100 comments

[ 3.3 ms ] story [ 158 ms ] thread
Anyone have a link to Maze's website?
Obviously even if someone did have that link they should not post it here. Giving wider visibility to this makes the problem worse, though I'm all for releasing the names of those companies.
> Giving wider visibility to this makes the problem worse, though I'm all for releasing the names of those companies.

Aren't these mutually exclusive positions?

No, because the data affects the data subjects but the names of the companies just affect the companies and gives their customers a fighting chance at limiting the damage.
It's indexed on Google and you can find it by searching for phrases from the posted screenshots. Be careful opening the files on there.
They're not just outing them, they're dumping their data. That changes the risk dynamic significantly. Before, if you didn't pay, you didn't get your data back. Now, you don't pay, they expose all your data to the world. For some companies, that will be a significantly more compelling reason to pay the ransom.
If you don't pay and they expose your data to the world, doesn't that mean you can effectively get it back without paying?
What makes you think the data is complete and/or hasn't been poisoned?
What if the data is highly proprietary and now all your competitors have access?
There are legal avenues you can use for that. the bigger danger (for most cases at least) is raised by your sibling, you can't trust the data anymore to be the same either innocently or maliciously.
On the plus side, you get your data back.

Kidding aside, these are serious breaches and it would be good to at least have the names of the companies out there. By law they were required to report anyway and the local authorities in turn would publish / fine.

So downloading this data would be strictly off-limits but the names of the companies should be public so that people at least have a chance to know that they have been affected.

One way of leaving it to the people to make the wealth trickle down!
Looks like they're doing our job.

First, the message was "backup your data". Now, they also added "encrypt your data"!

Does encryption really help? If they've compromised your system well enough to lock you out of it, aren't they likely to have nabbed your passwords in the process? Even if you were incredibly careful, there's not much you can do about a keylogger. If you could prevent a keylogger, you could lock them out entirely.
Maybe? AFAIK having more walls will result in less intrusions... Like, I imagine that you can delete/encrypt all the files simply by having a local username / network filesystem accesss. Doesn't necessarily mean you also managed to hack usernames/passwords/databases/source code... Each wall is another barrier to pass/hack!
You can have 25 walls if you want but all it takes is Sally in accounts who thinks it's a good idea to open this one email attachment...If went rogue I'd probably be able to hack my company left and right and I'm not even remotely someone with those skills.
Relying on every employee to not do something "stupid" (i.e. stupid to us but how would a non-programmer know without extensive training) is a fundamentally flawed approach... Companies need to think about this, need to adapt processes to account for failure at as many levels as possible. "bus factor" and so on.
If you're letting arbitrary attachments in and allowing arbitrary executables to run then Sally is the victim of gross incompetence.

Everyone has jobs to do and they can't do them effectively if you need them to think through information security for every interaction. You have to build the rails and create a safe work area. User education is truly the last layer because if everything fails maybe the user will remember something we said.

Rogue employees require a lot more traditional security and trust. Someone could always just physically destroy company property, and Sally could always approve fraudulent transactions, so you have to start there and it'll get you pretty far.

It does but it isn't a panacea, if you leave the keys accessible or the wrong subsystems vulnerable it won't save you but a properly isolated encrypted repository greatly mitigates the damage possibilities to 'rendered inaccessible' or 'exposed but it will take decades before they can even think about decrypting it with a multi-billion dollar budget'.
> there's not much you can do about a keylogger

How come keystrokes aren't encrypted yet? I don't really have the foggiest idea how my computer interprets the data that comes from me turning on and off a bunch of switches in rapid succession but it's odd to me that we all kind of accept that we're screwed if a bad actor starts logging our keystrokes.

Wouldn't that be impossible? One time pad and E2E wouldn't work because the pad and both ends would be on the same compromised machine. In the end you need info to get from the user to the infected machine and at some it will be unencrypted.

It's the equivalent of having a camera above the keyboard. Really not much you can do there.

I guess encrypt isn’t really the right word but I was imagining something similar to how you can program autocorrect and autocomplete on the iPhone. So when I log go to gmail.com and go to the password box I’d type “gmailP@ssword” (and presumably any keyloggers on my machine would capture gmailP@ssword) and then the computer would correct it to the real password.

But like I said, I know nothing about the computer magic behind my keystrokes.

There's also "compartmentalize your data", so that one breach doesn't get it all.

Compartmentalization is a guiding principle for things like spy networks. It's also how you make critical equipment able to survive failures.

(comment deleted)
Shouldn't any breach like that automatically be treated as data breach? I mean, maybe the crooks wouldn't publish the data, but they certainly had access to it and could resell it to whoever is willing to pay anyway, even if you paid the ransom. There's no way to ensure that doesn't happen.
Absolutely. Unless you still have ironclad logging showing that no data was transferred.
Is this not a confession, anyone connected to the domain and the hosting asn and the ISP is going to have good opsec or not ever travel outside certain countries.
>anyone connected to the domain and the hosting asn and the ISP is going to have good opsec

Why would the hosting company/ISP be at risk? Just run it from a non-US extradition friendly country, and say that you won't take any action unless there's a court order from your local court.

Conspiracy, computer misuse laws for one and if you targeted CNI sites - much stronger laws -)
(comment deleted)
Some of us mentioned that this would happen once GDPR came out. Not disclosing breaches is now a punishable offense, and this becomes a weapon in the hands of malicious hackers.
Viewed from the 'sometimes things have to get worse before they get better' lens, it might drive better security/backups/etc in the medium term.
If anything, this escalation would seem to _discourage_ backups. Backups are another way to leak data.
Any adminstrator who thinks that is a rational policy should be fired.
Agreed, but a lawyer who thought it is a rational policy may be right. And if the IT admin is arguing against the counsel he is unlikely to win that argument.
In what way would a lawyer who thought it is a rational policy be right?
He might be general counsel, in which case he would outrank any IT admin. In many organizations, that is another way to be "right".
When ransomware is the issue, that's the wrong way to be right.
As admin you must then document the communications and escalate until you're heard. If even CEO won't listen you're either wrong or need to report to authority outside org through established means.
Ideally, backups (or at least the decryption key for the backup) would be stored in offline, air-gapped storage.
> Not disclosing breaches is now a punishable offense, and this becomes a weapon in the hands of malicious hackers.

Maybe that wasn't meant as such, but it comes across, at least to me, as an argument that making non-disclosure punishable was a bad idea. If that was the argument, then I'd point out that the same thing can be said of criminalising any offence at all.

there is no argument. there's also no law that demands you to report all crimes.

and this law does give an incentive to cover up, as long as the ransom is < fines .

Any entity that settles without making the required disclosure of the breach (see my other post) puts itself at risk of being blackmailed over that non-disclosure.
of course, but that is a risk, while the fines are definite
Definite and limited. Once you take the cover-up route, the potential cost escalates unpredictably, and there is nothing definite about the ultimate cost.
actually, the law acts as a guideline about which point you should cut your losses.
Indeed it does, which is to not go that route.
From article 4:

(12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

So it seems that a ransomware attack is considered a breach - as it should be - and neither exfiltration nor disclosure is necessary for that to be the case.

Any sort of access is a weapon in the hands of a malicious hacker. Penalties for allowing it to happen are weapons in the hands of those trying to do something about it.

security is notoriously asymmetric and a continuous arms race, so it's rarely a case of "allowing it to happen". There is a case to be made for making it unprofitable for hackers to run such operations. The law here does the opposite by making it more lucrative.

i think the best thing to do is to minimize sensitive data completely, no logs no nothing. But then you move the burden of security to the end user (e.g. they 'll have to re-enter their credit card every time), which is probably higher risk.

If everyone adopted your solution, the issue that you originally posted about would no longer be an issue, so the best way to get everyone to your solution would be increase the penalties until nothing else is viable!

The reality is that you are creating a false dichotomy / straw man here. While reducing the amount of personal information that is gathered and stored should be the first response, that which remains can be handled appropriately with encryption and defense-in-depth.

Maybe this will convince businesses to encrypt user data end-to-end.

Either lose the pennies you would've made from data mining or lose real millions from getting ransomed. Your choice.

Usually you can't. Services depend on user data, so the company needs the key.

It works only for storage service basically (or messaging, where the two have the keys).

For many businesses that's not really possible. For your standard e-commerce website the majority of the data you have is what people are ordering. How do you end-to-end encrypt that? What about internal documents and memos? User names and email addresses (not as valuable as passwords but still useful if you join it against other data sets)?
Yes, it's very hard. They would have to completely re-architecture their systems.

For e-commerce, the client can sign his or her address with the shipper's public key, so that only the shipper and the recipient are guaranteed to know the address. To the user, this could happen transparently without any change in UX, where the e-commerce website acts like a keyserver.

For email addresses, phone numbers, names, etc. it is more difficult. You can't just store a hash of the email address if you want to ever be able to email your customers.

Internal documents can be more trivially end-to-end encrypted. Imagine the whole company shares a WhatsApp group chat. Nobody has to ever hold a plaintext copy of an internal document. Only permit access on company devices which hold the keys in hardware.

I assume most of these occur through phishing and very few occur by someone sniffing unencrypted data in transit.
No I'm talking about the rows in their database being ciphertext with the client having the private key
Yes, but public leaks of customer data are a GDPR violation that you get fined for. If the data is end-to-end encrypted, this mitigates the risk substantially.
I would bet most of this users clicking things they should not. recently my company put out a phishing email and people clicked on it and then started a thread on the internal forums about how mad they were the company would do this (they had to take extra training if the fell for it). Another co worker was telling me about his old position where he put the thumb drives in parking lots and people would pick them up and plug them into their work computer, and the would get mad that their security team did this exercise and caught them.

Yes a lot can still be done with security on machines and traffic, etc.... But the human factor is hard to control and fix. If someone sent out a phishing email with a link that said "click here to see magical unicorns jumping over a rainbow", someone would click it, i know poeple i work with who would click it. It gets, frustrating at least for me, since i have a lot to do with security where i am at.

This comment is non-responsive to the parent
What's frustrating is that we're still dealing with systems where these kinds of simple and obvious actions are not safe.

What reasonable person thinks that clicking on a link is a potentially dangerous act? That's how everything is done these days, and we're not supposed to trust that it is a safe operation?

We're not supposed to plug in a USB drive to see what's on it? That's pretty much all they're for!

People expect to plug in USB and all to magically work. In this case hardware/firmware get full access and can fry your port.

0-day bugs and lacking updates make promiscuous internet use hazardous, yet people expect browser to do everything a PC can.

Encryption will do nothing to stop this. If a user clicks a link and gets the malware, the malware will be doing it's damage inside of the encryption envelope or encrypting already encrypted data which has the same effect.
If you had good backups, you didn't had to pay until now.

But to make the data public, they have to download all the data first. This might be detected.

I know from several companys who did set up the complete network again.

The most prominent company I know at moment is Pilz (pilz.com). There website was almost down for a month. Now after 2 months it possible to download datasheets and manuals again.

To be fair, if you are taken over by ransomware, it's probably the best decision to start from scratch and redesign your network so that this sort of thing is mitigated in the future.
Who said these things come from "your" network?
Because if it's an insider threat then you should have protections in place to identify bad actors so that they know they will be caught if they even try. If you don't then what are you even doing?
One thing to do to slow down such downloading is to add a great deal of bulk "junk" data, and have a rate limited network connection.
I can see this being a catastrophic outcome for hospitals. If the health and privacy of your patients is at stake, wouldn’t you pay up?
Let's hope this idea catches on with patent trolls too. It's about time they outed all the businesses that don't agree immediately to settle.
Some of those comments below the article are just scary.

People demanding death sentences and that Iran/China/Russia/North Korea be nuked, over private business data leaks?

It's like the problem of attribution never has existed, nowadays the "smoking cyber guns" are apparently everywhere.

Krebs has a better measured reply to the "Nuke 'em all!" comments.

https://krebsonsecurity.com/2019/12/ransomware-gangs-now-out...

What needs to become the norm for the US Govt response to these gangsters is for them to get in the habit of doing what they did in the Evil Corp case: Once the offenders are positively identified, get the Treasury to issue financial sanctions on them that prevent the crooks from transacting with people and businesses outside their home country.

https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-...

This is perhaps the most effective tool in law enforcement’s hands to combat cybercrime — short of apprehending the bad guys. None of these dudes want to be stuck in Russia, and they sure as hell don’t want all their money kept their either. Rather, they tend to launder it by investing in properties and other businesses outside their own country. Making it a crime for others to accept their money is an extremely effective way of frustrating these criminals.

On the other hand, many nations are making a concerted effort to undermine America's position as the global financial hegemon (e.g. Europe's INSTEX). What would America's recourse be were she to lose her control over global financial markets?
As long as oil is traded in USD that won't happen.
That makes as much sense as thinking it matters whether the volume of a barrel of oil is measured in US or metric measurements.

You can, like, exchange one currency for another. How do you think people buy oil with every currency other than the dollar?

There is a ton of dirty money seeking a laundering opportunity floating around, plenty of start-ups are at risk of ending up with an investor that may have an entirely different idea about what constitutes a good investment than your regular Angel/VC/PE entity. Always beware when the money comes looking for you.
> KrebsOnSecurity was able to verify that at least one of the companies listed on the site indeed recently suffered from a Maze ransomware infestation that has not yet been reported in the news media. I'd bet 90% of companies never publicly acknowledge they paid.

Another checkmark in the category of not making paying ransoms illegal. This whole new data-dump threat vector just doubles down the threat to keep it quiet and pay it out.

Law enforcement will rarely catch enough of these companies who do pay to make it meaningful. Most of these are small time private businesses who are more than capable of keeping it quiet, without information release obligations to investors.

We need public education campaigns for backing up company data offsite and encouraging more companies investing in security firms to up the bar for these attacks. It's the only way they'll slow down.

The next big step - pyramid schemes, where you can drop your own price to pay, if you convince others to pay up or infect them.
I thought the big advantage of ransomware (for "the gangs") was that it didnt actually require them to be able to extract the data. To impact a company you only needed to be able to get your malware on their device; extracting the data was not necessarily for you to acquire a ransom.

If my company is beset by ransomware, and they claim they will release it I can either assume:

1. They have extracted the data and therefor have to assume they arent just going to delete it because I sent them a check.

2. They are bluffing and have only encrypted my data.

I dont think I can count on #2.

Just imagine how much Facebook would pay up if a hacker had exfiltrated the database of all private Facebook messages, and was threatening to release them.
Facebook is so big and so much money is involved there that I think a hacker wouldn't be able to get much out of Facebook. When you steal billions from people then rules sometimes get bent when dealing with you.
What incentive would the hackers have for actually deleting their copy after receiving payment?
> Less than 48 hours ago, the cybercriminals behind the Maze Ransomware

I'd rather just call them "criminals".

The "cyber" prefix is generally unnecessary, and sometimes even misleading.

Yeah but reporting on "cybercrime" sounds a lot more glamorous than reporting on "crime."
Add to your favorite text substitution add-on the mapping "cyber" -> "spider" and you'll be less annoyed at its pervasive use.
So, what'd you think of Elon's spidertruck?
Spidernetics

Spiderterrorism

Spider-espionage

Spiderspace

Spidercrime

Yep, terrifying.

I recall a browser extension that replaced all instances of "cloud" with "butt" (or something like that)...

Maybe it's time for an update? :)

"ship-helmsmen-turned-criminals"
this could be a two fold disaster. correct me if I'm wrong, but isn't NOT reporting a breach a pretty heavy fine in some countries today? Worst, if they are dumping the data, people in the EU could be hit by GDPR fines as well if the exposed data shows they weren't keeping up with guidelines.
Absolutely, and this is problematic because now we end up with a set of incentives that works against the public interest. This will make it more likely for the companies affected to pay up. The one bit of light here is that it will show up in their accounting and auditors tend to have reporting obligations if they come across evidence of a crime.
Yes, if you read far enough the hackers point this out. They're asking for less money than the EU fine for non-disclosure.
If you've been infiltrated and your systems have been compromised, it has always been the case that your data may also have leaked. A responsible organization in this situation would take that possibility seriously, including the potential disclosures and legal ramifications that may come along with it.

Attempting to sweep such an incident under the rug should never have been a serious option, but of course organizations in this situation are usually looking to do as little as possible. So here we are. This is just taking that latent possibility and making it real and explicit.

Thanks to the bitcoin without it Ransomware gangs can't do that
If I understand correctly you are already required to report the data loss according to GDPR and you'll be fined accordingly, whether the data is then leaked or not.

Isn't the clear course of action then to report, pay the fine and tell the criminals to get lost?