A day after Canon was suspected of becoming the latest high-profile victim of a ransomware attack, an internal employee communique admitting just that has been leaked to media.
According to Bleeping Computer, the camera-maker has circulated a note to employees confirming that ransomware is to blame for outages across its main U.S. website, email, collaboration platforms and various internal systems.
“Canon U.S.A, Inc. and its subsidiaries understand the importance of maintaining the operational integrity and security of our systems,” reads the note, a screenshot of which has been posted by the outlet. “Access to some Canon systems is currently unavailable as a result of a ransomware incident we recently discovered. This is unrelated to the recent issue which affected image.canon.”
When asked for confirmation, Canon, for its part, simply told Threatpost: “We are currently investigating the situation. Thank you.”
The Maze ransomware gang has taken credit for the outage, claiming to have lifted “10 terabytes of data, private databases etc.” in the process. This fits in with the known modus operandi of the group, which usually threatens to leak or sell sensitive data if the target doesn’t pay the ransom. In fact, researchers said in April that the Maze gang has created a dedicated web page, which lists the identities of their non-cooperative victims and regularly publishes samples of the stolen data. This so far includes details of dozens of companies, including law firms, medical service providers and insurance companies, that have not given in to their demands.
“Maze is a particularly malicious strain of ransomware, the criminal actors claim to steal their target’s data each time, and threaten to release it publicly if they refuse to pay the ransom,” Tiago Henriques, Coalition’s GM of customer security, told Threatpost. “Its ransom demands are also particularly costly – the average Maze demand we’ve seen is approximately five-and-a-half times larger than the overall average.”
The Canon USA website was still not up at the time of this writing, with a previous “the site is undergoing temporary maintenance” splash page now replaced with a picture of a hot-air balloon and the text, “Our heads aren’t in the clouds. We’re just busy updating our site. Please check back soon! In the Meantime [sic], please visit us at: Canon Online Store or Canon Forum.”
As the page indicates, other Canon assets, including its global website, appear to be unaffected, potentially meaning that the consumer-electronics giant’s security included working failsafe measures to limit the damage.
If so, Canon can count itself a rarity, according to researchers: “In our ethical hacking engagements we are typically able to gain complete control of networks in one to three days and the presence of security products rarely…prevent us from exploiting computer systems,” Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said via email. “The Maze group has proven themselves as good as professional security testing organizations and the significant bounty they collect from extorting their victims means they are well funded to develop their own exploits and bypass methods. Given this, it’s not surprising that they have been able to compromise many large high-profile targets. The reality is that it is very difficult to protect yourself from a skilled adversary.”
The large-electronics-vendor-hit-by-ransomware situation is eerily similar to the recent attack on Garmin, which was the work of the WastedLocker ransomware and Evil Corp. In that case, the GPS specialist reportedly paid a multimillion-dollar ransom to retrieve its files.
“Ransomware has been taking businesses hostage (literally), and the tools, tactics and procedures criminal actors are using have become even more advanced in recent months,” Henriques said. “In the first half of 2020 alone, we observed a 279-percent increase in the frequency of ransomware attacks amongst our policyholders.”
This is a developing story, and Threatpost will update the details as more become available and can be independently confirmed.