On May 5, it has been reported that Brett Callow, the threat analyst of Emsisoft, has said that Maze recently took credit for hacking a plastic surgeon named Kristin Tarbet. They also claim to have hacked the Ashville Plastic Surgery Institute.
However, he explained that in Tarbet’s case, the hackers have already leaked highly sensitive data.
“The data that has been posted included names, addresses, social security numbers as well as what appears to be before and after photos and photos taken during surgical procedures. The Maze group typically start by posting only a small amount of the data that was exfiltrated — it’s the equivalent of a kidnapper sending a pinky finger — so they may well have more data than has already been published.”
Callow explained that many ransomware incidents are caused by basic security failings, which include easy-to-crack credentials or unpatched remote access systems.
“Organizations should focus more on cybersecurity since Maze uses a combination of strategies in order to gain access to networks including [Remote Desktop Protocol] exploitation, phishing, and spear-phishing.”
Crypto ransomware group hacks two plastic surgeon’s studios https://t.co/Oa77Cunlvb — Cointelegraph (@Cointelegraph) May 6, 2020
It has been analyzed that when it comes to the ransom requested by the hackers, he said that it cannot be known, but past attacks could serve as a guide.
“Only the criminals and the plastic surgeon will know the amount of the demand. In a previous case, Maze claimed their demand was $2 million: $1 million to decrypt the victim’s data and an additional $1 million to destroy the copy of it.”
Similarly, when it comes to the Ashville Plastic Surgery Institute, the published data includes patient names, dates of birth, insurance details, patients’ implant order forms, before and after photos, and Internal documents like income statements.
“This data dump is simply an initial warning shot. Should the company not pay, more data may be published.”
Also, Callow said that this is not the first time that the group has attacked two targets in the same industry. Maze’s victims often reside in the same geographic location or operate in the same industry.
However, Maze claimed that there is a reason behind those instances in a statement by saying:
“We don’t need to use phishing attacks and slowly move from one target to another as we have the access to the hosting provider.”
Thus, Ransomware groups have started threatening to leak victim’s sensitive information if they are not paid.