Those who have been watching Maze Team and other ransomware groups are already aware that Maze Team has quietly continued to actively attack entities. Those who do not pay their demands will likely find themselves listed on the threat actors’ website with some of their data publicly dumped for anyone who wants to download it.
Over the past month, the list of victims who have not paid their demands has grown. But if you’re Maze Team, you may not view that list as a growing list of failures on their part, but as a list of successful attacks. However you spin it, we really have no way of knowing how successful their business model actually is. What percent of all their victims are listed on their website? What percent do they need to have pay them to be profitable? If only one victim pays them, but they get millions, isn’t this all still worth their time and effort?
And does listing a victim on the site actually influence victims to pay up? According to their statement to this site, Stockdale Radiology paid up and that was after they had appeared on the site. But MDLab never paid up, even after the attackers started dumping their data.
Last night, Maze Team issued its own “press release.” Some of the points they make seem predictable — statements that are actually warnings to current and future victims that if they don’t pay up, Maze Team will basically do whatever the hell it wants with the data and all the blame should fall on the company that failed to prevent the attack and then was careless after they were attacked.
But in this day and age, when most people say that a breach is not a matter of “if” but rather, “when,” will victim blaming carry any weight at all as a pressure technique? Probably not.
After issuing explanations (cautions), Maze Team turned to media coverage of their work (typo’s below are as in the original):
One more word about the Security “Experts” discussing our activity and our team. We are greately disappointed with those so called Professionals who can’t tell the difference between phishing and lateral movement . We don’t need to use phishing attacks and slowly move from one target to another as we have the access to the to the hosting provider . As long as such so called Professional will work in IT and Security we will have a lot of work.
They also had some caustic comments about some of the network administrators they communicated with about their attacks:
Another word for the IT specialist and network administrators who are tring to hide the information of the data leak from the company’s executives. They are making everything just the worst. We were really shoked by the fact that some network administrators were trying to hide the leak by offering us the access to the data of other companys, access to private laptops of the company’s president or even the naked photos of their boss’es secreteary. Funny but it’s true.
We are not interested in accesing accounts or bitcoin wallets of the company’s executives. We are doing what we are doing and no other proposals are accepted.
What great material that could all be for the talk I’ve thought about doing on how NOT to respond to a breach, but sadly, Maze Team declined to tell me more about these responses. Maybe one day they will…..