Multinational corporation Canon reportedly fell victim to a ransomware attack launched by the Maze group against its email and storage services and its U.S. website on July 30th. Maze has threatened to leak the photos and data if a cryptocurrency ransom is not paid. The image.canon site was out of service for six days, during which it displayed status updates.
It went back into service on August 4th. Canon put out a statement that day saying there had been no leak of image data, nor of thumbnails of the photos stored in the cloud service. However, the severity of the attack was confirmed on August 5 by BleepingComputer, which reported that the ransomware gang claimed to have stolen almost 10 TB of photos, files and other data.
The publication reported a notification sent by Canon’s IT department over the company-wide network confirming that “widespread system issues” were affecting multiple applications. Unusually, Maze said its attack had not caused the six-day outage.
As part of this outage, Canon USA’s website is now displaying errors or “page not found” errors when visited. The list of Canon domains that appear to be affected by this outage includes:
Since then, BleepingComputer claims to have obtained a partial screenshot of the alleged Canon ransom note, which it was able to identify as coming from the Maze ransomware.
According to BleepingComputer, Maze told them that they stole “10 terabytes of data, private databases etc” as part of the attack on Canon. Maze declined to share any further information about the attack, including the ransom amount, proof of stolen data, and the number of devices encrypted. “While we first thought that the image.canon outage was related to the ransomware attack, Maze has told us that it was not caused by them,” said BleepingComputer.
“The ransomware attack on Canon is yet another example of the Maze gang’s sustained and brazen targeting of enterprises. Following other recent high-profile attacks, this latest salvo should be a wake-up call to all the enterprises who haven’t taken the time to assess their security posture and bolster their defenses against these pernicious adversaries,” said John Shier, senior security advisor, Sophos. “Many of these attacks start by exploiting external services or simple phishing campaigns. The successful campaigns will often be followed by living-off-the-land techniques, abusing over-privileged and under-protected accounts, and hiding in plain sight.”
According to Shier, enterprises must take the time to ensure they have built a strong security foundation (e.g. principle of least privilege, MFA everywhere, patching, user training, and so on), which includes investing in both prevention and detection technologies today if they don’t want to be a victim tomorrow. Maze is a human-operated ransomware that targets enterprises: its operators compromise a network and stealthily move laterally through it until they gain access to an administrator account and the organisation’s Windows domain controller.
During this process, the Maze operators steal unencrypted files from servers and backups and upload them to the threat actor’s servers. Once they have harvested anything of value from the network and gained access to a Windows domain controller, they deploy the ransomware throughout the network to encrypt all of the devices. If a victim does not pay the ransom, Maze publicly releases the victim’s stolen files on a data leak site that the group has created.
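The data-theft stage described above (bulk copying of files from servers and backups to an external host before any encryption happens) is one point where a defender can get an early signal. The following is an added example, not code from the article, Sophos or BleepingComputer: it sums each host's daily egress to addresses outside an assumed set of internal ranges and flags a day whose volume jumps far above that host's own baseline. The log format, hostnames, addresses and volumes are constructed for the example.

```python
import ipaddress
import re
import statistics
from collections import defaultdict

# Constructed sample egress records (assumed key=value format; not real Canon data).
SAMPLE_LOG = """\
2020-07-27T01:10:00Z src=backup01 dst=203.0.113.10 bytes_out=40000000
2020-07-28T01:10:00Z src=backup01 dst=203.0.113.10 bytes_out=45000000
2020-07-29T01:10:00Z src=backup01 dst=203.0.113.10 bytes_out=42000000
2020-07-29T02:14:11Z src=backup01 dst=10.20.0.5 bytes_out=9000000000
2020-07-30T02:14:11Z src=backup01 dst=198.51.100.7 bytes_out=2500000000000
2020-07-27T08:00:00Z src=web01 dst=203.0.113.10 bytes_out=800000000
2020-07-28T08:00:00Z src=web01 dst=203.0.113.10 bytes_out=820000000
2020-07-29T08:00:00Z src=web01 dst=203.0.113.10 bytes_out=790000000
2020-07-30T08:00:00Z src=web01 dst=203.0.113.10 bytes_out=810000000
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ src=(\S+) dst=(\S+) bytes_out=(\d+)$")
# Assumed internal address space; a real deployment would use its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def daily_external_egress(log_text):
    """Sum bytes sent to non-internal destinations, keyed by host then day."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        day, host, dst, nbytes = m.groups()
        if is_internal(dst):
            continue  # copies between internal hosts are not the upload we want here
        totals[host][day] += int(nbytes)
    return totals


def flag_egress_spikes(log_text, ratio=10.0, min_bytes=1_000_000_000):
    """Return (host, day, bytes, baseline) where a day's external egress is at least
    min_bytes and more than ratio times the median of that host's other days."""
    alerts = []
    for host, by_day in daily_external_egress(log_text).items():
        for day, nbytes in sorted(by_day.items()):
            others = [v for d, v in by_day.items() if d != day]
            if not others:
                continue  # a single day gives no baseline to compare against
            baseline = statistics.median(others)
            if nbytes >= min_bytes and nbytes > ratio * baseline:
                alerts.append((host, day, nbytes, baseline))
    return alerts
```

The `min_bytes` floor keeps a busy but normal host such as `web01` from alerting on small day-to-day variation, while the ratio test catches the backup server whose outbound volume suddenly dwarfs its own history.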