{
	"id": "427c7814-d58c-454c-aecd-ee6c8cc4fed1",
	"created_at": "2026-04-06T00:13:02.973002Z",
	"updated_at": "2026-04-10T13:11:51.20522Z",
	"deleted_at": null,
	"sha1_hash": "c0b5c84d0be9716d9930b83cab1d8b7c2bb8f3fe",
	"title": "Allied Universal Breached by Maze Ransomware, Stolen Data Leaked",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1697715,
	"plain_text": "Allied Universal Breached by Maze Ransomware, Stolen Data Leaked\r\nBy Lawrence Abrams\r\nPublished: 2019-11-22 · Archived: 2026-04-05 16:34:16 UTC\r\nAfter a deadline was missed for receiving a ransom payment, the group behind Maze Ransomware has published almost 700\r\nMB worth of data and files stolen from security staffing firm Allied Universal. We are told this is only 10% of the total files\r\nstolen and the rest will be released if a payment is not made.\r\nThis is an unfortunate story and one that BleepingComputer does not enjoy telling, but with Maze's actions it is important to\r\nbe told.\r\nWith this escalated attack, victims now need to not only be concerned about recovering their encrypted files, but what would\r\nhappen if their stolen unencrypted files were leaked to the public.\r\nhttps://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nMaze Ransomware contacts BleepingComputer\r\nMaze is a ransomware infection that been operating for some time, but has become increasingly more active since May\r\n2019. 
The affiliates of Maze are also becoming more known, with ProofPoint identifying one as TA2101 after seeing them\r\nconduct numerous malspam campaigns that impersonate government agencies.\r\nLast Friday at 6:35 PM EST as I was finishing for the day, I received an email from a known email address utilized by the\r\nMaze Ransomware.\r\nThis email was signed from the 'Maze Crew' and was about how they breached a large security staffing company named\r\nAllied Universal, who employs approximately 200,000 people and has revenues of over $7 billion USD.\r\n\"I am writing to you because we have breached Allied Universal security firm (aus.com), downloaded data and executed\r\nMaze ransomware in their network.\r\nThey were asked to pay ransom in order to get decryptor and be safe from data leakage, we have also told them that we\r\nwould write to you about this situation if they dont pay us, because it is a shame for the security firm to get breached and\r\nransomwared.\r\nWe gave them time to think until this day, but it seems they abandoned payment process.\r\nI uploaded some files from their network as the data breach proofs. If they dont begin sending requested money until next\r\nFriday we will begin releasing on public everything that we have downloaded from their network before running Maze.\"\r\nIncluded in this email was a small sample of files that were allegedly stolen from Allied Universal. 
After being reviewed by\r\nBleepingComputer, these appeared to be legitimate files stolen from the company.\r\nSample of stolen Allied Universal files\r\nIn further conversations, the Maze actors told us that they encrypted 'a lot' of computers and are demanding 300 bitcoins, or\r\napproximately $2.3 million USD, to decrypt the entire network.\r\nThey went on to tell us that before they encrypt any computer, they always exfiltrate, or steal, a victim's files so they can be\r\nused as further leverage to have the victim pay the ransom.\r\nWhen I asked what assurances the victims have that Maze will actually delete the files, we were told they were not\r\ninterested in their data, just their money.\r\n\"It is just a logic. If we disclose it who will believe us? It is not in our interest, it will be silly to disclose as we gain nothing\r\nfrom it. We also delete data because it is not really interesting. We are neither espionage group nor any other type of APT,\r\nthe data is not interesting for us.\"\r\nWhen we contacted Allied Universal to not only get a statement, but to also warn them about the Maze crew's threats, we\r\nwere told the situation was under investigation.\r\n\"Allied Universal is aware of a situation that may involve unauthorized access to our systems. We take any situation of this\r\nnature very seriously. This incident is being thoroughly investigated by Allied Universal IT experts who have taken\r\nimmediate and appropriate actions to reinforce existing security measures and to mitigate any potential impact. We also have\r\nengaged outside cybersecurity experts to re-verify our system’s security. 
Keeping our company data safe and that of our\r\ncustomers and employees is of paramount importance,\" Allied Universal told BleepingComputer in a statement.\r\nFurther attempts to contact Allied were met with them stating that they \"will not be providing any additional comment at this\r\ntime.\"\r\nOver the next couple of days, Maze told us that they continue to have access to the company's servers and shared a list of\r\nfile names associated with TLS and email signing certificates.\r\nThey further warned that if Allied Universal did not pay, the Maze actors would conduct a spam campaign using Allied's\r\ndomain name and email certificates.\r\n\"Ask them a question: would they like if next Monday TA2101 impersonate Allied Universal in a spam campaign using the\r\nnext certs? Saving pfx's plaintext password in pw.txt is so secure for a security company. LMAO. I think you should write\r\namazing article about this. Name it: \"HOWTO: The easiest way for a security company to be f**ked up\"\"\r\nAfter a lack of negotiation occurring between Maze and Allied Universal, the Maze actors more pointedly indicated\r\nthat BleepingComputer should publish a story about what was happening.\r\nBleepingComputer did not feel comfortable being used as leverage in their negotiations. Instead we decided to wait until\r\neither Allied Universal paid the ransom, the company issued a public statement, or stolen files were leaked.\r\nMaze releases some of the Allied Universal files\r\nKnowing that tomorrow was Maze's deadline, we were surprised tonight when they posted in our forums a description of the\r\nbreach and a link to almost 700 MB of leaked files.\r\n\"We have already morning of Friday. Yes, it is friday in asia. 
Forgot to mention that deadline is a friday by our local time,\r\nand not US.\"\r\nThis link was for a 7-zip archive containing files related to termination agreements, contracts, medical records, server\r\ndirectory listings, encryption certificates, and exported lists of users from their active directory servers.\r\nMore leaked files\r\nAs I was not going to allow BleepingComputer to be used to distribute stolen data, I deleted the post from our forums.\r\nIn a later email to us they shared a link to a post on a Russian hacker and malware forum that once again describes the\r\nbreach and also contains a link to the leaked data. They also stated that they will distribute the other 90% of the leaked data\r\nto WikiLeaks if an increased ransom of $3.8 million dollars is not paid.\r\nPost on Russian hacker and malware forum\r\nThis increased amount is highly unlikely, as Maze told us that in their negotiations with Allied Universal, the company said\r\nthey would pay no more than $50,000 USD.\r\nNow that the data and breach had been publicly disclosed by the Maze actors, we contacted law enforcement, once again\r\nattempted to contact Allied without a response, and decided to write this article.\r\nWhat does this mean going forward?\r\nWhile many ransomware developers have threatened to release data if a ransom was not paid, this is the first time we know\r\nof that it has actually happened and in such a visible manner.\r\nWith threat actors escalating their attacks to public disclosure of confidential and sensitive files, victims need to weigh the\r\ncost of ransomware payments versus the potential costs of sensitive employee and business information or confidential trade\r\nsecrets being released to the public.\r\nFurthermore, with ransomware actors actively searching through files on a victim's machines in order to further extort 
their\r\nvictims, in many cases these attacks should now be considered data breaches.\r\nThis leads to an escalated cost of dealing with breach notifications, hiring data breach lawyers, and the potential lawsuits\r\nthat may follow.\r\nIt is too soon to tell if this tactic will prove fruitful, but this is definitely something we will need to keep an eye on going\r\nforward.\r\nSource: https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/"
	],
	"report_names": [
		"allied-universal-breached-by-maze-ransomware-stolen-data-leaked"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434382,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0b5c84d0be9716d9930b83cab1d8b7c2bb8f3fe.pdf",
		"text": "https://archive.orkl.eu/c0b5c84d0be9716d9930b83cab1d8b7c2bb8f3fe.txt",
		"img": "https://archive.orkl.eu/c0b5c84d0be9716d9930b83cab1d8b7c2bb8f3fe.jpg"
	}
}