[Heads-up. This Is Ugly] After Refusing The Maze Ransomware Payment, Their Stolen Data Was Leaked

MAZE-RANSOMWAREAfter a deadline was missed for receiving a ransom payment, the group behind Maze Ransomware has published almost 700 MB worth of data and files stolen from a security staffing firm. Our friend Larry Abrams at Bleepingcomputer was told this is only 10% of the total files stolen and the rest will be released if a payment is not made. This is an unfortunate story and one that Bleepingcomputer does not enjoy telling, but with Maze's actions it is important to be told because this is something everyone needs to be aware of.

Ransomware Infection = Data Breach

With this escalated attack, ransomware victims now need to not only be concerned about recovering their encrypted files, but what would happen if their stolen unencrypted files were leaked to the public, and the fact that ransomware infections by now probably should be disclosed as a data breach with all related consequences. 

MAZE Ransomware Crew Contacts Bleepingcomputer

Maze is a ransomware infection that been operating for some time, but has become increasingly more active since May 2019. The group of actors behind Maze are also more known and were labeled as TA2101 after conducting numerous malspam campaigns that impersonate government agencies.  

Here is what the criminals wrote:

"I am writing to you because we have breached [REDACTED], downloaded data and executed Maze ransomware in their network.

They were asked to pay ransom in order to get decryptor and be safe from data leakage, we have also told them that we would write to you about this situation if they dont pay us, because it is a shame for the security firm to get breached and ransomwared.

We gave them time to think until this day, but it seems they abandoned payment process.

I uploaded some files from their network as the data breach proofs. If they dont begin sending requested money until next Friday we will begin releasing on public everything that we have downloaded from their network before running Maze."


There was evidence attached, a small sample of file that were allegedly stolen from the victim. In further conversations, the Maze actors told Bleepingcomputer that they encrypted 'a lot' of computers and are demanding 300 bitcoins, or approximately $2.3 million USD, to decrypt the entire network.

Abrams commented: "Furthermore, with ransomware actors actively searching through files on a victim's machines in order to further extort their victims, in many cases these attacks should now be considered data breaches. This leads to an escalated cost of dealing with breach notifications, hiring data breach lawyers, and the potential lawsuits that may follow. It is too soon to tell if this tactic will prove fruitful, but this is definitely something we will need to keep an eye on going forward."  

Unfortunately we agree, this is a new escalated reality that is setting in. 

How Does Maze Get Inside?

Apparently these are sophisticated players. They are known to use exploit kits, so make sure you have all the latest Windows security updates installed and that your applications are updated to the latest versions. Apparently they are also using hacked RDP services so make sure those are also locked down tight. I would not be surprised if they use phishing as well. 

Five Things You Can Do About This Right Away:

  1. When is the last time you tested the restore function of your backups? You want to do that ASAP, and make sure you have weapons-grade backups at all times.
  2. Scan your network to identify any open RDP ports and ideally disable RDP completely on all Windows machines if possible. By default, the server listens on TCP port 3389 and UDP port 3389.
  3. Best practice to protect a network from a brute force RDP attack is to apply strong RDP security settings, including limiting or disabling access to shared folders and clipboards from remote locations.
  4. An RDP brute force approach does open the attacker’s information to the targeted network, so automate the process of parsing the Windows Event Viewer logs, find any compromised user accounts, identify the IP address of the attacker and block that.
  5. Do a no-charge Phishing Security Test and find out what percentage of your users is Phish-prone. Use that percentage as a catalyst to start a new-school security awareness training program, which—by survey—your users are actually going to appreciate because it helps them stay safe on the internet at the house. PS, the password is  "homecourse". It's free. 

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:


Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews