Dozens of companies have data dumped online by ransomware ring seeking leverage

https://arstechnica.com/?p=1649790

The Maze ransomware ring has taken extortion to new heights by publicly posting breached data on the Internet—and threatening full dumps of stolen data if the ring’s “customers” don’t pay for their files to be unencrypted. But the group appears to be making one exception: the City of Pensacola, which was hit by Maze ransomware in December.

On the group’s website, the administrator of Maze’s ransomware operations posted:

We are going to make a gift to City of Pensacola: we will not publish leaked private data, but we publish the list of leak data and hosts to proof [sic], that we did it, we really hacked City of Pensacola.

Just before Christmas, the Maze operators had posted 2GB of data from the city’s systems, claiming it was only 10 percent of what had been stolen from systems before the attackers launched their ransomware attack. But the files were then removed, with only directory data, computer names, and IP addresses left on the site as proof of compromise. Based on the Maze site, 28 servers were hit by the attack.

Others have not been so lucky. The Italian foods company Fratelli Beretta had all the data exfiltrated from 53 systems (a total of 3GB) posted online by Maze. And more recent victims have had smaller dumps posted. Stockdale Radiology, a radiology clinic in Bakersfield, California, had screenshots of affected systems and data from the clinic’s fax server posted—including patient data transmitted from another MRI clinic. Ars reached out to Stockdale Radiology for comment but got no response.

About 25 other victims are listed on Maze’s site, with smaller “proof” data sets posted that include customer information. Victims include:

  • Busch’s Inc., a grocery market chain in Michigan
  • BST & Co., a certified public accountancy firm in Albany
  • Lakeland Community College in Kirkland, Ohio
  • The social media and public relations unit of Orlando-based company Massey Services

According to Emsisoft threat analyst Brett Callow, one recent dump of a Canadian company’s data included employee “names, home addresses, social insurance numbers, tax forms, earnings details, health insurance numbers, banking information, drug test results, etc.” The company failed to notify employees of the breach.

None of these breaches have been reported publicly by their victims. “The lack of disclosure obviously means that customers/clients/vendors/partners do not know that their data is now in the hands of cybercriminals and can be downloaded by anybody with an Internet connection,” Callow told Ars. “And that means they do not know that they should set up credit monitoring, notify their financial institution, be on the lookout for scams or spear phishing attempts.”

The Maze crew is not the only ransomware operation now using stolen data as additional leverage to get victims to pay up. The REvil/Sodinokibi ransomware ring has also threatened to reveal data of victims who don’t pay, including the travelers’ financial service provider Travelex. And other attackers may also be stealing data and using it in much more subtle ways to extort their victims.

via Ars Technica https://arstechnica.com

January 29, 2020 at 02:56PM

Purell’s unproven disease-fighting claims get sanitized after FDA warning

https://arstechnica.com/?p=1649897

The maker of Purell hand sanitizers is washing away some unproven marketing claims that its products reduce school absenteeism and prevent infections from germs such as Ebola, norovirus, flu, and certain drug-resistant infections.

The marketing disinfection comes after the Food and Drug Administration issued a warning letter to Purell’s parent company, GOJO Industries. The letter, dated January 17 and released this week, stated that the company’s claims violated federal regulations and that the agency now considers Purell hand sanitizers unapproved new drugs.

The FDA also noted that it is “unaware of any adequate and well-controlled clinical trials in the published literature that support” GOJO’s claims.

The agency noted that the dubious marketing claims appeared in a variety of places on GOJO’s product websites, including FAQ pages, blogs, and social media pages. Among the questionable claims are that Purell sanitizer:

  • “kills more than 99.99% of most common germs that may cause illness in a healthcare setting, including MRSA [methicillin-resistant Staphylococcus aureus] & VRE [vancomycin-resistant enterococci]”
  • “can reduce student absenteeism by up to 51%… Additionally, teachers who follow this program also experience a 10% reduction of absenteeism.”
  • “may be effective against viruses such as the Ebola virus, norovirus, and influenza.”

While alcohol-based sanitizers have been shown to effectively kill many germs, that finding is different from data indicating that sanitizer use reduces infections and the spread of disease.

On an FAQ page, GOJO also says that “the World Health Organization (WHO) and the Center for Disease Control and Prevention (CDC) are recommending the use of alcohol-based hand sanitizer as a preventive measure for flu prevention.”

But it should be noted that the WHO and the CDC emphasize hand washing as a primary method to prevent the spread of influenza (aside from vaccination). The CDC only recommends using hand sanitizer “if soap and water are not available.” Some data suggests that hand washing is more effective at preventing spread of the flu than using sanitizers. And a study in 2018 suggested that certain bacteria may develop tolerance to alcohol-based sanitizers over time.

In a statement, GOJO’s corporate communications senior director, Samantha Williams, said:

GOJO took immediate action to respond to FDA claim requirements after receiving a warning letter from the agency on January 17. The letter was related to some of our marketing around Purell Hand Sanitizer on GOJO.com and through our social media platforms.

It is important to emphasize that the FDA letter was not related to the safety or quality of our products, or our manufacturing processes.

Some of the problematic statements on GOJO’s sites have since been removed, though the company still says that the WHO and CDC recommend hand sanitizer without mentioning hand washing. Williams’ statement went on to say that GOJO has “begun updating relevant website and other digital content as directed by the FDA and are taking steps to prevent a recurrence.”

via Ars Technica https://arstechnica.com

January 29, 2020 at 06:03PM