The Maze ransomware gang has screwed up by targeting a New York design and construction firm instead of the Canadian Standards Association it was intending to hit.
While Google returns plenty of hits for the search term “csa group”, almost all of which refer to Canada’s answer to the British Standards Institute, there is one exception: an architectural practice located in New York.
It happens to share a name and – almost – a web domain name with its northerly namesakes, being online at csagroup-dot-com. The Canadian standards folk, however, have the domain csagroup-dot-org. And just like that, the New Yorkers got caught in the ransomware crossfire when the Maze gang began hunting for their next target.
Maze’s modus operandi is to infect the target company’s network with ransomware, exfiltrate and encrypt everything within sight, then demand a hefty ransom in return for a promise to unencrypt and delete the data, along with a promise not to reveal the stolen data to others. If companies don’t pay up, the gang begins drip-feeding data online to increase the pressure on them.
Brett Callow, a threat researcher with infosec biz Emsisoft, spotted the Maze gang’s howler after inspecting data they dumped online to try to menace CSA Group Canada into paying up. He told The Register: “This is not the first time ransomware cockwombles have cocked up. In a previous incident, DoppelPaymer incorrectly identified a bank after hitting another bank with a very similar name. But at least they had the decency to post an apology to the wrongly named financial institution.”
Posh Spice’s perfume people pop up in Maze ransomware gang extortion effort
Callow told us that when he checked a data sample dumped online by Maze he found documents referring to the design and construction of buildings in the US island enclave of Puerto Rico. Some files appeared to have been sent from csagroup-dot-com email addresses – pointing to the architects being the actual victims of the ransomware rather than the Canadian standards-setting agency.
Emsisoft’s man opined that “work pressures” had driven Maze’s operatives into making the blunder as the COVID-19 pandemic burns companies’ ready cash and deprives them of the ability to pay ransoms, saying: “In fact, the group hinted at this in one of their so-called press releases stating, ‘We are living in the same economic reality as you are. That’s why we prefer to work under the arrangements and we are ready for compromise.'”
Echoing El Reg‘s sentiments, Callow added: “My heart bleeds.”
So far Maze’s leaks website continues to name the wrong firm next to the data dump.
The Register has continued to try to contact CSA Group (the New York architects), which is proving difficult as the firm has pulled its website offline and appears to be an infrequent user of its social media profiles. We have also contacted the Canadian standards agency for comment. ®
Sponsored: Ransomware has gone nuclear
Follow me for more information.