Light Dark
June 18, 2020 By David Bisson 3 min read
News

In early June 2020, the Maze gang teamed up with other crypto-malware actors to extort non-paying victims using its shared data leaks platform. Maze wasn’t the only strain that made news. Those behind the REvil family also attracted the security community’s attention when it began auctioning off data stolen by their creation. Additionally, security researchers discovered two new crypto-malware groups: Kupidon and Avaddon.

Top Story: Maze’s New Extortion Cartel

On June 3, digital security intelligence firm KeLa informed Bleeping Computer that the Maze ransomware gang had added information stolen from an architectural firm to its “Maze News” data leak site. This data dump wasn’t the first time Maze had publicly posted the stolen data of a victim who had refused to meet a ransom demand, but it was the first time Maze’s actors had used their site to publish the information stolen by a different ransomware group. Indeed, the information had come from a successful attack conducted by the LockBit Ransomware-as-a-Service (RaaS) platform.

Bleeping Computer contacted the Maze operators for clarification. In their response, the ransomware actors revealed they had partnered with LockBit to share their experience and data leaks platform. They also disclosed that another ransomware group would be joining their cartel in the coming days and that other gangs had shared their desire to join in the future.

Sure enough, Bleeping Computer learned of a “Maze News” posting pertaining to the Ragnar Locker ransomware strain just days later.

Also in Ransomware News

  • Victim Data Auctioned Off by REvil Ransomware Group: In the beginning of June, KrebsonSecurity learned that the malicious actors responsible for distributing REvil ransomware had posted an update on their “Happy Blog” dark web data leak site. The post announced that the digital attackers would begin auctioning off three databases and more than 22,000 files which they had stolen from an agricultural company. In their update, REvil’s handlers announced that the minimum deposit was $5,000 and that the bidding for the entire collection of stolen data would start at $50,000.
  • New Kupidon and Avaddon Ransomware Strains Discovered: On June 5, Bleeping Computer reported on a security researcher’s discovery of a new ransomware strain back in the beginning of May. The crypto-malware threat, detected as “Kupidon,” targeted both users and corporations at the time of discovery. After performing its encryption routine, the ransomware instructed the victim in its ransom note to visit a Tor site that contained an image of cupid and an email address for receiving payment instructions. News of Kupidon came just days before the computer self-help site learned about an attack campaign in which malspam emails containing a smily or winky face had leveraged a malicious JavaScript downloader to infect victims with samples of the new Avaddon ransomware family.
  • Decryption Tool Released for Tycoon Ransomware: The BlackBerry Research and Intelligence Team uncovered Tycoon, a multi-platform ransomware written in Java. The researchers found that malicious actors were using a trojanized java runtime environment (JRE) along with an obscure java image format to target Windows and Linux machines operated by SMBs in the education and software industries. Over the course of their analysis, the researchers found that Tycoon had reused a common RSA private key and subsequently wondered whether victims could recover their data encrypted by earlier versions of the ransomware for free. Emsisoft confirmed this to be the case when it released its updated RedRum decryption software (The earliest version of Tycoon had a .redrum file extension, per Dark Reading.).
  • QNAP Storage Devices Targeted by eChoraix Ransomware: At the beginning of June, ID-Ransomware documented a surge of reports from eChoraix victims seeking help to recover their data. A closer look revealed that the malicious actors who perpetrated those attacks gained access to QNAP storage devices by abusing vulnerabilities or by brute-forcing weak passwords. Upon gaining access, the ransomware then ran its decryption routine before dropping a ransom demand in which it asked victims to hand over a ransom fee of $500.
  • Thanos RaaS Tool Connected to Hakbit: According to Recorded Future, Insikt Group discovered Thanos Ransomware-as-a-Service (RaaS) for sale on an exploit forum while investigating the weaponization of RIPlace technique. In the process of analyzing the new ransomware, Insikt Group found that Thanos shared similar code with Hakbit, among other commonalities. These connections led Insikt Group to conclude that malicious actors had constructed Hakbit using the Thanos ransomware builder.

How to Defend Against Ransomware

Security professionals can help their organizations defend against a ransomware infection by ensuring they have access to the latest threat intelligence. These information feeds will give them the necessary data they need to stay on top of the latest crypto-malware attacks and techniques. Infosec personnel should also leverage an endpoint management tool to monitor their endpoints for suspicious activity that could be indicative of a ransomware infection.

 |  | 
David Bisson
Contributing Editor

More from News
January 13, 2025

Insights from CISA’s red team findings and the evolution of EDR

3 min read - A recent CISA red team assessment of a United States critical infrastructure organization revealed systemic vulnerabilities in modern cybersecurity. Among the most pressing issues was a heavy reliance on endpoint detection and response (EDR) solutions, paired with a lack of network-level protections. These findings underscore a familiar challenge: Why do organizations place so much trust in EDR alone, and what must change to address its shortcomings? EDR’s double-edged sword A cornerstone of cyber resilience strategy, EDR solutions are prized for…

December 30, 2024

DHS: Guidance for AI in critical infrastructure

4 min read - At the end of 2024, we've reached a moment in artificial intelligence (AI) development where government involvement can help shape the trajectory of this extremely pervasive technology. In the most recent example, the Department of Homeland Security (DHS) has released what it calls a "first-of-its-kind" framework designed to ensure the safe and secure deployment of AI across critical infrastructure sectors. The framework could be the catalyst for what could become a comprehensive set of regulatory measures, as it brings into…

December 26, 2024

Apple Intelligence raises stakes in privacy and security

3 min read - Apple’s latest innovation, Apple Intelligence, is redefining what’s possible in consumer technology. Integrated into iOS 18.1, iPadOS 18.1 and macOS Sequoia 15.1, this milestone puts advanced artificial intelligence (AI) tools directly in the hands of millions. Beyond being a breakthrough for personal convenience, it represents an enormous economic opportunity. But the bold step into accessible AI comes with critical questions about security, privacy and the risks of real-time decision-making in users’ most private digital spaces. AI in every pocket Having…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature