In the 1st century BC, a small island of Pharmacusa (Farmakonisi) became a scene of one of the most infamous ransom extortions in history. According to Plutarch, a Roman commander Julius Caesar had to pay 50 Talents of Roman Currency to Sicilian pirates to be released. Through the next 2,000 years, rulers offered to fill rooms with gold or flotillas with silver as ransom. And even by this day, the entire cities and states can be held hostage, while governments pay millions to rescue the infrastructure. If one will need to describe the 2019 threat landscape with only a few words, "ransomware" will definitely be one of them.
The sharp rise of this menace is reshaping the entire cyber domain, filling the headlines with news about attacks against high-profile public and corporate networks. The underground community reacts by developing multidimensional structures of criminal alliances, shadow auctions, trusted groups, secretive relationships, and partnerships designed to maximize the revenue of the expanding ransomware market. These fragile unions bring together experts from all across the darkweb, who join the efforts to attack the most secure and lucrative targets.
Who are these Sicilian pirates and Pizarro conquistadors of the digital realm? Through this research series, AdvIntel offers a deep-dive into the cobweb (labyrinth) of organizational, political, and financial relationships between ransomware syndicates. By examining the stories of hacker groups and talented DarkWeb criminals, we will display how the ransomware ecosystem is becoming more complex, interconnected, and organized, while these groups themselves evolve from individual network intruders into perfectly balanced mechanisms of advanced digital crime.
REvil, MegaCortex, Truniger (TeamSnatch), Nemty, Clop, BitPyLock - these ransomware groups are different in their origin, scale, and methods; however, one thing unites them all - before encrypting the victim’s data they steal it and then threaten the victim to publish sensitive files. Today almost any ransomware note contains this “leak data” threat, and we begin to observe the ransom blackmailing as a new normal. A few months ago, however, no one within the underground community approached such an efficient scheme seriously. What has changed?
In December 2019, the MAZE (Maze) ransomware group published a portion of the 120 GB of data they claimed to have stolen from a North American prominent wire and cable manufacturer after the company refused to pay a ransom.
"Represented here companies do not wish to cooperate with us, and are trying to hide our successful attack on their resources. Wait for their databases and private papers here. Follow the news!" - said the disclaimer.
This was a game-changer. The Maze team kept publishing data of high-profile companies all across the globe and from all verticals and jurisdictions. They established an entire infrastructure of publishing resources, talked to the media, and made numerous comments and remarks. Loud and aggressive, Maze rapidly caught the attention of both the tech industry and the security sector.
The precedent was set and through the next months, the new generation of ransomware leaders including REvil and Clop left the niche cluster in which the community kept them for over a decade. These new underground top-dogs meticulously investigated the reality beyond rigid code frameworks, and immediately added new layers to their criminal plans, exploiting fear, public shame, and reputational costs.
Maze pioneered this path and reshifted the entire craft of digital extortion to “ransomhack” attacks.
Maze: Social, Technical, Organizational Crime Nexus
Maze Ransomware was discovered in May 2019 but has truly reached the headlines in November 2019. What made them unique was its reliance on social impacts to achieve results. Where other ransomware gangs experimented in adding network intrusion to their technical instrumentary, Maze added an entirely new layer to the crime scene - a layer of human feelings.
The human factor is an essential part of security and crime. Socially-oriented tactics like spearphishing and scamming were an inherent component of cybercrime since the beginning of the digital underground. Maze added manipulation, intimidation, and targeted reputational attacks to this equation, establishing an innovative methodology of efficiently exploiting the social fabric for their gain.
Of course, they were not the first. In November 2015, Chimera Ransomware was reported to be targeting companies in Germany while claiming to not only encrypt the data but leak private information. In 2015-2016 a group of hackers known as The Dark Overlord (“TDO”) leveraged aggressive exploitation of the essential social discourse, such as the 9/11 terrorist attacks, US government policies, family relationships, and reputational and legal responsibilities for data privacy violations.
Moreover, there were objective factors that made the social capitalization of cybercrime more efficient. Data privacy that used to be a functional aspect of information technology became a focal point of social discussion. On May 25, 2018, European states have implemented the GDPR (General Data Protection Regulation) compliance act. It is not accidental that on June 25, 2018, a month after, a new ransom scheme called “ransomhack.” has been reported by a Bulgarian Cybersecurity Firm “Tad Group”. A year later, REvil, who followed the Maze lead openly referenced the GDPR as a reason for them choosing the ransomhack approach.
Image 1: After Maze began publishing stolen data, REvil followed their example. They stated that if the victims would not comply with the ransom demands the data would be published forcing the victims to deal with all the consequences of the GDPR violation.
However, Maze differed from other groups - their syndicate introduced a solid and holistic strategy for blackmailing. They had a website, were communicative with researchers, reached out to the media, published a manifesto… For this group, the publishing extortion was not simply a method to amplify the revenues, it became their unique style, craft, and a way of life.
In comparison to the other groups, in May 2019, a ransomware collective SnatchTeam published files of a German IT company Citycomp after the victim declined to pay the ransom. This was the closest case to Maze extortion. But SnatchTeam never had a clear vision of integrating publishing extortion into their strategy.
Through a course of AdvIntel actor engagement with the head of the SnatchTeam stated:
"yeh, I remember this case: their data was kept on a server, after a while, we just dumped them [the files], because they became redundant".
Interestingly enough, Maze also started with the same sporadic and disorganized approach to victim threats. In November 2019, the group published their threats and demands via one prominent Russian-language and English-language underground darkweb forum. However, only after a couple of weeks, the team abandoned this idea and went to the public.
Image 2: Maze initially used the darkweb forum to publish victims’ data; however, on November 29, 2019, the Maze team member deleted all of their comments.
Today the group is a highly-organized syndicate with the hierarchical systems from media engagement personas to the network exploitation actor. Some of them exhibit native English-language skills, while the rest of the operator group speak Russian natively with the leak site comments in the Russian language.
Image 3: Maze issued a manifesto proclaiming their philosophy analogizing themselves to Assange and Snowden.
Maze Ransomhack Group: Strategy Defines the Tactics
To support their ambitions of becoming the for-profit Edward Snowden (the group often references him in their manifesto) Maze had to develop congruent tactics that would include a combination of technical skill and, of course, social engineering.
For instance, Maze creates malicious sites mimicking cryptocurrency websites as well as malspam campaigns impersonating government agencies and well-known security vendors. In these campaigns, Maze most often relies on phishing emails mimicking such known entities like the USPS, Italian Ministry of Taxation, 1 & 1 Internet AG, and even the German Finance Ministry. The emails contain a Cobalt Strike (Beacon) payload. During their attack against users in Italy, the group sent emails impersonating the Italian Revenue Agency. The emails obligated victims to comply with new guidelines issued by the Agency and contained the “VERDI.doc” attachment with the alleged guidelines.
Execution of a payload and the initiated Cobalt Strike session enables the attacker to navigate within the victim’s environment. This serves the double purpose - to encrypt the local files and to hiddenly steal sensitive data for future blackmailing.
On a technical level, Maze campaigns emphasize RDP compromises and exploit kits through their distribution campaign. Specifically, Maze distributed via the Spelevo Exploit Kit targeting known vulnerabilities in Internet Explorer and Adobe Flash (CVE-2018-8174, CVE-2018-15982, and CVE-2018-4878.) Later the group was observed using the Fallout and Spelevo exploit kits. Criminals have also established a fake Abra cryptocurrency website and used it to buy traffic from ad networks and redirect visitors to an exploit kit landing page under certain conditions.
As they emphasize extortion via publishing threats, Maze meticulously investigates their victims to achieve maximum leverage in blackmailing. According to various security researchers, Maze's distinctive feature is its ability to define if the victim’s machine is a home computer, workstation, domain controller, server, which will result in higher or lower ransom demands. Maze operators often examine the environments manually and are likely to define the ransom based on the type of systems infected. The size of the ransom demands thus may vary from $500 - $1,000 USD for average victims to millions of dollars demanded from the victims of selective attacks.
Image 4: Maze ransomware command line arguments.
Image 5: Maze ransomware decoded note.
Crime, including cybercrime, is expansionist by its nature. It strives for new revenues, new jurisdictions, and new realms. Social relationships, political ideologies, and legal frameworks, fears, doubts, and shame - all these constructs are now included in the cybercriminal’s daily considerations.
Maze did not only establish a new image, but it also proved how strong societal leverage could be, setting a vivid example. Social engineering is not limited to spearphishing emails; ransomware is not only mechanical dissemination of payloads. Maze proves that talented cybercriminals learned to merge the triad of social, organizational, and technical, into the same organic network. This amplifies their capabilities and requires a symmetrical security response that will not ignore the vicissitudes of our societies.
Unfortunately, in the days of the increasing social and political tensions and rising panic, we will observe more of this social exploitation emerging as this ransomhack phenomenon as ransomware intrusions are, in fact, data breaches amplified by extortion. The new age of “ransomhack” incidents is imperative to treat and investigate ransomware matters as possible data breaches to mitigate and understand the scope of the intrusions operations.
AdvIntel's elite human intelligence investigators provide advisory services that go beyond the framework of standard intelligence reporting. Such services include incident response and extortion retainer services, advanced threat actor engagements, insider threat investigation, advanced malware reverse engineering, training on standing and prioritized intelligence requirements, targeted investigations of advanced persistent threat groups, and long-term research into high-profile threats.