The Register reports that Emsisoft specialists found a very interesting attack: the operators of the Maze ransomware accidentally attacked the wrong company. Maze attacked a New York-based architectural and construction firm, although they intended to launch an attack on the Canadian Standardization Association.
The fact is that if you search “csa group” on Google, almost all search results will be related to the Canadian Standards Association (CSA), but there is one exception: the CSA Group, an architectural and construction company from New York.
“So it happened that this company bears almost the same name as the Canadian Standardization Association and uses an almost similar domain: csagroup[.]com, while the association belongs to the csagroup[.]org domain”, says The Register.
Because of this coincidence, the ransomware operators attacked the company. Recall that the Maze malware not only encrypts files on infected machines, but first steals data from victim networks, which the hackers then use as leverage.
Brett Callow, an analyst with Emsisoft, discovered the hackers' error when he examined a data dump that the operators had published on their ransomware website in an attempt to threaten the hacked CSA Group and force the company to pay a ransom.
The researcher checked the files and found among them documents related to the design and construction of buildings in Puerto Rico.
“Some files seem to have been sent from the mailboxes to csagroup[.]com, which indicates that the architects, not the Canadian Standardization Association, were victims of the ransomware”, says Brett Callow.
The analyst writes that this is not the first case of an attack on the wrong target. Earlier, experts observed the operators of the DoppelPaymer ransomware attack the wrong bank because the names of two financial institutions turned out to be similar. Callow notes that the creators of DoppelPaymer at least had the decency to publish an apology and admit their mistake.
The Emsisoft expert believes that the Maze operators' mistake was caused by working under stressful conditions, because the COVID-19 pandemic is effectively depriving companies of cash and therefore of the ability to pay ransoms to the operators. He notes that the group alluded to this in one of its recent posts, which says:
“We live in the same economic reality as you. That is why we prefer to work within the framework of agreements and are always ready for compromises.”
The Maze website still lists the name of the wrong company next to the data dump. Journalists from The Register attempted to contact representatives of the CSA Group (the New York architects), but this turned out to be difficult, as the company has switched off its site and is almost inactive on social networks.
It is also worth recalling that the operators of the Maze, LockBit, and Ragnar Locker ransomware joined forces and named their criminal association the Maze Cartel.