Cybercrime , Fraud Management & Cybercrime , Ransomware

Ransomware Gang Posting Financial Details From Bank Attack

Maze Started Releasing Payment Card Data From Costa Rican Bank This Week
Ransomware Gang Posting Financial Details From Bank Attack

The Maze ransomware gang has started releasing payment card data from an attack that happened earlier this year at Banco BCR, the state-owned Bank of Costa Rica, according to several cybersecurity experts.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

In a post to its darknet portal website, the operators of Maze announced on Thursday that they planned to start releasing payment card data related to the ransomware attack at Banco BCR, according to security firm Emsisoft, which shared the posting with Information Security Media Group.

"We apologize in front of all clients of Banco BCR and all those who were using its services for publishing your personal data. We regret that Banco BCR and regulators don't care about their clients and their personal date," according to the post.

On Friday, security firm Cyble published a report from its researchers that confirmed a 2 GB CSV file posted by the gang contained data from Banco BCR. This included details such as MasterCard and Visa credit card numbers as well as debit card numbers.

On May 1, BleepingComputer first reported that Maze had attacked Banco BCR, encrypted data and stole files. At the time, the gang claimed it was in possession of some 4 million unique payment card numbers, including 140,000 allegedly belonging to U.S. customers.

In an earlier post to its darknet site that ISMG has seen, Maze claims to have first gained access to the bank's internal networks in August 2019. The ransomware operators told BleepingComputer that they regained access in February but held off attacking and encrypting data due to the COVID-19 pandemic.

The Maze gang has claimed that they attempted to contact Banco BCR representatives about the ransomware attack, but have not heard back. There is no information about the breach posted on the bank's website and a spokesperson could not be immediately reached for comment.

The history of Banco BCR dates back to the late 1870s, when the bank was founded. Banco BCR currently manages about $7 billion in assets, according to its website.

Ongoing Ransomware Attacks

Over the past several months, the operators of Maze have turned into one of the more prolific ransomware gangs. This includes attacks directed against Switzerland-based global insurance firm Chubb, and IT services and consulting giant Cognizant - although the gang has denied involvement in that particular incident.

In addition, Maze was one of the first ransomware gangs to start leaking data when its targets did not negotiate with the gang or did not come up with enough money to satisfy the ransom demands (see: Crypto-Lock and Tell: Ransomware Gangs Double Down on Leaks).

Maze first started this trend of publishing its targets' data in November 2019 and other cybercriminal groups, including DoppelPaymer, MegaCortex, Nemty, Snatch and Sodinokibi, aka REvil, have followed.

Brett Callow, a threat analyst with Emsisoft who has been following these developments, says that Maze's recent release of customers' payment card data from Banco BCR is another example of cybercriminals weaponizing the information that they have stolen.

Maze's announcement about Banco BCR

"Like other groups, Maze now weaponizes the data it steals," Callow tells ISMG. "The information is no longer simply published online; it’s used to harm companies' reputations and attack their business partners and customers."

In this most recent security incident with Banco BCR, Callow says the gang is trying to portray itself as doing a service by calling attention to the bank not protecting its network, but that's not the real issue.

"The Maze group is a for-profit criminal enterprise who are out to make a buck," Callow says. "The credit card information has been posted for one of two reasons: Either to pressure BCR into paying and/or to demonstrate the consequences of non-compliance to their future victims."

Over the last two weeks, the operators of the REvil ransomware have adopted similar strong-arm tactics by threating to release legal documents and other data from a high-powered New York law firm that represents several A-list celebrities (see: Hacked Law Firm May Have Had Unpatched Pulse Secure VPN).

Managing Editor Scott Ferguson contributed to this report.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.