Maze Ransomware Victim’s data revealed

Recently various successful ransomware attacks are observed, of which Maze Ransomware tops the list. Threat Actors behind Maze Ransomware is attributed as TA2101 by Proofpoint and APT-29 by Talosintelligence.The Maze team is publicly exposing victims by displaying real files exfiltrated from their hacked servers. Threat Actors supposed to have registered the domain mazenews[.]top to release the exfiltrated data.

Recent incidents:
Over the past several months, Talos Incident Response responded to several such incidents, where an adversary gained access to an environment, deployed ransomware, and exfiltrated large amounts of data, combining elements of ransomware and doxxing attacks into a single incident.

In one incident, the attacker leveraged CobaltStrike after obtaining access to the network. CobaltStrike is a widely used framework for offensive and red-teaming, which is also commonly used by adversaries to attack their targets. Once the adversary has access, they spend at least a week laterally moving around the network and gathering systems and data along the way. Combined with CobaltStrike, the actor used a technique commonly associated with APT-29, leveraging a named pipe.

Victims List:

On December 11, the group behind the Maze ransomware established a website where victims who refused to pay the ransom were shamed and leaked victim information stolen by the group was exposed.

• Andrew Agencies Ltd, https://www.andrewagencies.com/  – Insurance, Canada
• Southwire, https://southwire.com  – Wire Manufacturing, USA
• DV-GROUP, https://dv-group.com  – Industrial Engineering, France
• Сutrale, https://www.cutrale.com  – F&B, USA
• MASSEY, https://masseyservices.com  – Pest control, USA
• LFNDIST, https://lnfdist.com  – F&B, USA
• Nfm Filter, https://www.nfm-filter.com/  – Manufacturing, USA
• Greccoauto, https://greccoauto.com  – Transport, USA
• United Imaging, https://www.united-imaging.com/  – Healthcare, China
• MitchCoinIntarnational, http://mitchcointernational.com – F&B, USA
• RBC, https://asgsys.com  – ITServices, USA
• CBW, https://www.bakerwotring.com  – Legal, USA
• BILTON, https://www.biltongroup.com  – Lighting, Austria
• Groupe Igrec, https://igrec.fr  – Financial Services, France
• Vernay, https://vernay.com  – Engineering, USA
• Randalegal, https://www.randalegal.com/  – Legal Service, Czech
• THEONE, https://theone.com  – Furniture, UAE
• Groupe Europe Handling SAS, https://groupe-europe-handling.fr/  Transport, France
• City Of Pensacola, https://www.cityofpensacola.com/  – USA
• Bird Construction, https://www.bird.ca  – Construction, Canada
• Busch’s Inc., https://www.buschs.com/  – F&B, USA
• Fratelli Beretta, https://ratelliberetta.com   – F&B, ITALY
• MDL, http://www.mdlab.com – Healthcare, USA
• Continental NH3 – Engineering, USA
• Einhell – Manufacturing, Germany

This trend of achieving maximum monetary gain for their nefarious activities is increasingly common in the crimeware space, as demonstrated by the proliferation of emotet and the millions and millions of dollars in damage that have followed. Expect adversaries to be increasingly aware of the systems and networks they are compromising as all systems and networks are not created equally and some have much higher profit margins, when compromised.

Indicators of Compromise (IoCs):
HASHES:

CobaltStrike

• 51461b83f3b8afbcae46145be60f7ff11b5609f1a2341283ad49c03121e6cafe
• 3627eb2e1940e50ab2e7b3ee703bc5f8663233fe71a872b32178cb118fb3e2d9

Maze Ransomware

• 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e
• 067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b
• 1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78
• 153defee225de889d2ac66605f391f4aeaa8b867b4093c686941e64d0d245a57
• 195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9
• 30b72e83d66cbe9e724c8e2b21179aecd4bcf68b2ec7895616807df380afab54
• 33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502
• 4080402553e9a86e954c1d9b7d0bb059786f52aba4a179a5d00e219500c8f43d
• 5603a16cbf81d183d3ff4ffea5477af1a4be01321865f0978c0e128051ec0a82
• 58fe9776f33628fd965d1bcc442ec8dc5bfae0c648dcaec400f6090633484806
• 5c9b7224ffd2029b6ce7b82ea40d63b9d4e4f502169bc91de88b4ea577f52353
• 6878f7bd90434ac5a76ac2208a5198ce1a60ae20e8505fc110bd8e42b3657d13
• 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af 
• 822a264191230f753546407a823c6993e1a83a83a75fa36071a874318893afb8
• 83f8ce81f71d6f0b1ddc6b4f3add7a5deef8367a29f59b564c9539d6653d1279
• 877c439da147bab8e2c32f03814e3973c22cbcd112d35bc2735b803ac9113da1
• 91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1
• 9751ae55b105ad8ffe6fc5dc7aea60ad723b6df67a959aa2ea6f4fa640d20a71
• 9ad15385f04a6d8dd58b4390e32d876070e339eee6b8da586852d7467514d1b1
• 9be70b7fe15cd64aed5b1adc88c2d5270bce534d167c4a42d143ae0059c3da1c
• b30bb0f35a904f67d3ac0082c59770836cc415dc5b7225be04e8d7c79bde73be 
• c040defb9c90074b489857f328d3e0040ac0ddab26cde132f17cccae7f1309cc 
• c11b964916457579a268a36e825857866680baf1830cd6e2d26d4e1e24dec91b 
• ea19736c8e89e871974aabdc0d52ad0f0948159d4cf41d2889f49448cbe5e705 
• ecd04ebbb3df053ce4efa2b73912fd4d086d1720f9b410235ee9c1e529ea52a2 
• F491fb72f106e879021b0bb1149c4678fb380c255d2ef11ac4e0897378793f49 
• fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f

IP ADDRESSES:

• 91.218.114[.]4
• 5.199.167[.]188
• 185.147.15[.]22

References:

• https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html
• https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us

Contact: https://www.linkedin.com/in/dinesh135kumar/