An insurance and financial services company based out of Manitoba, Canada is the latest victim of the Maze Ransomware with allegedly 245 computers encrypted during a cyberattack in October.
The victim, Andrew Agencies. is a full-service insurance company with 125 employees and 18 locations based out of Manitoba, Saskatchewan, and Alberta, Canada.
According to emails sent to BleepingComputer from the operators of the Maze Ransomware, Andrew Agencies was attacked on October 21st, 2019 when the attackers breached their network and encrypted 245 computers.
As “proof” of the attack, Maze sent BleepingComputer a list of 245 encrypted computers, their IP addresses, computer names, and sizes of the data encrypted by the ransomware. Based on the encrypted sizes listed in this proof, the Maze Ransomware states they have encrypted a total of 63 terabytes of data.
The operators have also released a text file containing a list of 876 user names and hashed passwords for users on the network.
Maze told BleepingComputer that the ransom amount was $1.1 million, or 150 bitcoins, at the time of the attack and that Andrew Agencies was originally in communication with them, but then stopped responding.
“They are really good canadian guys, but they have disappeared. They came up to decision that they should buy decryptor and asked us for time as they are collecting money,” the Maze operators told BleepingComputer via email.
Maze stated that their deadline for paying the ransom under threat of the company’s data being published was at the end of November. While the data has not been publicly released as of yet, Maze is known for following through with these threats as seen by Maze’s attack on Allied Universal.
Dave Schioler, the Executive Vice President & General Counsel for Andrew Agencies, confirmed that they had been in communication with the attackers while conducting an investigation.
In a statement released today, Schioler states the company has chosen not to pay the ransom and that there is no evidence that any sensitive personal information or data has been stolen.
“At this time, Andrew Agencies can confirm that it has recently dealt with a security breach incident involving ransomware. Our data and that of our customers and employees is of the utmost importance to us. We have taken this matter very seriously and have expended considerable resources in the investigation and remediation of this incident, including the use of third parties with expertise in similar incidents. We have put in place any and all steps necessary for remediation.
We also wish to emphasize that as a result of our investigation, we have uncovered no evidence of sensitive personal information or data being stolen or otherwise compromised. While we are not at liberty to share the particulars of the investigation with you, we can advise that the incident has had minimal impact on our operations. Andrew Agencies did not pay a ransom as part of the recovery effort.
We are confident with our operating status and security, and we therefore do not intend to be providing further commentary on this matter.”
This statement, though, is disputed by the Maze operators who told us that they stole 1.5GB of data “about insurance customers.”
No proof of these stolen documents has been shared with BleepingComputer at this time.
BleepingComputer has sent followup questions regarding the stolen data to Andrew Agencies, but have not heard back at this time.
Ransomware attacks are becoming data breaches
The actors behind the Maze Ransomware have upped the ante when it comes to ransomware attacks by releasing stolen data if a ransom has not been paid.
As we have said numerous times, it is not unknown for attackers, including ransomware actors, to steal data or snoop through a company’s files before encrypting them.
Maze, though, has been the only threat group that has released files when a victim chooses not to pay a ransom.
This has led to another high profile ransomware group called REvil, or Sodinokibi, to follow in their footsteps.
When ransomware actors release a company’s data, this attack becomes a data breach that will require government and customer notifications and the potential of lawsuits for exposed data.