Maze gets rampant: exposes card numbers of Costa Rica Bank clients

Maze ransomware operators release 2GB of payment card numbers that belong to Bank of Costa Rica customers

BCR bank has been hit by Maze ransomware. 11 million credit card details stolen and promised to be released in stages

Maze ransomware is gathering momentum: the criminals managing this highly dangerous RaaS (ransomware-as-a-service) operation keep expanding their list of victims. The Cyble Research team[1] reported on May 1st, 2020 that the Bank of Costa Rica (BCR) had been attacked by Maze, which harvested over 11 million credit cards, including 4 million unique entries, 140,000 of which belong to American netizens.

The BCR was quick to reply to journalists when the news about a supposed data breach went public. It released an official statement claiming that the incident had been investigated by the Independent Government Agencies, IB, and internal BCR forces, and that the Maze attack was not confirmed[2].

After multiple analyses carried out by internal and external specialists in computer security, no evidence has been found to confirm that our systems have been violated. The permanent monitoring of our clients' transactions confirms that none has been affected.

While it's not yet clear whether the criminals behind Maze are bluffing, they claim that their team of hackers had been recording information on BCR in August 2019 and that, because the company did not manage to patch security vulnerabilities[3], they revealed 240 credit card numbers with four digits hidden.

Although the truthfulness of the attack is in question because the BCR spokesperson refuses to communicate with journalists, both business and individual clients of this bank are strongly recommended to contact customer service and clarify whether their bank accounts are secure.

The Bank of Costa Rica data breach differs from previous Maze attacks

The Maze crypto-malware is currently listed as one of the most dangerous encryption-based cyber infections, and it targets the business sector in particular. It has frequently been named on cybersecurity news sites in connection with the attacks on Cognizant[4], BJC Healthcare[5], and insurance group Chubb, among many others.

In all the previous cases, the ransomware was primarily focused on financial profit, which is why it attacked large businesses for greater income. However, the BCR data breach differs in its form and purpose.

As the criminals claim, this time they seek to show bank clients how banks fail to secure people’s credentials. As pointed out in the Maze team’s official press release of May 21, 2020[6], the breach took place at the end of summer last year. Once the ransomware had been successfully injected into the BCR’s servers, it was initially used to examine the security systems and to make the company take action to patch security loopholes.

However, as the criminals point out, the BCR did nothing except that it “decided to conceal information about the breach.” In response, the Maze ransomware owners released the first phase of clients' information belonging to BCR bank.

We regret rear Banco BCR and regulators don’t care about their clients and their personal date.

If the data is not going to be sold on the black market and no ransom is expected, what does Maze want?

Fixing security lapses to protect people's personally identifiable information (PII) is what the criminals say they are after. In the official statement of MazeTeam, the criminals keep stressing the BCR's security lapses and its resistance to patching them. However, the group reassures the bank's clients that it is not going to profit by selling personal and commercial data on the black market.

Maze did not compromise the data on the BCR service, nor did it encrypt “servers and workstations,” as the group found it “incorrect during the pandemic.” However, they claim that after the attack the company was warned multiple times and that negotiations took place.

It’s not clear, though, whether Maze really is not demanding a ransom payment from the BCR, since the latter does not elaborate on the issue and rejects claims that the data breach affected its servers.

If Maze is not bluffing, the next part of the payment card numbers, along with other leaked data, will be released this week. The team warns the BCR that the entire list of 11 million credit card numbers and other credentials will be leaked.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
