Maze and the leak-as-pressure pattern

The Maze ransomware operators have, over the past several weeks, been refining a tactic that has now been formalised on a public-facing leak site. Allied Universal, a US security-services company that was hit by Maze in late October and has refused to pay the ransom, has had approximately 700 megabytes of internal documentation published on the Maze operators' "news" site this week (Bleeping Computer reporting on the Maze leak site, November 21). The operators' message attached to the publication makes the operational logic explicit: data has been exfiltrated as well as encrypted, refusal to pay the ransom will be answered by progressive publication of the exfiltrated data, and the leak is therefore a pressure mechanism applied against the victim's ransom decision.

This formalisation matters strategically. The pre-2019 ransomware model was straightforward: encrypt the victim's data and demand payment for the decryption key; the victim's decision was governed by the cost-benefit calculation between paying the ransom and recovering from backups. The defensive response was correspondingly straightforward: maintain robust offline backups, refuse to pay, recover. The Norsk Hydro case in March was the worked example of that defensive posture executed correctly.

The Maze pattern changes the calculation. Encryption is one half of the operational pressure; data publication is the other. A victim with robust backups can recover operationally without paying the ransom, but cannot prevent the publication of exfiltrated data once the data has been taken. The ransom decision is therefore reframed: paying the ransom now buys not (or not only) decryption keys, but a probabilistic commitment from the operators to refrain from publishing the exfiltrated data. The probabilistic nature of that commitment is the unresolved part of the new model — the operators have a continuing-business incentive to honour the commitment to maintain the credibility of future ransom demands, but no enforceable obligation. The victim is paying for the operators' reputational interest in continued credibility, not for any verifiable delivery.

The defensive response to the Maze pattern is more difficult than the pre-Maze response. The architectural defences against encryption (backups, segmentation, recovery procedures) remain valid but are insufficient. The defences against data exfiltration are the ones that matter, and those defences have to be in place before the incident — they cannot be retroactively applied. The customer-organisation programme work that has been investing in data-loss-prevention controls, in network-traffic analytics for unusual exfiltration patterns, and in privileged-access monitoring is the work that produces value against the Maze model. The customer organisations that have invested less heavily in those controls are now exposed to a coercion mechanism that the pre-Maze threat-model conversations did not adequately price.

For the customer briefings this week, the Maze pattern is the most consequential development of the autumn. The ransomware-incident-response playbooks across the customer portfolio are being updated to incorporate the data-publication scenario. The decision-tree for ransom payment, which has historically defaulted to "no" with limited exceptions, now has to incorporate a more nuanced analysis of the data-exfiltration component: what was taken, what is the consequence of publication, what is the legal and regulatory exposure of publication, and what is the probability calculation on operator delivery if the ransom is paid. The conversations with customer-organisation legal counsel about ransom-payment frameworks are more complicated than they were three months ago.

For our SOC operation, the detection priority for the next quarter is data-exfiltration patterns specifically. The EmilyAI engineering team has been working on a feature for the v2.x product roadmap that addresses unusual data-egress patterns from customer-organisation networks; the Maze pattern accelerates the priority of that feature. The integration with customer-side DLP tooling and with cloud-native-egress monitoring (CASB-style controls) is the principal architecture for the new detection content.
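As an added illustration of the egress-baselining detection logic the two paragraphs above describe (this is example code written for this note, not EmilyAI product code or anything from the original post): per-host outbound volume compared against a median of prior days, plus bytes sent to external destinations never seen in the baseline, run over constructed flow records. Host names, IP ranges and thresholds are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed flow records: (day, source_host, destination_ip, bytes_out). Days d1..d5
# form the baseline, d6 is under review; 10.0.0.8 is an internal file server.
FLOWS = [
    ("d1", "ws-17", "203.0.113.10", 30_000_000), ("d2", "ws-17", "203.0.113.10", 35_000_000),
    ("d3", "ws-17", "203.0.113.10", 28_000_000), ("d4", "ws-17", "203.0.113.10", 33_000_000),
    ("d5", "ws-17", "203.0.113.10", 31_000_000), ("d6", "ws-17", "203.0.113.10", 32_000_000),
    ("d6", "ws-17", "198.51.100.77", 700_000_000),  # ~700 MB to a never-seen external host
    ("d1", "fs-02", "203.0.113.10", 5_000_000), ("d2", "fs-02", "203.0.113.10", 6_000_000),
    ("d3", "fs-02", "203.0.113.10", 4_000_000), ("d4", "fs-02", "203.0.113.10", 5_500_000),
    ("d5", "fs-02", "203.0.113.10", 5_200_000), ("d6", "fs-02", "203.0.113.10", 5_800_000),
    ("d6", "fs-02", "10.0.0.8", 900_000_000),  # large internal copy: not egress, must not alert
]
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    """RFC 1918 destinations are not egress; anything else is treated as external."""
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def egress_by_host_day(flows):
    """Aggregate external-bound bytes as {host: {day: {dst_ip: bytes}}}."""
    table = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, host, dst, nbytes in flows:
        if not is_internal(dst):
            table[host][day][dst] += nbytes
    return table

def flag_egress(flows, review_day, multiplier=5.0, floor_bytes=100_000_000):
    """Return {host: reason} for hosts whose review-day egress is anomalous: total volume
    above multiplier x the median of prior days (and above floor_bytes, so quiet hosts do
    not alert on noise), or more than floor_bytes sent to destinations unseen in the baseline."""
    findings = {}
    for host, by_day in egress_by_host_day(flows).items():
        today = by_day.get(review_day, {})
        prior = {d: v for d, v in by_day.items() if d != review_day}
        baseline = median(sum(v.values()) for v in prior.values()) if prior else 0
        total = sum(today.values())
        seen = {dst for v in prior.values() for dst in v}
        new_bytes = sum(b for dst, b in today.items() if dst not in seen)
        reasons = []
        if total > max(multiplier * baseline, floor_bytes):
            reasons.append(f"volume {total / 1e6:.0f} MB vs baseline {baseline / 1e6:.0f} MB")
        if new_bytes > floor_bytes:
            reasons.append(f"{new_bytes / 1e6:.0f} MB to destination(s) not seen in baseline")
        if reasons:
            findings[host] = "; ".join(reasons)
    return findings
```

Running `flag_egress(FLOWS, "d6")` flags only ws-17, on both signals; the 900 MB internal copy on fs-02 is correctly ignored because it never leaves the network.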

The wider strategic point is that the ransomware threat is, in 2019, structurally different from what it was in 2017 (WannaCry-and-NotPetya era). The targeted-rather-than-mass-spread shift through 2018 produced more carefully-selected victims with higher per-victim ransom demands. The Maze leak-pattern shift in late 2019 adds a coercion mechanism that addresses the principal defence (backups) of the 2017-era model. The next iteration — and there will be one — will add further mechanisms; the operators are running a sustained development cycle against the defenders' adaptations. The defensive posture has to be continuously evolving against a continuously evolving threat.

I will return to this through 2020. The ransomware story is not, in 2019, settling; it is escalating in operational sophistication.
