Maze Ransomware Hackers Extorting Providers, Posting Stolen Health Data

February 04, 2020 - Recent reports have shown the hacking group behind Maze ransomware has been steadily posting the data of its victims online after the organizations fail to pay the ransom demand. A compiled list of victims shows the data of several healthcare organizations are included in those postings, despite a lack of public reporting of those incidents.

The FBI issued a warning in early January that the hackers behind Maze ransomware have increased targeted attacks on the private sector. In these attacks cybercriminals pose as legitimate security vendors or government agencies to encrypt and steal data.

Maze is just one of several hacking groups that have taken to either threatening to or extorting and posting public data for sale on dark markets, including the hacking groups behind ransomware variants like Sodinokibi and DoppelPaymer.

Beginning late last year, the Maze hackers began notifying sites like DataBreaches.net that it exfiltrated the data from its victims during the ransomware attacks and had been holding onto that sensitive information to later publish, if those organizations did not respond to their extortion demands.

In one of the most notable cases, Southwire, a cable and wire manufacturer out of Georgia, fell victim to Maze ransomware and refused to pay the $1.7M or 200 BTC demand. The hackers then went on to publish the stolen data, which prompted Southwire to file for an emergency injunction to force the hackers to remove the stolen data from online and bar the hackers from posting more.

READ MORE: Is Healthcare Prepared to Respond to Cyber Threats Beyond Ransomware?

The site was taken down in less than 24 hours after the judge issued the order. However, Maze hackers registered two site domains and continued publishing the stolen data from Southwire. The data is still available for download, and since that time, the hackers have continued to publish a steady stream of stolen data.

According to Brett Callow, a threat analyst from Emsisoft, the healthcare organizations among the published victims include Stockdale Radiology and Sunset Radiology. There also appears to be data from chiropractor Scott A. Hourigan, MD in South Dakota that is mis-labeled as data from a company called Ramtek.

One of the largest medical data postings appears to be from New Jersey’s Medical Diagnostics Laboratories (MD Lab). The Maze hacker’s website claims that it encrypted 231 workstations during a cyberattack. When MD Lab refused to pay the extortion demand, the hackers went on to publish 9.5 GB of research data in an attempt to force negotiations with the provider.

In total, allegedly 100 GB of data was stolen from MD Lab. Maze hackers demanded 100 BTC, or $832,880, for the release of the keys that would unlock the stolen files. Another 100 BTC was demanded to destroy the data.

About 29 companies are listed on the Maze website as organizations that have not paid the hackers. And the actors still have samples posted of the data they have claimed to have stolen.

READ MORE: FBI Alerts to Rise in Maze Ransomware, Extortion Attempts

“Organizations that have data stolen have no good options available to them,” Callow wrote. “Threat actors will promise to destroy data if ransoms are paid - but why would a criminal enterprise destroy data that it may be able to further monetize? The answer is that they probably will not.”

“There has been a definite uptick in ransomware attacks on healthcare providers over the last 12 months, but it’s impossible to estimate the frequency with which those attacks succeed,” he added. “That’s primarily because breaches only come to light if organizations, or sometimes threat actors, disclose them, and we know that does not always happen.”

These incidents spark service disruptions and increase the risk of patient health information being exposed, as well as possible extortion attempts on the people actually connected to the stolen data, Callow explained.

A prime example of this was seen with a January hack of Richard Davis, MD, who operates The Center for Facial Restoration. Patients actually reported receiving extortion demands from the hackers after the provider refused to pay the ransom to release the medical data they stole during the cyberattack.

While Davis was forthcoming with patients about the attack, Callow explained that there is ample evidence to suggest that not all data breaches are disclosed in the healthcare sector.

Further, relying on backups is no longer seen as the best protection against ransomware, as these attacks prove. Backup data is indeed still crucial to restoration, it does not guarantee the hacker has not exfiltrated information.

As a result, Callow explained that providers need to also focus on detection and prevention methods, as “once data is out there, it’s out there. Providers need to ensure that does not happen.”

“Moving forward, healthcare providers should expect more attacks and more sophisticated attacks,” Callow said. “Because healthcare providers provide critical services, they may be more likely than other organizations to pay ransom demands due to the need to recover their systems in the shortest possible time. This makes the sector an attractive target.”

“Providers should assume that their perimeters will be breached and monitor their environments for signs of compromise,” he added. “Threat actors typically have access to a network for a week or more prior to deploying to ransomware, which means providers have a window of opportunity in which to detect and neutralize threats before data is exfiltrated or encrypted.”