Canon services suffered an outage caused by a Maze ransomware attack, affecting internal applications, email servers, Microsoft Teams, and the USA website. Bleeping Computer said 24 Canon domains were possibly affected by the attack. Starting July 30, image.canon was inaccessible for six days, with frequent status updates posted until the problem was resolved on August 4. Although Canon initially downplayed the attack, the organization later sent a company-wide memo saying it had experienced a ransomware attack and that technicians were working to resolve the issue.
Data compromised by the attack
The Maze ransomware attack affected users of the 10GB free storage service. The Japanese camera-maker admitted that any data or images saved before June 16 were lost, but there was no leak of image data. Though not accessible, thumbnails of this information could still be viewed online. But clicking on any of the snapshots produced an error on the website.
When Bleeping Computer contacted the cybercriminals, the gang said they stole 10 terabytes of data, private databases, and other private information from the attack on Canon. The criminal gang refused to provide any evidence to back up their claims.
The gang also failed to disclose the number of devices encrypted in the Maze ransomware attack and the amount of ransom they demanded. However, the Maze ransomware operators said they were not responsible for the outage on image.canon, giving credence to the company’s initial statement that no photos were leaked. Canon said the timing of the image server outage and the Maze ransomware attack was coincidental.
“While it’s not been entirely evident, this attack is not one that happened quickly. Cybercriminals would have been inside the infrastructure and systems for some time, not hours, but most likely days, to access this many domains of the organization,” says James McQuiggan, a Security Awareness Advocate at KnowBe4.
Indicators of compromise of the Maze ransomware attack
Canon released a message saying it was investigating the situation but failed to admit that a Maze ransomware attack caused the outage.
However, Bleeping Computer received a partial screenshot of the ransom note in which the Maze ransomware gang provided steps for Canon to regain control of its systems.
Maze ransomware works by compromising ordinary user accounts on the network before spreading laterally and compromising the administrator account on the domain controller. During the process, the ransomware exfiltrates data to attacker-controlled servers while encrypting files on the affected devices.
A Maze ransomware attack begins by phishing an ordinary user. When compromised, the user device becomes the entry point for the ransomware into the corporate network. Consequently, training all users on information security becomes crucial for ensuring the safety of the corporate network.
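The two phases described above, lateral movement from a phished user account toward the domain controller and the bulk encryption that follows, both leave patterns in ordinary authentication and file-activity logs. The script below is an added example, not code from the article or from Canon, showing how a defender can flag those patterns: an account authenticating to many distinct hosts in a short window, and a host renaming many files to the same new extension within seconds. The log lines, the simplified `<timestamp> <EVENT> <user> <host> <detail>` format, and the thresholds are all constructed assumptions for illustration.

```python
"""Heuristic detection of lateral movement and mass encryption in
simplified authentication / file-rename logs (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real Canon logs.
# Format: "<ISO timestamp> <EVENT> <user> <host> <detail>"
SAMPLE_LOGS = """\
2020-07-28T09:00:00 LOGON alice WS-01 interactive
2020-07-28T09:05:00 LOGON bob WS-02 interactive
2020-07-28T13:00:00 LOGON alice FS-01 network
2020-07-28T13:00:20 LOGON alice FS-02 network
2020-07-28T13:00:45 LOGON alice WS-07 network
2020-07-28T13:01:10 LOGON alice WS-11 network
2020-07-28T13:01:30 LOGON alice DC-01 network
2020-07-28T13:02:00 LOGON alice DC-01 network
2020-07-29T02:10:00 RENAME svc_backup FS-01 budget.xlsx->budget.xlsx.locked
2020-07-29T02:10:01 RENAME svc_backup FS-01 q3.docx->q3.docx.locked
2020-07-29T02:10:01 RENAME svc_backup FS-01 plan.pdf->plan.pdf.locked
2020-07-29T02:10:02 RENAME svc_backup FS-01 notes.txt->notes.txt.locked
2020-07-29T02:10:02 RENAME svc_backup FS-01 img.png->img.png.locked
2020-07-29T02:10:03 RENAME svc_backup FS-01 db.bak->db.bak.locked
2020-07-29T10:00:00 RENAME bob WS-02 draft.docx->final.docx
"""


def parse(log_text):
    """Parse log lines into sorted (timestamp, event, user, host, detail) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, kind, user, host, detail = line.split(" ", 4)
        events.append((datetime.fromisoformat(ts), kind, user, host, detail))
    events.sort()
    return events


def lateral_movement(events, window=timedelta(minutes=10), min_hosts=4):
    """Return {user: hosts} for users that logged on to at least `min_hosts`
    distinct hosts within any period of length `window` (sliding window)."""
    logons = defaultdict(list)
    for ts, kind, user, host, _ in events:
        if kind == "LOGON":
            logons[user].append((ts, host))
    flagged = {}
    for user, seq in logons.items():
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1
            hosts = {h for _, h in seq[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[user] = flagged.get(user, set()) | hosts
    return flagged


def mass_rename(events, window=timedelta(seconds=30), min_files=5):
    """Return {host: new_extension} for hosts where at least `min_files` files
    were renamed to the same new extension within `window` (encryption pattern)."""
    renames = defaultdict(list)  # (host, new_ext) -> [timestamps]
    for ts, kind, _user, host, detail in events:
        if kind != "RENAME" or "->" not in detail:
            continue
        old, new = detail.split("->", 1)
        old_ext = old.rsplit(".", 1)[-1] if "." in old else ""
        new_ext = new.rsplit(".", 1)[-1] if "." in new else ""
        if new_ext and new_ext != old_ext:  # only extension changes count
            renames[(host, new_ext)].append(ts)
    flagged = {}
    for (host, ext), stamps in renames.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_files:
                flagged[host] = ext
    return flagged


def analyze(log_text):
    """Run both detectors over a log text and return their findings."""
    events = parse(log_text)
    return {
        "lateral_movement": lateral_movement(events),
        "mass_rename": mass_rename(events),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOGS).items():
        print(f"{name}: {hits}")
```

In the constructed sample, `alice` touches five hosts including `DC-01` within two minutes and `FS-01` sees six files renamed to `.locked` in three seconds, so both detectors fire, while `bob`'s single logon and ordinary rename are ignored. The thresholds are deliberately simple; real deployments would tune the window sizes per environment and correlate the two signals, since the article notes that data exfiltration runs alongside encryption.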
“Ransomware continues to be the favorite attack vector of cybercriminals,” McQuiggan says. “They gain access to organizations either through social engineering phishing attacks or through misconfigurations on unpatched systems found available on the internet.”
McQuiggan adds that employees should have enough knowledge and understanding of computer security to make information security decisions.
The ransomware gang also operates on double extortion or name-and-shame method, publishing the data online if the victim refuses to pay the ransom. They warned Canon against failing to pay, threatening to take actions similar to Maze ransomware attacks on Southwire, MDLab, and the City of Pensacola.
The gang has carried out successful attacks against high-profile companies in the United States, such as Conduent, Cognizant, Chubb, LG, Xerox, MaxLinear, and VT San Antonio Aerospace.
Chris Clements, VP of Solutions Architecture, Cerberus Sentinel, says Maze ransomware operators have “proven themselves as good as professional security testing organizations.” The bounty they receive enables them to develop sophisticated tools.