The anonymous operators behind the Maze Ransomware are being sued by a victim for illegally accessing their network, stealing data, encrypting computers, and publishing the stolen data after a ransom was not paid.

The company suing Maze is Southwire, a leading wire and cable manufacturer from Carrollton, Georgia, who was attacked in December 2019. As part of this attack, the ransomware allegedly stole 120GB of data and encrypted 878 devices.

After a ransom of 850 bitcoins, or $6 million. was not paid by Southwire, the Maze operators published a portion of their stolen data on a "news" site that the threat actors created.

Southwire Data Published by Maze

This site is hosted at an ISP in Ireland that Southwire states that they contacted repeatedly but did not receive a response.

Southwire sues Maze operatings

On December 31st, 2019, Southwire filed a lawsuit in the Northern District of Georgia, USA against the Maze operators and sought injunctions against a hosting provider in Ireland for hosting the Maze news site and stolen files.

In a civil action against "John Doe", Southwire is requesting injunctive relief and damages against the Maze operators for the encryption of their network and the publishing of stolen data retrieved during the ransomware attack.

"This is a civil action for injunctive relief and damages against Defendant arising under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the common law of trespass to chattels. As further alleged below, Defendant wrongfully accessed Southwire’s computer systems and extracted Southwire’s confidential business information and other sensitive information from the computer systems. Defendant then demanded several million dollars to keep the information private, but after Southwire refused Defendant’s extortion, Defendant wrongfully posted part of Southwire’s confidential information on a publicly-accessible website that Defendant controls."

While it may appear strange to file a lawsuit against the Maze operators, several lawyers that BleepingComputer spoke to stated it may be to reserve their spot for monetary damages in the event that money is recovered by the government. This action could also be used to provide injunctive relief against any U.S. based hosting provider or organization that publishes the data stolen by Maze.

"Title 18, United States Code, Section 1030(g) provides that “any person who suffers damage or loss by reason of a violation of this security may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” Under 18 U.S.C. § 1030(g), (a)(2)(C), and (c)(4)(A)(i)(I), a civil action may be brought if the conduct involves a loss during any one-year period aggregating at least $5,000 in value. Defendant violated the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C), by knowingly and intentionally accessing Southwire’s protected computers without authorization or in excess of any authorization and thereby obtaining information from the protected computers in a transaction involving an interstate or foreign communication."

As part of the lawsuit, two exhibits were includes; one of the ransom note and a redacted image, which was most likely the stolen data or maze news site.

Exhibit 1 (Click to enlarge)

Southwire seeks injunctive relief in Ireland

In a related action, counsel for Southwire requested injunctive relief from the courts of Ireland against the company hosting the Maze news site and the stolen files.

According to the TheJournal.ie, Southwire made repeated demands to the web hosting company named World Hosting Farm Limited, who is hosting the Maze news site, to remove their stolen data, but never received a response.

Due to this, the company sought injuctive relief against the involved parties.

"The injunction requires the defendants to remove all data relating to Southwire and its customers from the website," TheJournal.ie reported. "The order also compels the defendants to hand up all data taken from Southwire, and that no further material is taken from the US firm be published on the internet or anywhere else."

The temporary injunction was granted in part, but the court did not prohibit the media from mentioning the victim's name as part of their reporting.

Since then, BleepingComputer can confirm that the Maze news site has been taken down by the hosting company and is no longer accessible.

It is not known if the Maze team will attempt to host their news site with another hosting provider or move it to Tor where it will be much harder to take down.

This could also be a dangerous move by Southwire as it could lead to the Maze operators releasing all of the stolen data rather than just a few files.

"This is a bold but risky move by Southwire. It could push the Maze Group into releasing all of the company’s data while the website takedown could result in a game of whack-a-mole in which the data is published in other, possibly more visible, locations,” Emsisoft threat analyst Brett Callow told BleepingComputer via an email conversation.

With the Maze operators being very public regarding their operations and willingness to publish stolen data, this could be a move that could lead to more data being exposed.

BleepingComputer has contacted the lawyers for Southwire with questions regarding their lawsuit, but have not heard back at this time.

Update 1/3/2020:

On the same day as the courts in Ireland issued an injunction, the Maze news site was taken down.

In response to our queries, we received the following statement from Artur Grabowski, the CEO of World Hosting Farm LTD, about their shutting down of the Maze "news" site that was hosted at his company.