“Maze” Ransomware Actors Compromised Large IT and Aerospace Companies

• The Maze ransomware groups are unstoppable, hitting another two large organizations.
• Conduent and VT SAA are the latest victims of the Russian hackers, suffering catastrophic data breaches.
• Maze has been very active and successful since the beginning of the year, managing to break in intranets by exploiting bugs.

Two groups of Russian actors deploying the “Maze” ransomware have just pinned another two medals on the RaaS’s uniform. Just yesterday, it was revealed that they managed to compromise the systems of Conduent, a critical IT services provider who reported $4.5 billion in revenues in 2019. The other case concerns “VT San Antonio Aerospace” (VT SAA), a specialist in aircraft maintenance, repair, and overhaul, who has a presence in 100 countries. Both targets are large entities that can’t afford a disruption of operations, so these incidents highlight Maze’s power once more.

In the case of Conduent, the breach occurred on May 29, 2020, and the firm managed to get its systems back into normal operating status within nine hours. While the disruption for Conduent clients was kept at a minimum, the Maze team managed to steal data that they are now using for extortion. According to Cyble, the data that has been leaked includes insurance documents, vehicle lease details, audit discussion results, and other sensitive internal information.

The VT SAA breach happened back in April 2020 and was revealed now after data from that incident started to come out too. The Maze team that attacked VT SAA stole 1.5 TB of data, including confidential and precious defense technology and system details. The first samples that were shared on the dark web concern insurance documents, contract calculation worksheets, NASA review rules, and various other unencrypted data.

As for how the attack happened, VT SAA got breached remotely and through a compromised administrator account. Then, the actors took over the default Domain Admin account and gained control of the intranet servers and file servers. By March 7, 2020, they had stolen everything and began the encryption of the files locally. The aerospace engineering firm recovered the files within three days, but the exfiltration damage had already happened.

The Maze ransomware remains one of the nastiest RaaS (ransomware as a service) operations out there, hitting multiple large organizations every week. Only a couple of days ago, we reported the breach of “Westech International” and the stealing of confidential information on US intercontinental ballistic missile systems. In May, a group of actors using the Maze ransomware compromised Banco BCR, stealing 11 million credit card records and various other sensitive information. In March, Maze locked down Chubb’s systems, putting the cybersecurity insurance company in freeze mode and introducing a large dose of irony in their business operations. Interestingly, a contract with Chubb has also leaked as part of the VT SAA breach now.