DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Ransomware victims keep paying, and ransomware groups keep growing

Posted on June 13, 2020 by Dissent

Graham Cluley writes:

The City of Florence in northern Alabama has agreed to pay a ransom of US $300,000 worth of Bitcoin to hackers who compromised its computer systems and deployed ransomware.

At an emergency meeting this week, the Florence City Council unanimously voted to give in to the extortionists’ demands and pay the cybercriminals behind the attack.

Read more on HotForSecurity. As a public entity, I would guess that the payment would eventually become public knowledge, but it doesn’t help when people see that victims are willing to pay — it may just encourage more potential ransomware operators to become an affiliate or team up with an established ransomware group.

This past week, we have seen evidence of what looks to be like a growing criminal organization:  Maze Team announced that it had collaborated with other ransomware teams. One of the listings on Maze’s ‘name and shame’ site involved Ragnar ransomware. On the Ragnar operator’s blog, they link to Maze’s listing for ST Engineering with a note “Provided by Maze.” But it is not yet clear what exactly Maze provided in the way of help.  Maze had previously attacked ST Engineering in March of 2020. It appears, however, that there was a second attack in May of 2020 that also involved Ragnar.

But the Ragnar collaboration is not the only other ransomware collaboration Maze Team noted recently. Another incident, involved LockBit ransomware, was also noted on Maze’s website. That incident involved an architectural firm, the Smith Group.

Those collaborations — whether you view this all as a syndicate, a cartel, a RICO enterprise, or whatever — appears to be only the beginning. The signs of growing  criminal organization are all there, with various threat actors reaching out to find partners, or contractors, offering splits like 70/30 or 80/20 down the road.

To the extent that Maze has had a lot of experience and seems to have a working system/panel for tracking what they are doing and coordinating, they seem well positioned to take point and to faciliate wannabe ransomware threat actors who have less supports or organization. They also somewhat established themselves as leaders and innovators by developing the double-ransom model (one ransom for decrypting, one ransom for destroying exfiltrated copies of data) and for using a “name and shame” site to increase pressure on victims by public exposure and publicly dumping some of the victim’s data.  More recently, the Sodinokibi (REvil) team has introduced its own twist: an auction platform where people can bid on databases from victims who would not meet their demands.  So far, no one bid on either of their first two auctions, so they wound up just dumping the data publicly. What will happen with other auctions remains to be seen.

Maze collaborating with others has benefits for them but also poses risks. As but one example, if others they collaborate with should not adhere to promises made to victims, it will come back to bite Maze by future victims not believing them.   But for now, I think we all need to buckle up and expect these different ransomware groups to start collaborating more. We should also expect more ransomware teams to open up their own websites to name and shame, or to use Maze’s platform to put pressure on their victims.

Bottom line: I expect it’s going to get a lot worse out there before it gets better.

Category: Commentaries and AnalysesGovernment SectorMalwareSubcontractorU.S.

Post navigation

← Electronic Waveform Lab reports ransomware incident
FL: Cano Health Advises Patients Of Breach That Began Two Years Ago →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.