FBI warns U.S. companies about Maze ransomware, appeals for victim data

The advisory comes amid a new urgency in the bureau to deal with a problem that just won't go away.

The FBI is warning U.S. companies about a series of recent ransomware attacks in which the perpetrator, sometimes posing as a government agency, steals data and then encrypts it to further extort victims.

In an advisory to the private sector last week, the FBI called for vigilance to combat the so-called Maze ransomware, which the bureau said began hitting U.S. organizations in November.

“From its initial observation, Maze used multiple methods for intrusion, including the creation of malicious look-a-like cryptocurrency sites and malspam campaigns impersonating government agencies and well-known security vendors,” states the advisory obtained by CyberScoop.

“In a late November 2019 attack, Maze actors threatened to publicly release confidential and sensitive files from a US-based victim in an effort to ensure ransom payment,” the advisory says, without naming the victim.


Maze is but one of an array of different strains of ransomware to emerge in recent years, a scourge with which companies and state and local governments have struggled to contend. This particular hacking tool caught the attention of security researchers last fall, when it was used in a scheme to dupe people in the U.S., Italy, and Germany into installing malware on their computers. Last month, the Maze perpetrators gained more notoriety when they published data supposedly stolen from the City of Pensacola, Florida, to pressure the city into paying a ransom.

“The combination of the theft and encryption of data will feel like a one-two punch for victim organizations,” said Charles Carmakal, senior vice president at Mandiant, the incident response arm of cybersecurity company FireEye. “Organizations may feel more coerced to pay the threat actors because they may feel it’s the best option to prevent the disclosure of sensitive information.”

The FBI “Flash” — a document the bureau periodically sends to U.S. companies to alert them to hacking activity — offers technical indicators to detect Maze ransomware and asks victims to provide information that could help track the hackers. The bureau requests things like bitcoin wallets used by the hackers and the complete phishing email they sent to the victim.

The request for victim data related to Maze aligns with a new FBI offensive against ransomware that taps a wealth of data held by corporate victims. Last September, for example, the FBI held an unprecedented, closed-door summit on ransomware with private sector experts to get a handle on the problem.

Ransomware experts told CyberScoop that the Maze perpetrator’s strong-arming tactics are a sign of things to come.


“We expect to see an increasing trend of threat actors stealing sensitive data from victim organizations before encrypting the data in the victim environments,” said Carmakal, who has helped companies respond to network intrusions carried out by the Maze hackers.

Allan Liska, a ransomware expert at threat-intelligence company Recorded Future, echoed that point, predicting that the Maze perpetrator’s aggressiveness and brazenness will inspire copycat actors.

The willingness to both exfiltrate data and hold it for ransom “completely changes the nature of a ransomware incident-response investigation and how organizations, especially those with reporting requirements, have to view a ransomware attack,” Liska told CyberScoop.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
