The Maze Ransomware operators have released an additional 14GB of files that they claim were stolen from one of their victims for not paying a ransomware demand.

In December the Maze Ransomware operators attacked Southwire, a wire and cable manufacturer out of Georgia, and allegedly stole 120GB worth of files before encrypting 878 devices on the network.

Maze then demanded $6 million in bitcoins or they would publicly release Southwire's stolen files.

When Southwire did not make a payment, the Maze operators uploaded some of the company's files to a "News" site that they had created to shame non-paying victims.

This led to Southwire filing a lawsuit against Maze in Georgia courts and asking for an injunction in the courts of Ireland against a web hosting provider who was hosting the Maze news site. This injunction led to the site being taken down and Southwire's stolen data being accessible.

"Not in retaliation"

Yesterday, the Maze operators released an additional 14.1GB of stolen files that they claim belong to Southwire on a Russian hacking forum. They further state that they will continue to release 10% of the data every week unless the ransom is paid.

"But now our website is back but not only that. Because of southwire actions, we will now start sharing their private information with you, this only 10% of their information and we will publish the next 10% of the information each week until they agree to negotiate. Use this information in any nefarious ways that you want", the Maze operators stated in their post.

When we asked the Maze operators if they released this additional data out of retaliation for the lawsuit, BleepingComputer was told:

" Before lawsuit it was just few files as a proof. Now it is 10% of 120GB, but not in retaliation. It was planned if they don't negotiate. We will post new parts every week if they don't change their mind.

So the next week another 10%, after 2 weeks another 10% and so on while 100% (120GB) is not published. They can stop this process by negotiating with us and revert it to full data destruction after payment.

In retaliation we have something more interesting ;)

But retaliation doesn't come if they begin negotiate with us."

When we asked what they meant by "something more interesting", they would not elaborate any further.

Ultimately, all companies should never pay a ransom as it only encourages this type of criminal behavior to continue. It is also easy to say that when you are not in Southwire's predicament.

Southwire now needs to weigh the cost of their data being exposed versus the cost of paying the ransom.

If their data contains third-party information, including personal information about employees or customers, then this attack would need to be classified also as a data breach.

This would then require additional costs for government notifications, customer and employee notifications, and potentially fines depending on any privacy laws that may have been violated.

As the data is being released in small batches, each one would constitute a separate data breach but could also potentially be reported under one breach notification.

BleepingComputer has contacted Southwire regarding the release of additional files, but have not heard back at this time.