Vigilante wishes to highlight two more ransomware groups that have adopted the Maze Team model of extorting their victims to pay: NetWalker and Ako. Under the Maze model, once the group has the victim’s data in its possession, it demands two separate ransoms; the first ransom amount is for providing a decryption key and the second is to delete all the data they copied and exfiltrated before locking up the victims’ files.

  • Since the beginning of May, NetWalker ransomware operators have attacked and publicly named five victim companies. The group has provided data samples for two of the victims, with warnings that the other three victims will experience the same consequence if they do not pay. Unlike Maze Team, though, NetWalker operators appear to be giving their victims more time to pay before the threat actors publicize the attack.
  • Ako ransomware operators have attacked and publicly named at least seven entities this month alone (May 2020): two in the medical sector, four in the business sector, and one k-12 public school district. As of this writing, the group has not dumped any data from the school district but warns that it will if the district does not pay. They have, however, dumped their other victims’ data.
  • Although ransom demands are generally not made public, Ako operators publicly noted that one of their victims had paid them the USD $350,000 fee for the decryption key but had not paid them the second fee to delete their copies of all exfiltrated data. In response, Ako dumped the corporate victim’s stolen files, including some of its client screening and due diligence files.

Vigilante analysts note that these different ransomware teams do not all use the same methods to gain footholds in victims’ networks. Ako, for example, favored spam emails with attached files that purportedly contained a zipped password-protected archive named “Agreement #…” that the recipient was instructed to open to view. The archive contained a file like “agreement.scr” that would deliver the ransomware when executed.

  • NetWalker recently targeted hospitals and healthcare entities and sent emails with subject lines claiming to provide information on COVID-19. Once opened, the emails delivered NetWalker ransomware directly.

Vigilante also wishes to highlight that Maze Team continues its campaign to extract ransoms and shaming victim companies publicly. For example, Maze Team recently threatened to dump 11 million full credit card numbers that they claim they exfiltrated from a bank. They then issued the below press release to further drive their threat home and increase pressure on the victim.

Maze 5-15 Article

Maze Team’s recent press release.

  • As a reminder, if an entity refuses to pay either or both ransoms within a few days of a Maze Team attack, the group names the victim company on a website they created and then dumps some of the data as a warning that more will be made public if the victim does not pay.
  • In some cases, it may be corporate data such as financials and bank accounts. In other cases, it may be Human Resource files or sensitive information on personnel. These data dumps tend to be advertised on a variety of Dark Web forums and the data are often downloaded by numerous entities, increasing the cost and pain to the victim entity and its customers.

Vigilante cautions that since these ransomware groups use a variety of attack methods, individuals and businesses should ensure that they have working backups of critical data and systems that are not connected to the network, and that they continue to reinforce training employees about not opening attachments or clicking on links from untrusted entities.

  • Similarly, with more employees working from home, entities will need to address security of home devices, the need to educate employees about avoiding persistent logins (especially if a family member also uses the device to access platforms for distance learning for students), and to remember to disable Remote Desktop Protocol as soon as it is not needed.