Xerox, Conduent Hit With Brazen Demand From Maze Hackers

In a brazen, open letter to its victims, the Maze ransomware group is claiming that economic hardships related to COVID-19 are forcing them to take a tough line with their “clients” and demanding payment by Sunday, threatening “reputation damage and financial” loss.

“If you have failed to start communication in three days you can blame only yourself for you (sic) reputation damage and financial lost (sic),” the hacker group posted on its news website.

Among the companies being threatened are Florham Park, N.J.-based Conduent and Norwalk-based Xerox, which have each recently fallen prey to the malware, with word that Xerox was hit last week along with screenshots that purported to show information that was stolen.

Conduent said its European systems were attacked in May. The company said it took about nine hours to lock down the attack and restore the systems. However following that event, the hackers published a document that appeared to be an invoice from Conduent’s customer Vodafone in Germany. Conduent and Xerox did not return requests for comment about the hacker demands.

Brett Callow, a threat analyst with Emsisoft, an anti-malware software provider, said the threats probably means that the criminals are finding it harder to extract payment due to the pandemic having left a very large number of companies in financial distress. He said some will not be able to pay the amount they may have been willing to pay previously, and some will not be able to pay at all.

“Maze does likely have data relating to these companies, and will likely publish it if they remain non-complaint,” Callow told CRN. “In fact, we know they do as they’ve already published small snippets of the information. However, whether they have as much data as they claim and whether it’s as sensitive as they claim is a completely different matter. This could simply be an attempt to pressure the companies into settling before they complete their forensic investigations and realize that Maze did not extract as much data as they claim.”

The Maze group is unsparing of its victims in demanding that they talk, claiming they are not “physiologists” – possibly meaning psychologists -- who will try to understand why victims might refuse to start a conversation.

“Negotiation means the dialog (sic) and finding the best solution for both parties,” the group wrote. “If the client is too shy, or scared or just can’t negotiate, this is exclusively the client’s problem.”

The group said it was pushing victims for payment due to economic circumstances that it is now in due to the COVID-19 pandemic.

“The whole world is in pandemic and deep economy (sic) crisis. We are also in the same reality with the whole world,” the group wrote.

The hacker group said it will begin publishing data in three days and will finish publishing all of the data in 10 days.

“No more delays of a month or two,” they wrote. “With the start of publication we will also notify all of the client’s partners, clients and regulators.”

Several large solution providers have been hit this year by Maze or other ransomware, with Cognizant announcing their systems were hit in April by Maze which could come at a remediation cost of $50 million to $70 million, not including lawsuits.

Maze said it wants to deal honestly with the victims whose information they have stolen.

“The Maze team is proud of its reputation,” the group wrote, “so we will (try) to respect scrupulously the agreement with the client. Our business is based on it. Our honesty is our revenue.”