{
	"id": "0c107e97-3265-46b3-8f4e-b65f6d56f374",
	"created_at": "2026-04-06T00:18:36.007715Z",
	"updated_at": "2026-04-10T03:33:41.792545Z",
	"deleted_at": null,
	"sha1_hash": "0b14a728b279bf9f4d4ccf32ed2b4fc483355152",
	"title": "Maze Ransomware Demands $6 Million Ransom From Southwire",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 999306,
	"plain_text": "Maze Ransomware Demands $6 Million Ransom From Southwire\r\nBy Sergiu Gatlan\r\nPublished: 2019-12-12 · Archived: 2026-04-05 15:14:22 UTC\r\nMaze Ransomware operators claim responsibility for another cyber attack, this time against leading wire and cable\r\nmanufacturer Southwire Company, LLC (Southwire) from Carrollton, Georgia.\r\nSouthwire is one of North America's leading wire and cable makers, \"building wire and cable, utility products, metal-clad\r\ncable, portable and electronic cord products, OEM wire products and engineered products\" per a press release published in\r\nJanuary 2019.\r\nMaze Ransomware, a variant of Chacha Ransomware, was discovered by Malwarebytes security researcher Jérôme Segura\r\nin May. The malware strain has become increasingly active since May 2019.\r\nhttps://www.bleepingcomputer.com/news/security/maze-ransomware-demands-6-million-ransom-from-southwire/\r\nPage 1 of 4\n\nIts affiliates are also increasingly notorious, with ProofPoint identifying one as the TA2101 threat actor after observing\r\nthem conducting various malspam campaigns impersonating government agencies.\r\n$6 million ransom\r\nThe ransom demanded is 850 BTC, amounting to approximately $6 million. As is customary in the case of Maze Ransomware,\r\nthe ransom note also says that company data has been exfiltrated, ready to be published if the ransom is not paid.\r\nIn an email conversation with BleepingComputer, the group refuted rumors of a $9 million ransom that started on Reddit\r\nand also sent proof that Southwire data was downloaded from their servers.\r\n\"We would like to point out that we noticed this article here. 
Indeed that was our work, but they say the price is 9 millions\r\nUSD, this is not true,\" they said.\r\n\"We do not know who spreads this rumors, the actual price for their network is 850 BTC which is about 6 million USD. We\r\nhave attached some proofs of their data to this letter.\"\r\nOne of Southwire's employees working at the Rancho Cucamonga plant also shared the ransom note planted on the\r\ncompany's encrypted systems.\r\nSouthwire ransom note\r\nMaze ransomware's operators have recently claimed a number of other attacks, including one against the City of Pensacola,\r\nFlorida, that came with a $1 million ransom, and another one that impacted security staffing firm Allied Universal, which was\r\nasked to pay $2.3 million to have their network decrypted.\r\nThe Southwire ransomware attack\r\nSouthwire was hit by the ransomware attack early Monday, and it affected computing on a companywide basis.\r\nThe company's IT staff started getting affected systems back online one day later, according to an Atlanta Business Chronicle\r\nreport. Southwire's website was still down at the time this article was published.\r\n\"We immediately self-quarantined by shutting down the entire network,\" Jason Pollard, vice president of Talent Acquisition\r\nand Communications for the wire manufacturer, told the Chronicle.\r\n\"The incident did cause some disruption in our ability to make and ship our products,\" he also added. 
When asked if the\r\ncompany reported the ransomware incident to law enforcement agencies, Pollard stated that Southwire is \"considering all\r\navenues that may assist us with this investigation.\"\r\nThe safety of our employees, the quality of our products and our commitment to our customers are critically important to us.\r\nToday, we’re bringing critical systems back online, prioritizing manufacturing and shipping functions that enable us to\r\ncreate and send product to our customers. We are dedicated to restoring all systems and bringing all of our employees back\r\nto work as safely and as quickly as possible. - Pollard\r\nSouthwire has more than 7,500 employees and it had a revenue of $6.1 billion in 2018, topping the previous $5.5 billion\r\nfrom 2017. The wire manufacturer is also on Forbes’ list of America's largest private companies.\r\nBleepingComputer also reached out to Southwire for additional details regarding the attack but had not heard back at the\r\ntime of this publication. This article will be updated with new information when a response is received.\r\nSource: https://www.bleepingcomputer.com/news/security/maze-ransomware-demands-6-million-ransom-from-southwire/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/maze-ransomware-demands-6-million-ransom-from-southwire/"
	],
	"report_names": [
		"maze-ransomware-demands-6-million-ransom-from-southwire"
	],
	"threat_actors": [
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434716,
	"ts_updated_at": 1775792021,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b14a728b279bf9f4d4ccf32ed2b4fc483355152.pdf",
		"text": "https://archive.orkl.eu/0b14a728b279bf9f4d4ccf32ed2b4fc483355152.txt",
		"img": "https://archive.orkl.eu/0b14a728b279bf9f4d4ccf32ed2b4fc483355152.jpg"
	}
}