‘Maze’ group behind Pensacola ransomware published city files online
The hacker group claiming credit for a ransomware attack earlier this month against Pensacola, Florida, on Monday posted files belonging to the city government to a website where the hackers say they are publishing data stolen from victims who refuse to meet their demands. The move, which the same hackers have also used against several private-sector victims, is meant to pressure the city into paying a $1 million ransom, a demand that Pensacola leaders have refused to meet.
Since the weekend, the group has uploaded to a publicly available website two files that it claimed it exfiltrated from Pensacola’s data stores. The first was a Microsoft Excel file appearing to be an employee’s timesheet. The second, posted Monday morning, is a two-gigabyte tranche of city files the hackers claim is just a sample of what their malware stole.
“IT’S ONLY 10% OF TOTAL INFO WE HAVE,” the group wrote in a message posted with a link to the file.
Pensacola was hit Dec. 7 in an attack that rendered the city’s phones, email servers, 311 line and online bill payment systems nonfunctional. The virus was identified as Maze after officials said it was similar to another recent attack against Allied Universal, a global facilities services firm.
The Maze hackers have made similar threats to several private-sector victims since launching the site this month, though Pensacola appears to be the first government target included.
“Represented here companies dont wish to cooperate with us, and trying to hide our successful attack on their resources,” a message at the top of the site reads. “Wait for their databases and private papers here. Follow the news!”
The intimidation tactic is not unique to Maze. According to security reporter Brian Krebs, hackers behind the Sodinokibi ransomware, the culprit in an August attack that hit 23 local governments in Texas, have also hinted at plans to out victims who do not pay. Brett Callow, an analyst at the cybersecurity firm Emsisoft, told StateScoop that the Maze hackers’ latest move is confirmation that Pensacola’s data was compromised.
“The group is using the stolen data as additional leverage to extort payment,” Callow said. “Whether the city pays or doesn’t pay, the end result is exactly the same: their data is in the hands of cybercriminals. Were the city to pay, it would simply have the criminals’ word that the data wouldn’t be released or that they wouldn’t attempt to extort money for a second time.”
Maze malware, which was first identified last May, is often delivered via spearphishing emails posing as government agencies like tax collectors or postal services, and has been seen in the United States, Italy and Germany. Callow said the Maze hackers’ escalation to releasing victims’ files into the wild should prod governments and other IT organizations to redouble their efforts to protect their networks.
“What this means is that prevention and detection are more critical than ever,” he said. “Once data has been stolen, there’s no way to get it back.”
Kaycee Lagarde, a spokeswoman for Pensacola, declined to comment on a state and federal investigation into the city’s ransomware incident. But she did say the city plans to issue a series of notifications to people who may have been affected by the theft of the data, including current and former employees, customers of municipal agencies and housing clients. The city will also offer those people one year of identity-protection services.
“Although we do not have confirmation that any personal data was compromised, we are making these notifications out of an abundance of caution and because we felt it was the right thing to do for our employees, customers and residents,” she said.
Lagarde said notifications will go out to nearly 60,000 people.