Tue, May 5, 2020
With the recent attack on a Fortune 500 IT service provider, Maze ransomware is back in the news. Kroll incident response (IR) practitioners worked on multiple Maze ransomware cases during the first quarter of 2020 and have new insights on the tactics, techniques and procedures (TTPs) of these actors and why organizations should revisit their IR plans.
In our work with one client, Kroll had access to a discussion with Maze actors that revealed some of their inner workings. Coupled with the new FAQ document that Maze recently posted on their “shaming” site, it becomes apparent these threat actors are leaving nothing to chance when pressuring victims to pay up quickly. Organizations should heed some of the claims and threatened reprisals for nonpayment as they provide direction for updates to existing incident response plans in the event of such attacks. Consider a few of their claims and threats:
As these examples of recent Kroll case work show, no industry sector is safe and actors hunt for data that can inflict the most reputational and regulatory damage.
According to Coveware, a ransomware recovery first responder, Maze's initial ransom demands are close to USD 2.3 million, second only to those demanded for Ryuk ransomware. The average final ransom amount after negotiation is closer to USD 1 million, a discount of roughly 55%.
Kroll has shared numerous best practices on how to avoid becoming a victim of ransomware. Likewise, we have described what to do first if an attack does succeed.
A new concern for organizations, however, is that the Maze ransomware operators have intensely compressed the decision-making process. In the past, organizations could somewhat control how and when to disclose the details of a suspected data breach. In many cases, organizations need time to ascertain the true extent of a reportable data breach and implement support mechanisms to meet the needs of affected consumers.
Now, with ransomware actors reaching out directly to an organization’s customers, the media and regulatory agencies, victim organizations must be prepared to act decisively and immediately.
As Kroll’s casework has proved, every organization can be a target for ransomware cybercriminals. Kroll has developed a Ransomware Preparedness Assessment that can help your organization better understand your unique vulnerabilities and how to avoid or mitigate ransomware harms. Call us today to learn more.