Stolen data purportedly from the government of Prince Edward Island including personal information has been publicly posted on the web site of the ransomware gang known as the Maze group, according to a security researcher.
Brett Callow, a British Columbia-based threat analyst for Emsisoft who has seen the files, said they were posted over the weekend. That’s a week after PEI discovered and stopped a ransomware attack 90 minutes after it started.
Most ransomware attacks only encrypt data before sending a threat notice to victims. The Maze strategy, announced last December, is to first copy as much data as it can before launching ransomware. Then if a victim doesn’t pay it releases some data on its site, as well as the IP addresses and machine names of infected servers, with the threat — implied or direct — that more data will be released if it isn’t paid off.
In the PEI case the posted spreadsheets, PDFs, text and ZIP files are under a headline that reads “Proofs.” Callow says the files he’s seen include persons’ names and social insurance numbers, copies of provincial bank statements, audits and budgets.
The PEI entry on the public Maze site is one of 10 new victims the attackers allege they have compromised. The site says “Represented here companies do not wish to cooperate with us, and trying to hide our successful attack on their resources. Wait for their databases and private papers here. Follow the news!”
IT World Canada sent a message to Spencer Lee, a spokesperson for the PEI finance department last night, for comment. As of press time this morning it hadn’t received a reply.
UPDATE: In an email this afternoon Lee said that “the investigation into the attack is ongoing, and we will continue to communicate openly with our citizens in Prince Edward Island, when appropriate and safe to do so. ”
On February 25th Lee issued a statement saying that two days earlier the government discovered malware on its network. At the time he said there was “no reason to believe that Islanders’ personal information” was affected.
The same day John Brennan, the province’s director of business infrastructure services, told the CBC that this was a ransomware attack that was stopped 90 minutes after being detected.
Brennan said “a very small amount” of data was encrypted, but it was backed up. He didn’t say if the government knew any data had been copied. But the Maze PEI entry alleges 200 GB of data was stolen.
Brennan told the CBC on Feb. 25th the government hadn’t been in contact with the attackers.
Callow said typically attackers get into a network for a week or more before launching malware. That would be enough time to find and copy sensitive data.
“PEI has no good options,” he added. “If they don’t pay the ransom more of the data is likely to be published. If they do pay the ransom the criminals still have the data and are quite likely to misuse it.”
Those behind Maze have been active since the beginning of the year. According to Emsisoft data Maze has made over 40 successful attacks since January 1 — the most recent are three law firms in the U.S.
The public Maze site has listed a number of alleged successful ransomware attacks, but later some of their names have been erased. That suggests those organizations paid up, Callow said.
Data theft as a weapon for blackmail or ransom is increasingly being added to the toolbox of threat actors because it can increase the odds of payment. An Ontario Provincial Police expert warned municipal infosec pros of that as recently as last October.
Meanwhile another ransomware and data theft threat actor calling itself DoppelPaymer has emerged, saying it has successfully attacked Visser Precision, a Denver manufacturer of precision parts for a number of industries. The group has started publishing files from what it says are a number of Visser customers including Tesla, SpaceX, Boeing and Lockheed Martin. TechCrunch says Visser has confirmed a data breach.
“So many ransomware groups now do steal data,” Callow noted, “that these incidents should really be regarded as data breaches until they are proven not to be. And people should be notified their data may have been compromised. That way they can take steps to protect themselves.”
He also suspects Maze is using documents it steals from one organization to spear phish its partners.
There’s no single tactic organizations can use to stem the spread of ransomware, he added. A layered approach works best, from credential hygiene to monitoring networks for signs of compromise.
In a January advisory report Trend Micro said there are a number of things infosec pros can do to better protect their organizations from ransomware, including forcing users to strengthen passwords, implementing multi-factor authentication to prevent account takeover, segmenting data and increasing staff training to recognize email threats.