The LockBit ransomware gang launched a new data leaks website after sharing a portal with Maze ransomware attackers for a few months.

Two Victims Disclosed Thus Far

According to Bleeping Computer on September 16, 2020, digital security intelligence firm Kela observed those responsible for LockBit had posted an announcement in a Russian-speaking forum about their new data leaks site. Bleeping Computer analyzed the new website and found that it contained the data of two victims at the time of Kela’s discovery. One victim was an automation parts manufacturer, while the other was a shipping company.

LockBit’s handlers launched a data leaks website earlier in 2020. But they shuttered that portal around the time they joined Maze’s “extortion cartel” of ransomware gangs and began sharing its data leaks infrastructure.

The Maze ransomware gang was the first crypto-malware group to steal victims’ plaintext information before activating their payload’s encryption routine. They first engaged in this behavior in November 2019 after infecting the network of a security staffing firm, per Bleeping Computer’s coverage.

Many other ransomware gangs have since responded by incorporating this technique into their respective malware’s attack chain, thereby making it a ransomware trend to watch for in 2020.

It’s unclear from this latest announcement whether LockBit will continue to use the Maze ransomware website.

The Give-and-Take Dynamic of the Maze Ransomware Cartel

LockBit’s operators no doubt applied their experience of sharing Maze’s portal to the task of creating their own data leaks website. But the Maze ransomware extortion cartel isn’t a one-way street. On the contrary, Maze’s attackers also learn from the crypto-malware gangs that partner with them.

One such instance caught the attention of Sophos a day after news of LockBit’s new data leaks site broke.

While investigating an incident in July of 2020, Sophos detected an attack in which malicious actors had attempted to repeatedly deploy Maze ransomware.

The attack was different than previous Maze ransomware incidents in that threat actors delivered their file-encrypting payload inside a Windows .msi installer file on a virtual machine’s (VM’s) virtual hard drive.

Those responsible for the attack attempt demanded $15 million from the targeted organization. Per Sophos’ reporting, the victim didn’t pay the ransom.

This incident wasn’t the first time Maze ransomware actors deployed their payload inside of a VM. Back in May 2020, for instance, an incident was detected involving Ragnar Locker, another member of Maze’s cartel.

That attack differed from the incident involving Maze ransomware. While the former involved a Windows XP VM, the latter made use of a VM running Windows 7. The virtual disk used in the Ragnar Locker attack was also a quarter of the size of the resource used in the Maze infection.

How to Defend Against Attacks Like Maze Ransomware

The developments described above highlight the need for organizations to protect themselves against a ransomware attack. To do this, they should look to prevent an attack like the one from Maze ransomware from occurring on their networks in the first place. Begin by using threat intelligence to craft a dynamic security awareness training program, educating employees about phishing campaigns and other common types of ransomware delivery vectors.

Organizations should complement this training with efforts to root out vulnerabilities in their security postures. They can do that by regularly submitting themselves to penetration tests, which can help organizations identify weak points in their networks. From there, they can prioritize their patching efforts and other remediation activities.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…