Maze Ransomware Attacks Impacting Construction



Maze ransomware attacks – involve double extortion – both encrypting data and stealing data -- demanding a ransom payment to decrypt the data and to prevent publication of stolen data.

The Maze group does not shy away from attacking construction companies helping on the front lines of the COVID-19 Pandemic or US military contractors.

Since nefarious threat actors are seeking to capitalize on cyber vulnerabilities, a dedicated Stand-Alone Cyber Insurance policy is a valuable solution should they find a way around your cybersecurity defenses.

Phishing Schemes Surge During Remote Work 2020

COVID-19 Pandemic

During the COVID-19 crisis, we have seen new ransomware threats to businesses of all sizes, even to facilities tasked with saving lives.

According to the 2020 Verizon Data Breach Investigations Report, money still makes the cybercrime world go round – even during the Pandemic.

"As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount," said Tami Erwin, CEO of Verizon Business. "In addition to protecting their systems from attack, we urge all businesses to continue employee education as phishing schemes become increasingly sophisticated and malicious."

Phishing Emails Back in Vogue for Ransomware Attacks

Reports indicate that once again, phishing emails are the starting point for ransomware attacks in the US and Europe. In recent years, hackers have successfully pivoted to using remote ports, often demanding six- or seven-figure ransom payments to unlock data.

One reason some attackers could have shifted back towards email is because of the number of people who are now working remotely. Email allows threat actors to rely on human behavior to be successful -- with just one click.

A recent ransomware campaign that researchers have dubbed "Mr. Robot" has been targeting entertainment, manufacturing, and construction companies across the US. Messages claiming to be from the Department of Health or healthcare services use subjects related to COVID-19 test results to lure victims into clicking a link to see a document.

If the victim clicks through, this ransomware is installed, and the attackers demand $100 in exchange for the return of files (far below the ever-increasing ransom demands). Since these initial ransom demands have been minimal, researchers assume this campaign is targeting home users rather than businesses.

Ransomware Scenario

One morning, you log in to your company network to find that cybercriminals have accessed your entire corporate network and locked all your files and databases, bringing operations to a halt. Do you have a solution?

Restoring your systems and data from back-ups and getting back to normal operations could take hours, days, or weeks.

You could pay the ransom demand in hopes that the hackers deliver the promised decryption key to unlock your data, but the cybercriminals may not keep their word to unlock your data. According to the FBI's Internet Core Competency Certification (IC3) 2019 Internet Crime Report over 2,000 organizations in the US alone faced this problem after being hit by ransomware last year, costing millions in losses and remediation.

While you discuss the situation with management, you become the victim of double extortion, a new trend in 2020. Before encrypting your files and databases, the cybercriminals extracted large amounts of records with sensitive commercial information, and now threaten to publish it unless ransom demands are paid – adding pressure on your company to pay the ransom. Do you have a solution?

Maze Ransomware Attacks are Game Changers

As reported, the first published double extortion case involved Allied Universal, a large American security staffing company, in November 2019. When the victims refused to pay a ransom of 300 Bitcoins (approximately US$2.3 million), the attackers, who used the Maze ransomware, threatened to use sensitive information extracted from Allied Universal's systems as well as stolen email and domain name certificates for a spam campaign impersonating Allied Universal.

The hackers published a sample of the stolen files, including contracts, medical records, and encryption certificates. Later, the attackers posted 10% of the stolen information on a Russian hacking forum along with a new ransom demand that was 50% higher.

Since then, the Maze group has made headlines in a number of high-profile cyberattacks, including against IT services giant Cognizant and the city of Pensacola, Florida, and it has published details of dozens of companies who have refused to pay the ransom on a dedicated web page.

Maze ransomware attacks are game changers for cyber risk mitigation.

Even with backups (which can be used to restore lost or stolen data), businesses face the additional threat of publication of confidential or sensitive information. If the threat is carried out, the business is faced with complying with all the legal obligations and liabilities required after a data breach (such as breach notification to all those impacted).

Ransomware Attacks Plague the Engineering and Construction Sectors

COVID-19 Hospital Construction Firms Attacked

Cybercriminals have no shame in attacking businesses working on the front lines of the COVID-19 Pandemic. In two separate cyber incidents, hackers attacked two UK-based construction companies involved in building emergency coronavirus hospitals (aka NHS Nightingale Hospitals) in the UK:  

  • In May 2020, Bam Construct took services offline to mitigate a ransomware attack. Bam reported having stood up well due to precautions they had taken for employees working from home in unprecedented numbers.
  • In May 2020, unknown hackers stole PII (with a high value on the dark web) on 100,000 people from outsourcing giant Interserve, which holds crucial Government contracts for a range of services in prisons, schools, and hospitals. Since attackers are seeking to gather sensitive information related to the coronavirus outbreak, the company has been working with the UK's National Cyber Security Centre (NSCS) and the US Cybersecurity and Infrastructure Security Agency (CISA) since the attack.

Hackers and fraudsters have been persistent in seeking out construction companies in ransomware attacks:

  • In February 2020, the Canadian construction company, Bird Construction, disclosed that it had suffered a Maze ransomware attack in Dec. 2019. Maze claims to have stolen 60 GB of data from the company, which landed contracts valued at more than $400 million with Canada's Department of National Defense between 2006 and 2015. Bird reported no business impact as they worked with leading cybersecurity experts to restore access to affected files. Maze published files containing employees' personal data and information relating to Canadian company Suncor Energy, with which Bird Construction has worked on multiple projects.
  • In February 2020, the French construction giant Bouygues Construction disclosed a Maze ransomware attack had occurred in January, affecting its IT network but not paralyzing its activity. The company shut down information systems to mitigate the loss, progressively bringing them back into service after being tested. Maze has also posted a 1.2-gigabyte file that allegedly contains stolen data from Bouygues Construction.
  • In March 2020, EMCOR Group, the US-based engineering and industrial construction services provider, disclosed that the Ryuk ransomware attack took down some of its IT systems. This cyberattack did not involve data theft, clarified by EMCOR because of the double extortion trend.

The Maze group does not shy away from stealing data from US military contractors:

  • Recent reports indicate that a large US military contractor involved in the maintenance of the United States' Minuteman III nuclear arsenal has been hit by Maze ransomware, encrypting some of the company's files, and affecting computer systems. As reported, the Maze ransomware attack involved double extortion -- uploading files (some of which could contain classified information) to servers owned by the Maze ransomware operators.

Construction companies should take preventative cybersecurity measures, including the use of anti-malware software and firewalls, unique, complex passwords, two-factor authentication, limited authorized access to data and systems, timely patching and software updates, and ensuring backups of critical and sensitive data to reduce the financial damage caused by a ransomware attack.

What if your cybersecurity systems fail? Do you have a solution?

Construction companies do have a solution -- Stand-Alone Cyber Insurance – providing valuable services (such as an incident response plan), and insurance coverage for cyber financial loss (such as business interruption).

Stand-Alone Cyber Insurance Coverage for Ransomware Attacks

Many cyber liability policies provide ransomware (aka cyber extortion) coverage to protect your business against ransomware losses. The key is to obtain robust coverage to address this growing cyber risk trend.

For example:

  1. Ransom payments – when hackers encrypt and lock your network or computer system demanding payment of ransom for the key to decrypt and unlock your system.
  2. Business Interruption – lost profits during business operation downtime (after a brief waiting period).
  3. Extra expenses – payroll expenses, costs incurred to make the ransom payment, and costs for hiring a security expert to help you negotiate during the ransomware attack.
  4. Data restoration -- when you sustain losses due to damage, disruption, theft, or misuse of your data, such as the cost to restore, replace or reconstruct programs, software, or data.

Keep in mind the notice requirements in a ransom scenario. The policyholder is required to obtain prior written consent from their insurance company before making a ransom payment in compliance with policy terms. The same holds true for hiring a consultant to help your company negotiate with the extortionist.

Stop nefarious threat actors from capitalizing on your cyber vulnerabilities. A dedicated Stand-Alone Cyber Insurance policy is a valuable, complementary solution to enhance your cybersecurity practices, procedures, and tools.


  • Construction companies should take preventative cybersecurity measures, including the use of anti-malware software and firewalls, unique, complex passwords, two-factor authentication, limited authorized access to data and systems, timely patching and software updates, and ensuring backups of critical and sensitive data to reduce the financial damage caused by a ransomware attack.
  • Cyber risk awareness programs pay dividends when employees take precautions that thwart phishing or spear-phishing attacks, ransomware attacks, social engineering, business email compromise, invoice manipulation, or unauthorized access leading to a data breach.
  • In addition to proper cyber hygiene and cyber risk awareness, construction companies can and should rely on Stand-Alone Cyber Insurance to benefit from the services provided, (such as an incident response plan), and the coverage for cyber financial loss that cannot be prevented.

Reach out to a specialist cyber broker, such as Cyber Armada Insurance, to request robust Stand-Alone Cyber Insurance solutions appropriate for your needs and cyber risk tolerance. We understand the evolving demands and expectations of cyber insurance clients.

Contact Cyber Armada today to examine how your company faces potential financial losses from ransomware attacks, including ransom payments and cyber-related business interruption. Contact us at 888.727.6232.

Next Article

Please watch for our next article on Internet of Things cyber risks in the construction industry.

This article is made available for informational purposes and is not intended to be a substitute for professional or legal advice. No attorney client relationship is formed or implied between you and the authors(s) or Cyber Armada Insurance.
Cyber Armada Team
Posted by Cyber Armada Team on Aug 5, 2020

Apply for Cyber Insurance Online

Answer a few questions online and Cyber Armada will design a cyber insurance policy tailored to your particular needs.

Apply Online
Apply for Cyber Insurance
Schedule an appointment with Cyber Armada

Can we talk?

We're ready to talk when you are. You can schedule an appointment to speak with a representative from Cyber Armada when it is most convenient for you. Whenever possible we use online meetings to increase productivity and increase the amount of time we can spend with you. We use Zoom Meetings as our preferred video conferencing platform.

Schedule Appointment