The operators of the Maze ransomware kept their promise: without receiving a ransom from LG Electronics and Xerox, the attackers published the data stolen from the companies on their website. Thus, the hackers revealed 50.2 GB of data that they allegedly stole from the LG internal network, as well as 25.8 GB of data allegedly belonging to Xerox.
For readers who have not followed the news for a while, a reminder: since the end of 2019, ransomware developers have been "working" according to a new scheme that lets them extract more money from victims. In essence, they demand two ransoms from the affected companies: one for decrypting the data, and another for deleting the information stolen during the attack. If the victim does not pay, the attackers threaten to publish this data openly.
It all started with the operators of the Maze ransomware, who began to publish files stolen from the attacked companies if the victims refused to pay. The hackers set up a special website for such "leaks", and soon other groups followed their example, including Sodinokibi, DoppelPaymer, Clop, Sekhmet, Nefilim, Mespinoza, Ako, Netwalker and others.
Information security experts believe that LG Electronics and Xerox were likely compromised through the CVE-2019-19781 vulnerability, which affects several versions of Citrix Application Delivery Controller (ADC) and Citrix Gateway, as well as two older versions of Citrix SD-WAN WANOP. The problem was discovered at the end of 2019, and even then analysts warned that more than 80,000 vulnerable servers were exposed on the public internet, meaning the flaw threatened tens of thousands of companies in 158 countries.
ZDNet writes that, judging by the screenshots published by the Maze group at the end of June and by sample files from the dump, the information stolen from LG includes firmware source code for various company products, including phones and laptops.
Maze's operators told reporters that they hadn't tried to launch an encryptor on the company's network at all. The hackers simply stole LG's proprietary data and went straight to the second stage of extortion.
“We decided not to perform (encryption) because they have socially significant clients, and we didn't want to create problems in their work, so we just stole the data,” the hackers say.
LG representatives declined to comment on what was going on.
How the attack on Xerox unfolded is virtually unknown at this point. For example, it is unclear which of the company's internal systems were affected by the Maze ransomware, and whether encryption was used at all or whether the group, as in the case of LG, only stole files from the company.
A cursory analysis of the released data showed that hackers had stolen information related to customer support operations. In particular, ZDNet reporters were able to find data concerning Xerox employees, but have not yet found any data about the company's customers. However, the publication notes that due to the large volume of the dump, it will take a lot of time to study it in detail.