Independent security researcher Brian Krebs reported on Krebsonsecurity.com that, in a continuing escalation of their extortion tactics, the criminals behind the MAZE ransomware have just created a publicly viewable web site listing 8 victims and a limited amount of selected data.
MAZE probably hopes that increasing the psychological pressure will squeeze current victims who are still undecided into paying up. The site also serves as a warning to future victims of what could result from not paying, particularly when data is exposed: the legal and cost ramifications of reporting and mitigating what would be considered a data breach. We discussed this topic in our blog post about REvil last week.
According to Brian, “less than 48 hours ago, the cybercriminals behind the Maze Ransomware strain erected a Web site on the public Internet, and it currently lists the company names and corresponding Web sites for eight victims of their malware that have declined to pay a ransom demand.”
Krebs describes the information released publicly so far as “initial date of infection, several stolen Microsoft Office, text and PDF files, the total volume of files allegedly exfiltrated from victims (measured in Gigabytes), as well as the IP addresses and machine names of the servers infected by Maze.”
It's worth noting that the type of information released so far is not very damaging to the victims, but the public web site makes it very clear that the gang *might* release much more confidential information.
[“Represented here companies dont wish to cooperate with us and trying to hide our successful attack on their resources,” the site explains in broken English. “Wait for their databases and private papers here. Follow the news!”]
“KrebsOnSecurity was able to verify that at least one of the companies listed on the site indeed recently suffered from a Maze ransomware infestation that has not yet been reported in the news media.”
While threats to leak data are not new, it remains to be seen how effective an extortion tool this turns out to be, and whether this new "threat experiment" will continue or be copied by other ransomware strains.