DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Ransomware victims keep paying, and ransomware groups keep growing

Posted on June 13, 2020 by Dissent

Graham Cluley writes:

The City of Florence in northern Alabama has agreed to pay a ransom of US $300,000 worth of Bitcoin to hackers who compromised its computer systems and deployed ransomware.

At an emergency meeting this week, the Florence City Council unanimously voted to give in to the extortionists’ demands and pay the cybercriminals behind the attack.

Read more on HotForSecurity. As a public entity, I would guess that the payment would eventually become public knowledge, but it doesn’t help when people see that victims are willing to pay — it may just encourage more potential ransomware operators to become an affiliate or team up with an established ransomware group.

This past week, we have seen evidence of what looks to be like a growing criminal organization:  Maze Team announced that it had collaborated with other ransomware teams. One of the listings on Maze’s ‘name and shame’ site involved Ragnar ransomware. On the Ragnar operator’s blog, they link to Maze’s listing for ST Engineering with a note “Provided by Maze.” But it is not yet clear what exactly Maze provided in the way of help.  Maze had previously attacked ST Engineering in March of 2020. It appears, however, that there was a second attack in May of 2020 that also involved Ragnar.

But the Ragnar collaboration is not the only other ransomware collaboration Maze Team noted recently. Another incident, involved LockBit ransomware, was also noted on Maze’s website. That incident involved an architectural firm, the Smith Group.

Those collaborations — whether you view this all as a syndicate, a cartel, a RICO enterprise, or whatever — appears to be only the beginning. The signs of growing  criminal organization are all there, with various threat actors reaching out to find partners, or contractors, offering splits like 70/30 or 80/20 down the road.

To the extent that Maze has had a lot of experience and seems to have a working system/panel for tracking what they are doing and coordinating, they seem well positioned to take point and to faciliate wannabe ransomware threat actors who have less supports or organization. They also somewhat established themselves as leaders and innovators by developing the double-ransom model (one ransom for decrypting, one ransom for destroying exfiltrated copies of data) and for using a “name and shame” site to increase pressure on victims by public exposure and publicly dumping some of the victim’s data.  More recently, the Sodinokibi (REvil) team has introduced its own twist: an auction platform where people can bid on databases from victims who would not meet their demands.  So far, no one bid on either of their first two auctions, so they wound up just dumping the data publicly. What will happen with other auctions remains to be seen.

Maze collaborating with others has benefits for them but also poses risks. As but one example, if others they collaborate with should not adhere to promises made to victims, it will come back to bite Maze by future victims not believing them.   But for now, I think we all need to buckle up and expect these different ransomware groups to start collaborating more. We should also expect more ransomware teams to open up their own websites to name and shame, or to use Maze’s platform to put pressure on their victims.

Bottom line: I expect it’s going to get a lot worse out there before it gets better.

Category: Commentaries and AnalysesGovernment SectorMalwareSubcontractorU.S.

Post navigation

← Electronic Waveform Lab reports ransomware incident
FL: Cano Health Advises Patients Of Breach That Began Two Years Ago →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation
  • Qilin Offers “Call a lawyer” Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.