Lost In The maze? The ‘Maze’ Ransomware Targeting Law Firms

If you haven’t heard of the Maze Group cyber security risk, you won’t be alone. Almost all of their malicious efforts have centred on businesses in the US in recent months. So far, they have infected computer systems in a range of companies, including at least five law firms in South Dakota, Texas, and Oregon. But precisely who are the Maze Group, and do UK law firms have anything to be concerned about?

Who are Maze?

Maze is both a strain of ransomware and the hacking group that operates it. Both the FBI and the French authorities have issued formal warnings relating to the “Maze ransomware and attacker group TA2101”. Maze are particularly virulent in that they take a two-pronged approach to their attacks: they encrypt the data, making it inaccessible to victims, then publish the names of the companies they have breached, and later release small amounts of stolen data if victims do not pay their ransom. In the case of cable manufacturer Southwire, which was breached by Maze in December 2019, a large portion of the 120GB of stolen data was made public on a Russian hacking forum after the company refused to pay $6m in bitcoin. And if that wasn’t enough, to force payment, Maze say they will release 10% more of the data each week until payment is made. As such, the modus operandi of Maze is clear: steal vast amounts of sensitive data, then coerce victims into paying large ransoms.

According to Brett Callow, a cyber security analyst with security vendor Emsisoft, the approach of publishing target company names and releasing only small amounts of proof data “makes sense. The more data they publish and the more sensitive that data is, the less incentive an organisation has to pay to prevent the remaining data being published,” said Callow. “It’s the equivalent of a kidnapper sending a pinky finger. If the organisation still doesn’t pay, the remaining data is published, sometimes on a staggered basis.”

By targeting healthcare and legal businesses, they clearly understand that the data held by such entities is particularly sensitive, and that its exposure can bring the victim huge reputational damage and fines from regulatory bodies.

In some cases, Maze will ask for two payments: one to decrypt the data (thereby restoring access), and another to destroy the copy they have stolen. The victim has no way of verifying that the second promise is kept.

What do we know about Maze’s intentions for law firms?

It is clear that the legal sector is on the radar of the Maze group. Interestingly, it is believed they are targeting smaller law firms that lack the financial resources to implement robust cyber security capability (typically firms with no more than 30 fee-earners). So far US law firms including Bangs McCullen; Lynn, Jackson, Shultz & Lebrun; Baker Wotring; Hamilton & Naumes; and Costello Porter have been compromised. Ransoms of the scale being demanded by Maze (often in the millions) have the potential to inflict losses from which even large law firms may never recover.

Most recently, a “full dump” of the data stolen from Baker Wotring was made public by Maze. This included “pain diaries from personal injury cases, fee agreements, HIPAA consent forms and more”.

What is known is that systems are being infiltrated through email, using malicious attachments which, once opened, execute the malware and give the attackers a foothold from which they spread through internal systems. In the case of law firms, Mr Callow believes it is most likely that the Maze Group are carefully crafting emails which lawyers are likely to open.

Will Maze be a problem for UK law firms?

Possibly. Maze has already infiltrated French construction company Bouygues Construction and other companies in the EU (including in Italy). Indeed, some sources believe that UK businesses have already been hit. That said, the problem isn’t the Maze group itself; it is the type of threat it represents for law firms. Copy-cat attacks may see other malicious groups seeking to steal sensitive data and use public leaking and naming-and-shaming tactics to force the hand of their victims. Given the highly personal and confidential nature of the data held by many law firms, the danger of this is self-evident.

Final words

Cybersecurity experts are now seeing two common types of cyber crime being combined for greater effect: ransomware and data exfiltration (i.e. the theft of data). Quite whether such tactics will succeed in the long run remains to be seen. Perhaps some businesses will take the view that if a breach has occurred, they must inform the relevant information authorities anyway, and hence the damage is already done.

UK law firms should make themselves as ready as possible for the use of such tactics. As we have established, malicious entities such as the Maze Group have been targeting smaller law firms in the US that lack sufficient cyber security defences. As their chosen method is the relatively low-tech one of infected email attachments, the core mitigations are inexpensive and straightforward for any law firm: blocking or quarantining executable and macro-enabled attachments at the mail gateway, keeping firewall and endpoint protection software up to date, applying security patches promptly, and training staff to treat unexpected attachments with suspicion. Because Maze steal the data before encrypting it, restoring from backup removes only half of their leverage; preventing the initial compromise is what matters most.
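As an added example that is not part of the original article, the following Python script shows the kind of attachment policy an inbound mail filter would apply to the email vector described above: it inspects file content before trusting the file name or declared MIME type, looks inside archives and Office containers for executables and macro projects, and holds anything it cannot inspect. The extension lists, the verdict names and the sample message are assumptions constructed for this illustration, not Maze indicators or a vendor's rule set.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Policy tables: assumptions for this example; tune them to what the firm must receive.
BLOCKED_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
               ".ps1", ".bat", ".cmd", ".lnk", ".iso", ".img"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}

PE_MAGIC = b"MZ"                                   # Windows executable
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # zip archive or Office Open XML
SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}


def classify_attachment(filename: str, data: bytes, depth: int = 0) -> str:
    """Return 'allow', 'quarantine' or 'block' for one attachment.

    Content is inspected before the file name, so renaming malware.exe to
    report.pdf (or declaring it as application/pdf) does not get it through.
    """
    ext = PurePosixPath((filename or "").lower()).suffix

    if data[:2] == PE_MAGIC:
        return "block"
    if data[:8] == OLE_MAGIC:
        return "quarantine"          # may carry VBA macros; hold for review

    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                if "[Content_Types].xml" in names:
                    # Office Open XML: the macro project is a member file and
                    # survives renaming the document from .docm to .docx.
                    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
                    return "quarantine" if has_vba else "allow"
                if depth >= 2:
                    return "quarantine"  # too deeply nested to inspect
                # Plain archive: the verdict is the worst verdict of any member.
                verdict = "allow"
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = classify_attachment(info.filename, zf.read(info), depth + 1)
                    if SEVERITY[member] > SEVERITY[verdict]:
                        verdict = member
                return verdict
        except (zipfile.BadZipFile, RuntimeError):
            return "quarantine"      # corrupt or password-protected: cannot inspect

    if ext in BLOCKED_EXT:
        return "block"
    if ext in MACRO_EXT:
        return "quarantine"
    return "allow"


def check_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return {attachment name: verdict}."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdicts[name] = classify_attachment(name, part.get_payload(decode=True) or b"")
    return verdicts


def _zip_bytes(members: dict) -> bytes:
    """Build an in-memory zip from {member name: content} (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed test message; none of the attachments is a real malware sample."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "partner@law-firm.example"
    msg["Subject"] = "Settlement documents"
    msg.set_content("Please review the attached documents before the hearing.")
    msg.add_attachment(b"%PDF-1.4\n%stub\n", maintype="application", subtype="pdf",
                       filename="settlement.pdf")
    # Executable (PE header) disguised as a PDF by both name and MIME type.
    msg.add_attachment(PE_MAGIC + b"\x00" * 62, maintype="application", subtype="pdf",
                       filename="court_order.pdf")
    # Archive hiding a script among harmless files.
    msg.add_attachment(_zip_bytes({"notes.txt": "nothing to see", "invoice.js": "x=1"}),
                       maintype="application", subtype="zip", filename="invoices.zip")
    # Macro-enabled Word document renamed to .docx (minimal container).
    msg.add_attachment(_zip_bytes({"[Content_Types].xml": "<Types/>",
                                   "word/vbaProject.bin": "placeholder"}),
                       maintype="application", subtype="octet-stream", filename="retainer.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in check_message(build_sample_message()).items():
        print(f"{verdict:10s} {name}")
```

Run against the constructed message, the benign PDF is allowed, the disguised executable and the archive containing a script are blocked, and the renamed macro document is quarantined. Password-protected archives land in quarantine rather than being delivered, because an attachment the filter cannot open is exactly the kind a human should look at before a lawyer does; this check complements staff awareness, it does not replace it.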