{
	"id": "c45af589-691f-4d4f-9c5d-19fa9e5ba7de",
	"created_at": "2026-04-06T00:14:21.804087Z",
	"updated_at": "2026-04-10T13:13:04.616167Z",
	"deleted_at": null,
	"sha1_hash": "764d85b2af71ed9e088e75628c64143cb192b408",
	"title": "Maze Ransomware Not Getting Paid, Leaks Data Left and Right",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1681672,
	"plain_text": "Maze Ransomware Not Getting Paid, Leaks Data Left and Right\r\nBy Ionut Ilascu\r\nPublished: 2020-01-23 · Archived: 2026-04-05 21:05:11 UTC\r\nMaze ransomware operators have infected computers from Medical Diagnostic Laboratories (MDLab) and are releasing\r\nclose to 9.5GB of data stolen from infected machines.\r\nThe actor also followed through with leaking an additional cache of files belonging to another of its victims that did not pay\r\nthe ransom, Southwire, a wire and cable manufacturer from Carrollton, Georgia.\r\nThis action was prompted by the company's refusal to pay a ransom of 200 bitcoins (a little over $1.7 million today) that\r\nwould buy from the attacker the file decryption key and the promise to destroy the data.\r\nhttps://www.bleepingcomputer.com/news/security/maze-ransomware-not-getting-paid-leaks-data-left-and-right/\r\nPage 1 of 5\n\nBetween a rock and a hard place\r\nIn a post on a forum, Maze says that \"another company [MDLab] refused to work with us and thought that they can get\r\naway with this.\" As a result of halting the negotiations, the actor is releasing a cache of files exfiltrated from MDLab's\r\ncomputers to rekindle the discussion.\r\nOn their website, Maze says that files on 231 MDLab stations were encrypted on December 2, 2019 (date seems to be in\r\nEuropean format).\r\nThe infected computers stored tens of terabytes of data but the actor told BleepingComputer that they exfiltrated archives\r\ntotaling 100GB, which they plan to make public if the ransom is not paid. Some of the files relate to immunology research\r\ndone by the company.\r\n\"Ransom amount: 100 BTC + 100 BTC. 
One part is for decryption, the second is for data destruction,\" the actor told us,\r\nadding that MDLab tried to purchase the cryptocurrency but could not do it. - Maze Ransomware\r\nMaze further said that they directed MDLab to ransomware recovery company Coveware to negotiate the payment and seal\r\nthe deal.\r\nHowever, Coveware has a strict policy of not responding to referrals from ransomware actors, \"even if the company is\r\ngenuine and needs our help.\"\r\nThis may seem like a harsh, illogical reaction, but it is motivated by a simple principle:\r\n\"We don't want there to be any ambiguity on what side we are on, and any policy short of that would blur that line so we are\r\nstrict about it. Any financial benefit from a criminal's referral is wrong in our book,\" Coveware.\r\nThis does not mean that the company leaves victims on their own as Coveware will point them in the right direction when\r\nthis is possible.\r\nThe company denied being involved in negotiations with Maze on MDLab's behalf:\r\n\"That being our policy, the name you mentioned [MDLab] is also not familiar. We have not had any interaction with Maze\r\nabout them, and don't have interactions with these groups outside of when we are negotiating on a client's behalf (which we\r\nwould keep confidential).\"\r\nCoveware may have been contacted by Genesis Biotechnology Group, MDLab's parent company, which would explain why\r\nthe name did not ring a bell to them.\r\nMDLab has not reacted in any way to this incident. 
BleepingComputer reached out to the parent company for comment\r\nabout the breach but received no answer at publishing time.\r\nNew data leaked from Southwire\r\nMaze keeps the Southwire data leaks going and releases two new archives allegedly stolen from the computers of the wire\r\nand cable manufacturer.\r\nNews of the attack emerged in mid-December and the ransom demand was 850 bitcoins, about $6 million at the time, as\r\nconfirmed to us by the threat actor. In total, 120GB of data was stolen before encrypting 878 devices on the network.\r\nSome time after the attack, seeing that they were not getting paid, Maze operators published some company data to a site they\r\ncontrolled. Things escalated when Southwire filed a lawsuit against Maze that ended with the site being taken down\r\ntemporarily. The effect was that Southwire data was no longer available to the public.\r\nThis did not stop Maze from spreading 14.1GB of the company files on a Russian hacking forum, though. They also\r\npromised to release 10% of the data every week until they get paid, or run out of files, something that could cause significant\r\ntrouble to Southwire.\r\nIn a post on a Russian forum today, Maze announced a fresh batch of Southwire data - two archives totaling about\r\n10GB.\r\nData theft changes the ransomware game\r\nLate last year, Maze started this trend of threatening victims with publishing their files unless they paid after one of their\r\nvictims, security staffing firm Allied Universal, missed the payment deadline.\r\nThey have been keeping their word and inspired other ransomware actors to do the same. Sodinokibi, Nemty, and\r\nBitPyLock adopted the same tactic (1, 2, 3).\r\nPaying cybercriminals is not recommended as this encourages them to continue their business. Recovering from\r\na ransomware attack is possible when backups are available. 
These incidents were not regarded as data breaches before the\r\nblackmail trend emerged.\r\nThis is a complication for victim companies as data stolen in a cyber attack requires a different reaction and can have drastic\r\nconsequences (fines from data privacy watchdogs, secrets revealed to competitors, reputation damage), all leading to\r\nfinancial loss.\r\nSource: https://www.bleepingcomputer.com/news/security/maze-ransomware-not-getting-paid-leaks-data-left-and-right/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/maze-ransomware-not-getting-paid-leaks-data-left-and-right/"
	],
	"report_names": [
		"maze-ransomware-not-getting-paid-leaks-data-left-and-right"
	],
	"threat_actors": [],
	"ts_created_at": 1775434461,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/764d85b2af71ed9e088e75628c64143cb192b408.pdf",
		"text": "https://archive.orkl.eu/764d85b2af71ed9e088e75628c64143cb192b408.txt",
		"img": "https://archive.orkl.eu/764d85b2af71ed9e088e75628c64143cb192b408.jpg"
	}
}