Maze Ransomware Gang Dumps Purported Victim List

Cybercrime Gang’s ‘Naming and Shaming’ Tries to Pressure Victims Into Paying

Criminals often pursue any angle that gives them greater leverage against potential victims.

The gang behind Maze ransomware, for example, is trying to up the psychological ante against victims that have refused to pay its ransom demand in exchange for the promise of a decryptor. By publicly identifying these organizations, and releasing a list of crypto-locked systems and a sample of filenames, Maze is attempting to convert prospective “clients” into paying customers (see: Ransomware Gangs Practice Customer Relationship Management).

The gang has posted teasers of stolen information to its “Maze Team” website over the past two days. “Represented here companies don’t wish to cooperate with us, and trying to hide our successful attack on their resources. Wait for their databases and private papers here. Follow the news!” the site reads.

The intent is clear: By naming and shaming victims, the Maze gang is trying to psychologically compel them to pay.

I’m not going to link to the site, since it furthers the gang’s aims. But so far, the gang has listed eight organizations, all of which it says fell victim to attacks that are “lock dated” from Oct. 21 to Dec. 9.

The Maze gang also claims to have exfiltrated data from the organizations, ranging from auditing spreadsheets and mutual confidentiality agreements to documents detailing privileged accountholders and patent applications. Total amounts of data stolen range from 1.5 GB to 120 GB. The victim organizations are located in Canada, France, Italy, the U.K. and the U.S.

Maze Has Form for Exfiltration

The Maze gang’s claim that it exfiltrated data from organizations that it crypto-locked couldn’t be verified. Such activity is extremely rare.

Except that last month, the Maze gang did publish almost 700 MB of data that it stole from Allied Universal, a California-based security services firm, as Bleeping Computer reported (see: Ransomware Attackers Leak Stolen Data).

The “Maze Crew” told the security publication and ransomware victim support site that the leak only represents a fraction of the 5 GB of data they stole, and that they would dump the rest – sending it to WikiLeaks – unless Allied Universal coughed up a ransom of 300 bitcoins, now worth about $2.1 million. The state of any negotiations remains unclear.

What’s notable here is that the Maze gang didn’t cherry-pick intellectual property or potentially embarrassing information from the stolen Allied information. Instead, it looks like they’re just seeking a further way to potentially embarrass a victim into paying them.

“Maze themselves pointed out that the data is unimportant to them,” Bleeping Computer Editor Lawrence Abrams told me last month. “They don’t want to monetize it on its own, but to use it purely as leverage to get the company to pay the ransom.”

Not Listed: Pensacola

One apparent Maze victim that isn’t on the gang’s list of victims that have not paid is the city of Pensacola, Florida, which was hit on Dec. 7 by a ransomware attack that reportedly involved Maze (see: City of Pensacola Recovering From Ransomware Attack).

Does that mean the city has paid a ransom? So far, that’s not clear. But as ProPublica has reported, the Florida League of Cities provides insurance coverage to more than 550 public entities in the state, including 250 municipalities. For cyber policies, the league’s reinsurer is Beazley, which shares the risk. But it’s not clear if Pensacola holds such a policy (see: Do Ransomware Attackers Single Out Cyber Insurance Holders?).

Under Pressure

Regardless, the Maze gang’s attempt to embarrass victims into paying is a well-worn tactic, often seen in sextortion attacks involving criminals threatening to release explicit images or videos of victims (see: Sextortion Scheme: Former U.S. Official Pleads Guilty).

Many types of crime attempt to use one of six “influencing levers,” which are techniques for influencing the subconscious defined by psychologist Robert Cialdini, an expert on the “principles of persuasion.” The levers are reciprocity, commitment and consistency, social proof – copying the actions of others – as well as authority, liking and scarcity.

As McAfee researchers Raj Samani and Charles McFarland write in a “Hacking the Human Operating System” research report: “These influencing levers are used for many purposes – including sales, cons (trying to extract money from people) and social engineering.”

In the case of Maze, the group is obviously attempting to socially engineer victims who haven’t paid into paying. In that respect, while the tools they wield may differ from other cybercrime groups, the intention is the same: To earn the easiest and quickest criminal payday possible, now with added psychological pressure (see: Roses Are Red, Romance Scammers Make You Blue).

What remains to be seen, however, is whether other ransomware gangs will emulate Maze’s tactics.
