"