Canon said to be latest Maze ransomware victim

Canon may have had up to 10TB of its data exfiltrated by the Maze ransomware gang

An ongoing cyber security incident at Canon is believed to be the latest work of the cyber criminal gang behind the Maze ransomware, an increasingly active and dangerous group that is spearheading the trend of double extortion cyber attacks, where data is not only encrypted and held to ransom, but stolen and leaked.

In the case of Canon, the Maze gang may have exfiltrated up to 10TB of Canon’s data, according to BleepingComputer, which has been closely following the reports.

At the time of writing, the incident was affecting around 25 different Canon domains and a number of its internal applications, including email and collaboration services.

A spokesperson for the firm told Computer Weekly: “We are aware that Canon USA are experiencing system issues – an investigation is currently taking place. We can confirm, however, that this is unrelated to the data loss we experienced on image.canon earlier this week.”

This is a reference to an earlier outage and data loss incident at Canon which occurred on 30 July, when the organisation found an issue involving long-term storage on its image.canon domain. It said a portion of users’ still images and video data stored on its cloud platform was lost.

BleepingComputer, meanwhile, claimed to have spoken to the operators of Maze, who said they were behind the attack but declined to provide further details, such as the scale of the ransom they are demanding.

“Maze Group ransomware operators use name-and-shame tactics whereby victim’s data is exfiltrated prior to encryption and used to leverage ransomware payments,” said Vectra Europe, Middle East and Africa (EMEA) director, Matt Walmsley.

“The bullying tactics used by such ransomware groups are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate. These attackers will attempt to exploit, coerce, and capitalise on organisations’ valuable digital assets.”

Alsid director Jérôme Robert said: “If these reports of a ransomware attack prove accurate, there is one silver lining in that the attack comes after last week’s earnings report. When Garmin was the subject of an attack last week, its share price fell by 8% from $102 to $94.

“Aside from all the operational difficulties such attacks entail, these attacks can have serious financial ramifications too, particularly in an economic environment already reeling from Covid-19.

“As well as working to remediate the attack and its impact, Canon will soon be busy communicating with its customers and stakeholders about the impact of the attack. As Travelex found at the start of the year, an absence of communication can leave a void which is filled by conjecture and speculation that only increases the damage.”

The Maze gang has a tendency to first seek out and penetrate regular user accounts and then manoeuvre themselves through the network to seek out more privileged entities associated with accounts, hosts and services. These offer better access that can ease replication and propagation through the victim’s systems, said Walmsley. Once they have a privileged account in hand, they can deploy their tools and access the data they need to finalise the attack.

Walmsley said that the only way to really respond to this was to become as agile as possible. “Time is the most precious resource in dealing with ransomware attacks. Early detection and response is key to gaining back control,” he added.

Druva chief technologist Stephen Manley agreed: “Organisations that embrace the agility and flexibility of cloud data protection are best positioned to respond and ensure their data remains safe and accessible from cyber attackers. It’s the most effective way to detect malware and ransomware intrusions and protect the entire environment.”

Sophos’ senior security advisor John Shier, who has been tracking these so-called double extortion attacks, which Sophos refers to as social attacks, said that if accurate, the attack on Canon was another example of Maze’s “sustained and brazen” targeting of businesses.

“Many of these attacks start by exploiting external services or simple phishing campaigns. Successful campaigns will often be followed by living-off-the-land techniques, abusing over-privileged and under-protected accounts, and hiding in plain sight,” said Shier.

“Enterprises must take the time to ensure they’ve built a strong security foundation, for example, principle of least privilege, MFA [multi-factor authentication] everywhere, patching, user training, and so on, which includes investment in both prevention and detection technologies today if they don’t want to be a victim tomorrow.”

In a recent article produced as part of a major Sophos report on ransomware, Shier wrote that an additional and emerging trend in double extortion attacks was for cyber criminals to pit the victim’s employees against its executives and IT department by threatening to release their personal data if they do not in turn put pressure on their bosses to cave in and negotiate.

Shier said that, while it was too early to really determine whether this form of social pressure would be more profitable than traditional ransomware attacks, it has heralded a “new era” in which societal pressure and shaming is just as valuable a tool in a cyber criminal’s arsenal as any form of malware.