Maze Ransomware operators published data from LG and Xerox

Pierluigi Paganini August 04, 2020

Maze ransomware operators published internal data from LG and Xerox after the companies did not pay the ransom.

Ransomware crews have been very active in recent months. Maze ransomware operators have published tens of GB of internal data allegedly stolen from IT giants LG and Xerox following failed extortion attempts.

Maze ransomware operators published 50.2 GB from LG’s network and 25.8 GB from Xerox.

In June, researchers at threat intelligence firm Cyble discovered a data leak of LG Electronics published by Maze ransomware operators.

As usual, the Maze ransomware operators threaten to leak the victims’ data online unless they pay the ransom. A few days ago the group issued a press release in which it warned companies not to try to recover their files from backups; it also announced the forthcoming LG Electronics data leak.

At the time, the Maze ransomware operators only released three screenshots as proof of the data breaches on the Maze ransomware leak site.

Researchers from ZDNet who analyzed the leaked data confirmed that it included source code for the firmware of various LG products, including phones and laptops.

“In an email in June, the Maze gang told ZDNet that they did not execute their ransomware on LG’s network, but they merely stole the company’s proprietary data and chose to skip to the second phase of their extortion attempts.” reads a Maze statement reported by ZDNet.

“We decided not to execute [the] Maze [ransomware] because their clients are socially significant and we do not want to create disruption for their operations, so we only have exfiltrated the data,” the Maze gang told ZDNet via a contact form on their leak site.

Maze ransomware operators have also breached the systems of the Xerox Corporation and stolen files before encrypting them.

The company did not disclose the cyberattack, but in early June the Maze ransomware operators published some screenshots showing that a Xerox domain had been encrypted. One screenshot showed that hosts on “,” managed by Xerox Corporation, were hacked.

Another screenshot showed that the ransomware operators were in the Xerox network until June 25th, 2020.

Xerox Corporation is an American corporation that sells print and digital document products and services in more than 160 countries. The company declared over $1.8 billion in revenue in Q1 2020 and has 27,000 employees across the globe. It currently ranks 347 on the Fortune 500 list.

On June 24, Maze ransomware operators included Xerox in the list of the victims published on their leak site.

The extent of the attack is still unclear, including which internal systems were encrypted by the Maze gang and which files were exfiltrated.

Experts from threat intelligence company Bad Packets speculated that both companies were hacked through the known CVE-2019-19781 vulnerability in the Citrix ADC servers they were running. Bad Packets experts discovered that both organizations were running unpatched servers that could have been the attackers’ entry point.

In recent months, the Maze ransomware gang breached the US chipmaker MaxLinear and Threadstone Advisors LLP, a US corporate advisory firm specialising in mergers and acquisitions.

Maze operators have been very active in recent months. They have also stolen data from US military contractor Westech and the ST Engineering group, and they have released credit card data stolen from the Bank of Costa Rica (BCR), threatening to leak further batches every week.

Previous victims of the ransomware gang include IT services firms Cognizant and Conduent.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)
