UPDATE
The Maze ransomware gang has reportedly leaked Canon U.S.A. data online.
Researchers said in April that the Maze gang had created a dedicated web page, which lists the identities of its non-cooperative victims who don’t pay ransoms and regularly publishes samples of the stolen data. This so far includes details of dozens of companies, including law firms, medical service providers and insurance companies, that have not given in to their demands. And now, according to [a report](<https://www.bleepingcomputer.com/news/security/canon-usas-stolen-files-leaked-by-maze-ransomware-gang/>) in Bleeping Computer, that list includes Canon.
The leaked data consists of a single file, according to the report: About 2.2 GB-worth of marketing data and videos, compiled into an archive called “STRATEGICPLANNINGpart62.zip.” The Maze gang claims it represents 5 percent of all of the data stolen from the camera giant. It appears to be a warning shot: No financial information, employee data or other sensitive data is included, according to the report.
A day after Canon was suspected of becoming the latest high-profile victim of a ransomware attack on August 5, an internal employee communique admitting just that was leaked to media.
According to reports at the time, the camera-maker [had circulated a note](<https://www.bleepingcomputer.com/news/security/canon-confirms-ransomware-attack-in-internal-memo/>) to employees confirming that ransomware is to blame for outages across its main U.S. website, email, collaboration platforms and various internal systems.
“Canon U.S.A, Inc. and its subsidiaries understand the importance of maintaining the operational integrity and security of our systems,” reads the note, a screenshot of which has been posted by the outlet. “Access to some Canon systems is currently unavailable as a result of a ransomware incident we recently discovered. This is unrelated to the recent issue which affected image.canon.”
When asked for confirmation, Canon, for its part, simply told Threatpost: “We are currently investigating the situation. Thank you.”
The Maze ransomware gang has taken credit for the outage, claiming to have lifted “10 terabytes of data, private databases etc.” in the process. This fits in with the known _modus operandi_ of the group, which usually threatens to leak or sell sensitive data if the target doesn’t pay the ransom.
“Maze is a particularly malicious strain of ransomware, the criminal actors claim to steal their target’s data each time, and threaten to release it publicly if they refuse to pay the ransom,” Tiago Henriques, Coalition’s GM of customer security, told Threatpost. “Its ransom demands are also particularly costly – the average Maze demand we’ve seen is approximately five-and-a-half times larger than the overall average.”
The Canon USA website was still not up at the time of this writing, with a previous “the site is undergoing temporary maintenance” splash page now replaced with a picture of a hot-air balloon and the text, “Our heads aren’t in the clouds. We’re just busy updating our site. Please check back soon! In the Meantime [sic], please visit us at: Canon Online Store or Canon Forum.”
As the page indicates, other Canon assets, including its global website, appear to be unaffected, potentially meaning that the consumer-electronics giant’s security included working failsafe measures to limit the damage.
If so, Canon can count itself a rarity, according to researchers: “In our ethical hacking engagements we are typically able to gain complete control of networks in one to three days and the presence of security products rarely…prevent us from exploiting computer systems,” Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said via email. “The Maze group has proven themselves as good as professional security testing organizations and the significant bounty they collect from extorting their victims means they are well funded to develop their own exploits and bypass methods. Given this, it’s not surprising that they have been able to compromise many large high-profile targets. The reality is that it is very difficult to protect yourself from a skilled adversary.”
The large-electronics-vendor-hit-by-ransomware situation is eerily similar to the [recent attack on Garmin](<https://threatpost.com/garmin-suffers-ransomware-attack/157698/>), which was the work of the WastedLocker ransomware and Evil Corp. In that case, the GPS specialist [reportedly paid](<https://threatpost.com/garmin-pays-evil-corp-ransomware-attack-reports/157971/>) a multimillion-dollar ransom to retrieve its files.
“Ransomware has been taking businesses hostage (literally), and the tools, tactics and procedures criminal actors are using have become even more advanced in recent months,” Henriques said. “In the first half of 2020 alone, we observed a 279-percent increase in the frequency of ransomware attacks amongst our policyholders.”
_This story was originally published on August 6, but was updated August 14 at 12:15 p.m. ET, with information about Canon U.S.A.’s data reportedly being leaked online._
_Source: Threatpost, “UPDATE: Canon Ransomware Attack Results in Leaked Data, Report,” by Tara Seals, published 2020-08-14. <https://threatpost.com/canon-ransomware-attack-employee-note/158157/>_