MANASSAS, Va.—Hackers from a criminal organization called Maze have allegedly stolen data from a company that does collections for credit unions and have posted some of it online.
The company, CU Collections, is based in Manassas, Va.
Brett Callow, threat analyst at security firm Emsisoft, was first to bring the alleged breach to the attention of CUToday.info. Callow said the stolen data he has seen includes sensitive information relating to members CU Collections is reaching out to, including home addresses, Social Security numbers, work and cell phone numbers, member numbers, and other information related to the file in collection.
Callow said the criminal organization has been attacking numerous businesses recently, including law firms.
“Hackers claim to have stolen data from at least five law firms—three in the last 24 hours alone—and in two of the cases a portion of the stolen data has already been posted online. The data has been published on the clear web, where it can be accessed by anybody with an Internet connection,” according to Callow, noting that is the case with the CU Collections information.
A New Tactic
Callow further alleged Maze is now taking a new step in ransomware attacks, where criminals may or may not encrypt a company’s data and ask for money. In this case, the hackers threaten to publish the information unless the company pays. The price tag can often be in the seven figures, Callow said.
“The group’s modus operandi is to initially name the companies they’ve hit on their website and, if that doesn’t convince the companies to pay, they publish a small amount of their data—proofs,” explained Callow. “This makes sense. The more data they publish and the more sensitive that data, the less incentive an organization has to pay to prevent the remaining data from being published. It's the equivalent of a kidnapper sending a pinky finger. If the organization still doesn’t pay, the remaining data is published, sometimes on a staggered basis.”
If a company does pay, its name is removed from Maze’s website, according to Callow.
Million-Dollar Charges
“In some cases the group has charged $1 million to decrypt the victim’s data, and $1 million to delete the stolen copy—supposedly delete it, anyway. It seems highly unlikely that a criminal enterprise would ever delete data that it may be able to monetize at a later date,” he said.
“Ransomware groups started stealing data at the tail end of last year,” Callow continued. “Prior to that, they had only encrypted it. They then use the threat of its release as additional leverage to extort payment. We warned about this development last month.”
CUToday.info reached out to CU Collections, but the company did not comment by press time.
“It’s shocking how few companies disclose these incidents,” said Callow. “Who knows where your data may be.”
