
A Look at Maze Ransomware: Pitney Bowes Hit with Second Attack

According to the security report it updated this week, e-commerce giant Pitney Bowes thwarted a Maze ransomware attack earlier this month. This is the second such attack launched against the Stamford-based parcel and commerce company in the last 7 months.

While the Maze ransomware attack failed to encrypt the company’s data and hold it for ransom (which is where this type of attack gets its name), Pitney Bowes security officials admit that “the attackers did manage to gain access to a limited set of corporate file shares… [which] contained information used by our business teams … to conduct business-related activities.” The full scope of the breach is still under investigation.

However, this is not where the threat ends. While Pitney Bowes security experts were able to learn from a prior ransomware attack in October 2019 and prevent malicious encryption of company data, the group likely responsible for this attack specializes in a strategy that experts call “double extortion.” The Maze ransomware used in this attack made its double-extortion debut against facility service and security staffing company Allied Universal in late 2019. When company officials refused to pay the ransom, the attacker released some of the data they stole as punishment. Security professionals at Pitney Bowes are continuing to investigate what data was stolen and what significance it has to company security and customer privacy.

How Do Double Extortion Attacks Work?

Double extortion ransomware such as Maze puts victims in a uniquely uncomfortable position because it combines two kinds of risk and loss. The first is destruction of data, which can cause interruption of business, interference in personal life, or even legal consequences. If you own a business, imagine how your life would be affected if data needed for your next tax filing was erased. The second is threat of exposure, which makes victims particularly vulnerable. Having your data leaked online could result in loss of business, personal embarrassment, or violations of privacy. Consider how your work would be impacted if your confidential documents were made public.

Double extortion ransomware uses both methods to force victims into paying ransom. Once the malware is running on a victim’s computer, the program searches for data, copies it out to the attacker, and then renders the original unrecoverable by encrypting it. Then, a message is shown to the victim notifying them of the sabotage. Attackers instruct their victims to make payments through electronic funds transfers or Bitcoin transactions.

The attacker will promise that if you pay up, they will decrypt the affected data. If you don’t, they’ll permanently delete your data, post the stolen copy online, or both. But experts say you shouldn’t give in to an attacker’s demands. According to the FBI’s 2019 Internet Crime Report, multiple criminal cases detail victims who paid the ransom on time but never got their data restored by their attacker. There is no guarantee that stolen data won’t be published online later either. While data on tracked cases of cyber crime shows that the elderly are most vulnerable to malware threats, anyone who owns a business or uses the Internet can become a victim.
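The encryption phase described above has a recognisable footprint on an endpoint: one process renames many files to a new extension in a short burst and drops the same note file into every folder it touches. The following added example (written for this article, not code from rThreat, Pitney Bowes or any product) shows a detection heuristic run over a constructed file-activity log. The log format, the process names, the appended extension and the note filename are all assumptions chosen for illustration.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-activity log (not from any real product or incident).
# Assumed format: timestamp|pid|image|action|path|new_path  (new_path is set only for RENAME)
SAMPLE_LOG = r"""
2020-05-12T09:00:01|1204|winword.exe|WRITE|C:\Users\amy\Documents\q1-report.docx|
2020-05-12T09:00:05|3310|svchost.exe|WRITE|C:\Windows\Temp\update.log|
2020-05-12T09:00:09|1204|winword.exe|RENAME|C:\Users\amy\Documents\~$q1-report.tmp|C:\Users\amy\Documents\q1-report.docx
2020-05-12T09:01:10|4412|unknown.exe|RENAME|C:\Users\amy\Documents\q1-report.docx|C:\Users\amy\Documents\q1-report.docx.k7Xq2
2020-05-12T09:01:10|4412|unknown.exe|RENAME|C:\Users\amy\Documents\budget.xlsx|C:\Users\amy\Documents\budget.xlsx.k7Xq2
2020-05-12T09:01:11|4412|unknown.exe|WRITE|C:\Users\amy\Documents\RECOVER-YOUR-FILES.txt|
2020-05-12T09:01:11|4412|unknown.exe|RENAME|C:\Users\amy\Pictures\cat.jpg|C:\Users\amy\Pictures\cat.jpg.k7Xq2
2020-05-12T09:01:12|4412|unknown.exe|RENAME|C:\Users\amy\Pictures\dog.jpg|C:\Users\amy\Pictures\dog.jpg.k7Xq2
2020-05-12T09:01:12|4412|unknown.exe|WRITE|C:\Users\amy\Pictures\RECOVER-YOUR-FILES.txt|
2020-05-12T09:01:13|4412|unknown.exe|RENAME|C:\Shares\finance\payroll.csv|C:\Shares\finance\payroll.csv.k7Xq2
2020-05-12T09:01:14|4412|unknown.exe|RENAME|C:\Shares\finance\vendors.csv|C:\Shares\finance\vendors.csv.k7Xq2
2020-05-12T09:01:14|4412|unknown.exe|WRITE|C:\Shares\finance\RECOVER-YOUR-FILES.txt|
2020-05-12T09:05:00|2201|explorer.exe|RENAME|C:\Users\amy\Desktop\new.txt|C:\Users\amy\Desktop\notes.txt
"""

WINDOW = timedelta(seconds=60)   # assumption: burst window for counting renames
RENAME_THRESHOLD = 5             # extension-changing renames by one process inside WINDOW
MAX_DISTINCT_EXTS = 2            # ransomware tends to append one (or very few) extensions
NOTE_DIR_THRESHOLD = 2           # same note name written into at least this many folders
NOTE_KEYWORDS = ("DECRYPT", "RECOVER", "RESTORE", "README")   # assumption: typical note wording


def parse_log(text):
    """Parse the constructed pipe-separated log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, image, action, path, new_path = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid), "image": image,
                       "action": action, "path": path, "new_path": new_path})
    return events


def changed_extension(path, new_path):
    """True when a rename changes the file extension (ntpath handles Windows paths on any OS)."""
    return ntpath.splitext(path)[1].lower() != ntpath.splitext(new_path)[1].lower()


def detect(events):
    """Return alerts as (rule, pid, image, detail) tuples for ransomware-like file activity."""
    alerts = []
    renames = defaultdict(list)   # (pid, image) -> [(ts, new_extension), ...]
    notes = defaultdict(set)      # ((pid, image), NOTE_NAME) -> {directories written to}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["pid"], e["image"])
        if e["action"] == "RENAME" and changed_extension(e["path"], e["new_path"]):
            renames[key].append((e["ts"], ntpath.splitext(e["new_path"])[1].lower()))
        elif e["action"] == "WRITE":
            name = ntpath.basename(e["path"]).upper()
            if any(word in name for word in NOTE_KEYWORDS):
                notes[(key, name)].add(ntpath.dirname(e["path"]))

    # Rule 1: sliding window over each process's extension-changing renames.
    for key, items in renames.items():
        start = 0
        for end, (ts, _) in enumerate(items):
            while ts - items[start][0] > WINDOW:
                start += 1
            burst = items[start:end + 1]
            exts = {ext for _, ext in burst}
            if len(burst) >= RENAME_THRESHOLD and len(exts) <= MAX_DISTINCT_EXTS:
                alerts.append(("mass_rename", key[0], key[1],
                               f"{len(burst)} files renamed to {sorted(exts)} "
                               f"within {int(WINDOW.total_seconds())}s"))
                break

    # Rule 2: the same note-like filename dropped into several directories by one process.
    for (key, name), dirs in notes.items():
        if len(dirs) >= NOTE_DIR_THRESHOLD:
            alerts.append(("ransom_note", key[0], key[1],
                           f"{name} written in {len(dirs)} directories"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert, sep=" | ")
```

On the constructed log only pid 4412 trips both rules; the word processor's single temp-file rename and the desktop rename that keeps its extension do not. The thresholds are starting points: a real deployment would tune them against a baseline of backup, archiving and build processes that also rename many files legitimately, and would use them to trigger isolation of the host rather than just an alert.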

Your best safeguard against attacks by ransomware is to test your security infrastructure for vulnerabilities and educate your staff to recognize threats. rThreat’s platform enables companies to test their security solutions in a controlled environment to identify any gaps that may exist. We provide on-demand known and unknown threat artifacts that mimic real attacks that malicious actors use. By proactively testing your security measures and ensuring all of your solutions are working as they should, you can stay one step ahead of attackers and avoid becoming a victim of ransomware and other threats.

Spotting Ransomware Red Flags

Since the strategies that attackers use to compromise their victims are always changing, it is important to learn general principles that promote good Internet hygiene.

  • Treat incoming communication from sources you do not recognize with skepticism. Keep in mind that attackers may try to impersonate an authority figure, such as an IRS auditor, or someone you know personally, like a coworker or relative.
  • Attackers use tempting bait to trick victims into taking specific actions that compromise their security. Do not take the bait! Free money is almost always an empty promise.
  • Abundant spelling and grammar errors are sometimes on purpose. Some malware authors intentionally craft messages to appear obviously phony in order to weed out skeptical recipients and concentrate only on those who are less tech-savvy. What seems obvious to you may be news to someone else. When you receive spam or malicious emails, take a screenshot to preserve a record of the attempt to attack you. It can be used to inform your peers about what recent attacks look like. If you received the message through your work email, immediately notify your IT director.
  • If you are not sure whether an email, phone call, or text message is legitimate, verify its origin before responding or opening any links or attachments. Contact the organization the sender claims to represent through a channel you obtain independently, not one the message itself supplies. For example, if someone claiming to be from Mastercard sends you an email asking for information, do not respond. Call the customer service phone number printed on your credit card and ask them to help you verify the authenticity of the email.

What to Do if You Have Been Compromised

If you suspect you have been compromised by ransomware, the first thing you need to do is disconnect all infected computers from your network and disconnect any external drives. Once you have isolated the threat, you need to identify what type of ransomware compromised your system. Most ransomware threats will identify themselves in their extortion dialog. However, if you’re having trouble identifying which type you’re dealing with, sites like the No More Ransom project can help identify ransomware from the ransom note and a sample of an encrypted file. Figuring out which ransomware strain infected your system can provide clarity on what your options are for resolving the problem. The final thing you need to do is report the incident to the authorities. Why is this important? Reporting ransomware attacks allows law enforcement to conduct investigations and ultimately identify who was responsible for the attack. Reporting ransomware attacks can also help security researchers analyze and track these types of threats. You can submit an Internet Crime Complaint to the FBI, or you can inquire with your local authorities on how to submit a ransomware report.
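The identification and reporting steps above both depend on the same artifacts: the ransom note, the extension the malware appended, and a sample of an encrypted file. The following added example (written for this article; not rThreat's code and not tied to any real ransomware family) inventories an affected directory tree to collect exactly those. It builds a constructed victim tree in a temporary folder, with random bytes standing in for ciphertext, a made-up appended extension and a made-up note name; the entropy threshold and the "same file in several folders" heuristic for spotting notes are assumptions.

```python
import hashlib
import math
import os
import random
import tempfile
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.0   # assumption: bits per byte; encrypted or compressed data sits near 8.0
SAMPLE_BYTES = 65536      # only the first 64 KiB of each file is read
NOTE_TEXT = "Your files have been encrypted. Contact us for the key.\n"   # constructed note wording


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_sample_tree(root: str) -> None:
    """Constructed victim tree: encrypted-looking files (seeded random filler stands in for
    ciphertext), one untouched document, and the same note dropped into every folder."""
    rng = random.Random(7)
    for sub in ("Documents", "Pictures", "finance"):
        folder = os.path.join(root, sub)
        os.makedirs(folder)
        for name in ("a.docx", "b.xlsx"):
            with open(os.path.join(folder, name + ".k7Xq2"), "wb") as f:
                f.write(bytes(rng.getrandbits(8) for _ in range(4096)))
        with open(os.path.join(folder, "RECOVER-YOUR-FILES.txt"), "w") as f:
            f.write(NOTE_TEXT)
    with open(os.path.join(root, "Documents", "untouched.txt"), "w") as f:
        f.write("plain text " * 200)


def triage(root: str) -> dict:
    """Summarise a file tree: which extensions carry high-entropy files (the appended
    extension), how many files they cover, and which repeated files look like ransom notes."""
    per_ext = defaultdict(list)   # extension -> entropy of each file carrying it
    by_name = defaultdict(set)    # basename -> directories it appears in
    digests = {}                  # basename -> sha256 of the first copy seen (for the report)
    for dirpath, _, files in os.walk(root):
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as f:
                head = f.read(SAMPLE_BYTES)
            per_ext[os.path.splitext(name)[1]].append(shannon_entropy(head))
            by_name[name].add(dirpath)
            digests.setdefault(name, hashlib.sha256(head).hexdigest())

    suspect = sorted(ext for ext, ents in per_ext.items()
                     if ext and sum(ents) / len(ents) >= ENTROPY_THRESHOLD)
    # A note is the same low-entropy file repeated across folders; encrypted files are
    # excluded by their suspect extension even when their names repeat too.
    notes = [{"name": name, "dir_count": len(dirs), "sha256": digests[name]}
             for name, dirs in sorted(by_name.items())
             if len(dirs) >= 2 and os.path.splitext(name)[1] not in suspect]
    return {
        "suspect_extensions": suspect,
        "affected_files": sum(len(per_ext[e]) for e in suspect),
        "ransom_notes": notes,
    }


def run_demo() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Run it against a copy of the affected share rather than the live host, after the host has been disconnected as the text advises. The resulting summary (note filename and hash, appended extension, file count) is what an identification service asks for and what a law-enforcement report should contain; the entropy check also separates files the malware actually encrypted from ones it merely renamed, which matters when deciding what can be restored.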

Ultimately, how do we successfully combat ransomware attacks? The answer is simple: avoid falling victim to them in the first place. By validating your security solutions and addressing any vulnerabilities before you fall victim to an attack, you can confidently know that your data and valuable assets are protected from attackers. Taking a proactive approach, not a reactive approach, is an essential step towards safeguarding your system. If you would like to learn more about how rThreat can help protect you from ransomware and other threats, contact us today to request a demo.

Do you want to learn more about cybersecurity? Please subscribe to our newsletter.