Maze has seemingly done such a good job getting media attention that we’re also seeing more analyses of their methods.
This week, check out this report from FireEye: Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents
and this report from Sophos: Maze ransomware: extorting victims for 1 year and counting
In other Maze-related news this week, the threat actors continue to add new victims to their website where they name victims who have not paid their ransom demands and where they dump data to increase pressure on victims.
Of note this week, Cognizant revealed in an earnings call that it is taking a financial hit to the tune of $50-70 million from Maze’s ransomware attack, even though the attack itself did not have a significant impact on their systems.
Also of note this week: a U.K. publication reports that Maze team has been found to be operating out of Georgia and that the threat actors are associated with the Kremlin and Russian security services. The publication does not provide any specific sources to support their reporting or even give the basis for the report, other than an “it is understood” kind of phrasing.
Could Maze Team be Russian? Sure, and some of their data dumps reveal Russian screens. But if they are associated with the Kremlin or Russian security services, then can U.S. entities pay any ransom demands? If word that Maze Team is affiliated with the Kremlin spreads and cyberinsurers become aware of the report, will the insurance companies refuse to authorize payments under their insured’s insurance policies?
Suppose all the U.S. victims were to say, “Sorry, but our insurance won’t cover us for paying you, so…”
Note that I don’t necessarily believe the U.K. publication’s reporting as they don’t provide any sourcing for it. But I’ll be watching to see if any sourcing or evidence is published.