Black hat hacker group Maze has infected the infrastructure of a firm researching the coronavirus with ransomware, managing to steal and publish sensitive data.

The hack of medical information

Cybersecurity firm Emsisoft told Cointelegraph on March 23 that Maze group’s hackers compromised United Kingdom medical firm Hammersmith Medicines Research. The published data includes sensitive data on medical test volunteers such as id documents like passports, medical background and details of the tests. Emsisoft threat analyst Brett Callow said:

“[The data] is on the clear web where it can be accessed by anybody with an internet connection. [...] The criminals almost certainly haven’t published all the data that was stolen. Their modus operandi is to first name the companies they’ve hit on their website and, if that doesn’t convince them to pay, to publish a small of the amount of their data — which is the stage this incident appears to be at — as so-called ‘proofs.’”

Fortunately, ComputerWeekly reports that the Hammersmith Medicines Research was able to make the systems operational by the end of the day. Callow noted that “it would appear they were able to quickly restore their systems from backups.” He also said that the data previously published on the hacker’s website is no longer available:

“Note that, since the ComputerWeekly report ran, the data stolen from HMR has been ‘temporarily removed’ from the criminals’ website. [...] But here’s the problem. Other criminals download the data posted on these leak sites and use it for their own purposes.”

Callow told Cointelegraph that he does not know how high the ransom demanded was. Still, he pointed out that the group has previously asked for about $1 million in Bitcoin for restoring access to the data and another $1 million in BTC to delete their copy and stop publishing it.

As Cointelegraph reported in early February, Maze also compromised five United States law firms and demanded two 100 Bitcoin ransoms in exchange for restoring data and deleting their copy. Callow said that ransomware groups nearly always request to be paid in Bitcoin:

“99% of ransom demands are in Bitcoin and, to date, it has been the Maze group’s currency of choice.”

Criminals are not Robin Hood

In previous incidents, Maze also published stolen data on Russian cybercrime forums recommending to “Use this information in any nefarious ways that you want.” Callow also criticized “a not inconsiderable number of publications” that recently reported about how some ransomware groups — including Maze — stopped their attacks for the time of the pandemic. He said:

“A not inconsiderable number of publications recently reported that some ransomware groups, including Maze, had declared an amnesty on attacks on medical organizations for the duration of the Covid-10 outbreak and I’ve since seen them described as ‘Robin Hood-esque.’ This clearly demonstrates that, to the surprise of absolutely nobody, criminals cannot be trusted and it is a mistake for them to be given a voice.”

Callow said that the threat level is the same that it has always been, or possibly higher. He also insisted that “these groups should not be given a platform which enables them to downplay that fact.” This is in line with the recent Emsisoft report according to which ransomware attacks have a seasonal aspect and the number of attacks spikes during the spring and summer months.