MaxLinear Suffers a Data Breach During a Maze Ransomware Attack
Traditionally, ransomware attacks tend to be rather noisy. While distributors of keyloggers and password stealers want to remain as stealthy as possible, ransomware operators often tend to tell the victim just how much trouble they've caused, and they usually do it shortly after they've broken in. As a recent attack against a hardware company by the name of MaxLinear shows, however, times are changing, and so are ransomware operations.
The IT systems of the publicly traded company were first breached around April 15. For more than a month, the hackers remained silent, which was unusual, but on May 24, they deployed the Maze ransomware and encrypted some of MaxLinear's data. Yesterday, the hardware manufacturer filed an 8-K form with the Securities and Exchange Commission (SEC) and shed some more light on the attack.
MaxLinear says that it will pull through
After realizing what was going on, MaxLinear immediately pulled its entire infrastructure offline and hired a cybersecurity company to help with the investigation. Apparently, the security experts have more work to do before they can say exactly what happened, but according to the filing, some of the systems have already been restored, and the rest should follow suit soon. Obviously, recovering from the incident will cost money, but MaxLinear believes that the effects on its financial statements won't be that serious. Crucially, the company announced that it has "no plans" to comply with the cybercriminals' demands.
When large corporations are attacked, the ransom demands are pretty serious, and by refusing to pay the ransom, MaxLinear will likely save hundreds of thousands of dollars. We're sure the shareholders are pretty pleased about this, but under normal circumstances, there is another, more important aspect to not yielding to the hackers' extortion attempts. It usually means that the whole attack was a waste of time for the cybercriminals. Unfortunately, when the Maze ransomware is involved, this is not quite the case.
MaxLinear employee data was stolen
The hackers didn't sit idle between April 15 and May 24. While inside MaxLinear's systems, they found and downloaded quite a lot of data, and they are now using it as leverage for a second extortion attempt. Having seen that the company won't pay for the decryption of the files, the cybercriminals are now threatening to leak the information if the company doesn't play by their rules.
The threats started materializing on June 15. Bleeping Computer says that the Maze ransomware operators leaked about 10 GB worth of data through their website. The cybercriminals claim, however, that in total they've stolen around 1 TB of information, and they can either leak it or sell it whenever they want. This is bad news for MaxLinear employees because, unfortunately, it's their information we're talking about.
On June 10, several days before publishing the SEC filing, MaxLinear filed a data breach notification with California's Attorney General's Office. The same notification has also been sent to some of the company's employees, and it informs them that many of their personal details were exposed during the Maze ransomware attack.
The letter doesn't say how many people were involved, but it does reveal what sort of data got stolen. The hackers accessed anything from names, email addresses, compensation and benefits information to driver's license numbers, Social Security numbers, and financial account numbers. Affected employees are eligible for credit monitoring and identity theft protection services paid for by the company, and we're pretty sure that many of them will take advantage of the offer. Even so, this will hardly be a pleasant experience for them.
Stealing data before encrypting it is a relatively new and very sinister twist in the operation of a few major ransomware families, and because of it, the risk for companies is effectively twofold. Up until now, the remediation process relied on nothing more than a good backup. Data exposure is irreversible, though, which means that potential targets need to be more careful than ever.