Vigilante warns that over the last few weeks, threat actor group Maze Team is claiming to have attacked at least two insurance companies with ransomware and may be eyeing additional insurance industry victims. Vigilante notes that the Maze brand of ransomware has no known decryptor, making the tool that much more lethal. Thus far, the attacks are being confirmed and touted only by Maze, with independent verification almost impossible because of the sensitive nature of the attacks and the dangers of disclosure by victims. Vigilante, however, provides Maze Team’s usual modus operandi below to shed light on this group and its methods:

  • Once the group has the victim’s data in its possession, it demands two separate ransoms; the first ransom amount is for providing a decryption key and the second is to delete all the data they copied and exfiltrated before locking up the victims’ files.
  • If an entity refuses to pay either or both ransoms within a few days of the attack, Maze Team names the victim company on a website they created (more details below) and then dumps some of the data as a warning that more will be made public if the victim does not pay.

Maze Team pioneered the public shaming of ransomware victims in 2019, since which time other ransomware groups have adopted the model of creating websites where they name reluctant victims and start making the victim data freely available.

  • In some cases, it may be corporate data such as financials and bank accounts. In other cases, it may be Human Resource files or sensitive information on personnel. In all cases, these data dumps tend to be advertised on a variety of Dark Web forums, and the data is often downloaded by numerous entities.
  • At least two of Maze Team’s victims have already been sued over their data breaches, which highlights another pain point victims deal with in the aftermath of these attacks.

Vigilante remains watchful and is engaged within underground communities via our human operative network and technical platforms to monitor for any indication of further action against the insurance industry, particularly during these tough times.

  • As a reminder, Maze Team uses a variety of attack methods. Clients should ensure that they have working backups of critical data and systems that are not connected to the network. Vigilante notes that even when the ransom is paid and threat actors promise to delete all copies of stolen data, they often retain access to the data for future misuse.