Pensacola was hit by Maze ransomware, which in other cases has stolen data before encrypting it.
Paul Harris / Getty Images
An email sent by the Florida Department of Law Enforcement to all Florida county commissioners indicated that the ransomware that hit the city of Pensacola on December 7 was the same malware used in an attack on the private security firm Allied Universal, according to a report from the Pensacola Journal. That malware has been identified elsewhere as Maze, a form of ransomware that has also been spread through spam email campaigns in Italy.
Lawrence Abrams of Bleeping Computer reported in November that the Maze operators had contacted him after the Allied Universal attack and claimed that they had stolen company files before encrypting them on the victim’s computers. After Allied apparently missed the ransom payment deadline, the ransomware operators published 700 megabytes of files taken from Allied and demanded 300 Bitcoins (about $2.3 million) to decrypt the network. The Maze operators told Abrams that they always steal victims’ files to use as additional leverage to make them pay:
It’s just logic. If we reveal it, who will believe us? It is not in our interest; it is stupid to reveal because we cannot gain anything from it. We also delete data because it is not really interesting. We are not a spy group or any other type of APT; the data is not interesting to us.
Stealing data as proof of compromise, and thus as leverage to push ransomware victims into paying, is rare but not new. The RobbinHood ransomware operator who attacked Baltimore City in May also stole files as part of the attack and posted screenshots of some of them (documents faxed to the Baltimore City Hall fax server) on a Twitter account to pressure city officials to pay. Baltimore did not pay the ransom.
Data theft creates another problem for ransomware targets that in the past would have quietly paid to decrypt their data: it raises the possibility that the breach must be reported to customers and government regulators. In some cases, ironically, it can remove part of the motivation to pay, because the attackers can sell the stolen data whether the victim pays or not.
“Broadly targeted” attacks
Maze, Ryuk and other ransomware attacks against government agencies and companies increasingly follow what Raytheon Cyber Services senior manager Dylan Owen called a “broadly targeted” approach: relying on spam for the initial compromise, then poking around to find out whom they have breached “before launching the attack.”
“They are not necessarily aimed at a specific agency,” Owen told Ars. “The attackers have often received a list of emails from another source, or have programs that randomly try emails, or combinations of username, first name/last name, middle initial, all kinds of different combinations,” he explained. “They might do a little research when they go for a certain type of organization, but most of the time they are very broad. Once they get a beacon back and say, ‘Hey, someone clicked on my link,’ they’re going to find out who it was.” And if the click came from a larger, target-rich organization, Owen said, they move forward.
State and local authorities are particularly vulnerable to this type of attack because of the economics of their IT operations. “They depend on financing through taxes or whatever, and that money can only go so far,” Owen commented. “They also have a predominance of older IT systems because of the lack of funding over the years. So it’s something built on itself. Many of them also have their own software, so it’s not commercial, off the shelf; they hired someone to make special code, and that code may not work on newer operating systems, so they now have older operating systems that are harder to patch.”
In addition, many government agencies and local authorities have not done the work of segregating those vulnerable systems and adding defenses around them to reduce the risk that legacy systems pose, Owen explained. But he said that is starting to change. “I know in particular with Louisiana, the governor had said that cybersecurity will be a very big issue for 2020,” he said. “They put a lot of money into it in 2019.” And while Louisiana had to take the drastic step of cutting off many services during the recent Ryuk attack, that step was effective in stopping the attack from spreading.