Maze Reportedly Posts Exfiltrated Canon USA Data
Imaging Firm's Websites Are Still Down After Ransomware Attack
The Maze ransomware group has posted on its darknet website some data it claims it stole during a recent attack against Canon USA, according to the security firm Emsisoft.
Maze claims to have posted 2.5 GB, or about 5%, of the data it says it exfiltrated from the imaging company during an early August ransomware attack, Brett Callow, an Emsisoft threat analyst, tells Information Security Media Group.
A screenshot of the Maze posting shared by Callow shows a ZIP file named StrategicPlanningpart62 as proof Maze had access to Canon's internal data. ISMG is unable to independently verify Maze's claim. No information regarding a ransom demand is mentioned on the gang's website.
Canon disclosed on Aug. 6 that it was struck by ransomware. The company noted that its cyber incident protocols were implemented upon detection, that additional endpoint threat detection and response tools were put in place, and that additional resources were engaged to help with recovery.
A spokesperson could not be immediately reached Wednesday to provide any update.
Several of Canon USA's websites remained offline as of Wednesday; the sites have been down since Aug. 5.
The continuing website issues indicate "that Maze was likely able to reach the web servers," Callow says. "It's impossible to read anything into it beyond that."
Earlier Data Loss Incident
"When Canon switched over to a new version of the software to control these services on July 30, the code to control the short-term storage operated on both of the short-term storage and the long-term storage functions, causing the loss of some images stored for more than 30 days," the company said. "By August 4, we identified the code causing the incident, and corrected it. We found no unauthorized access to 'image.canon.' The incident caused no leakage of images and those that went missing may be restorable."
Maze was the first ransomware group to exfiltrate data and threaten to release it if a ransom is not paid. Now, a number of ransomware gangs, including Avaddon, use the same tactic.
After initially gaining a foothold in an infected network, the operators behind the Maze ransomware typically move through the infrastructure to gain access to a regular user account before moving up to a privileged account, says Matt Walmsley, a director at security firm Vectra. This method enables them to deploy their tools and access the data needed to finalize their ransomware attack and extortion plan, he says.
"Maze Group ransomware operators use 'name and shame' tactics whereby victims' data is exfiltrated prior to encryption and used to leverage ransomware payments," Walmsley says. "The bullying tactics used by such ransomware groups are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate."
In May, Maze began releasing payment card data from an earlier attack on Banco de Costa Rica. The gang claimed it had some 4 million unique payment card numbers from the Costa Rican bank (see: Ransomware Gang Posting Financial Details From Bank Attack).
Chipmaker MaxLinear confirmed in June it was hit by the Maze ransomware gang in April and some "proprietary information" was exfiltrated and personally identifiable information exposed (see: Maze Ransomware Gang Strikes Chipmaker MaxLinear).