Operators of the Maze ransomware kept their promise: without receiving a ransom from LG Electronics and Xerox, the attackers published on their website the data stolen from the companies. Thus, the hackers revealed 50.2 GB of data that they allegedly stole from the LG internal network, as well as 25.8 GB of data, allegedly belonging to Xerox.
Let me remind you that since the end of 2019, ransomware developers have begun to “work” according to a new scheme that allows them to receive more money from victims. Basically, they are demanding two ransoms from the affected companies: one for decrypting data, and the other for removing information that was stolen during the attack. In case of non-payment, the attackers threaten to publish this data in the public domain.It all started with the operators of the Maze ransomware, which began to publish files they stole from the attacked companies, if the victims refused to pay. The hackers set up a special website for such “leaks”, and soon other groups followed their example, including Sodinokibi, DopplePaymer, Clop, Sekhmet, Nephilim, Mespinoza, Ako, Netwalker and so on.
LG Electronics and Xerox were likely compromised by the CVE-2019-19781 vulnerability, which affects several versions of the Citrix Application Delivery Controller (ADC), Citrix Gateway, and two older versions of Citrix SD-WAN WANOP”, – information security specialists believe.
This problem was discovered at the end of 2019, and even then, analysts warned that more than 80,000 vulnerable servers could be found in the public domain, so, the problem threatened tens of thousands of companies from 158 countries.
The ZDNet edition writes that judging by the screenshots published by the Maze group at the end of June, as well as by the samples of files from the leak, the information stolen from LG includes the source codes of firmware for various company products, including phones and laptops.
Maze’s operators told reporters that they hadn’t tried to launch an encryptor on the company’s network at all. The hackers simply stole LG’s proprietary data and went straight to the second stage of extortion.
“We decided not to perform [encryption], because they have socially significant clients, and we didn’t want to create problems in their work, so we just stole the data”, — the hackers say.
LG representatives declined to comment on the incident.
Currently it is unknown, how evolved the attack on Xerox. For example, it is unclear which internal systems of the company were affected by the Maze ransomware, and whether encryption was used at all, or the group have chosen only to steal files from the company, as happened in the case of LG.
A cursory analysis of the released data showed that hackers had stolen information related to customer support operations. In particular, ZDNet reporters were able to find data concerning Xerox employees, but have not yet found any data about the company’s customers.
However, the publication notes that due to the large volume of the dump it will take a lot of time to study it in detail.
Let me remind you that LockBit, Maze operators, and Ragnar Locker ransomware have united in a criminal cartel, which has added work to cyber police around the world.