Canon has been hit by a ransomware attack perpetrated by Maze Group, an organisation known for its unorthodox “name and shame” tactics.
Maze is believed to have stolen at least 10TB of data from the camera maker, and has encrypted access to key systems. More than 20 websites operated by Canon have been impacted, and currently show a “down for maintenance” message.
Somewhat unusually for a ransomware attack, Maze Group is threatening to publish the stolen data if Canon does not pay the currently undisclosed ransom fee – a tactic dubbed “name and shame”.
While uncommon for ransomware generally, this is a standard approach for Maze, which has previously undertaken attacks against organisations including Cognizant, Chubb, Xerox and LG. It was also behind an attack on the government of the city of Pensacola, Florida, and began releasing files after the city refused to pay a $1m ransom.
Canon attack highlights concerning evolution of ransomware
The name and shame method used by Maze is particularly concerning because it challenges the general advice from cybersecurity experts not to pay in ransomware incidents.
“What makes the Maze cybercriminal group so threatening is that it takes exploitation a step further, not only encrypting the victim’s data, but also stealing it and threatening to release it to the public,” explained Stephen Manley, chief technologist at Druva.
“This adds another layer of complexity to the conversation around whether to pay or not pay the ransom.”
In general, those targeted by ransomware who do pay risk being re-targeted, as they come to be seen as easy prey. However, the risk of data being exposed in the case of non-payment makes this decision harder – while also increasing costs for victims of ransomware.
“The bullying tactics used by such ransomware groups are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate,” said Matt Walmsley, EMEA director at Vectra.
“These attackers will attempt to exploit, coerce, and capitalise on organisations’ valuable digital assets.”
And with growing numbers targeted by Maze, it is thought that more will be hit in the future.
“Canon, LG and Xerox were all recent victims of a Maze ransomware attack, and we’ll continue to see more and more organisations fall prey to such breaches,” said Sanjay Jagad, senior director of products and solutions at Cloudian.
Protecting against Maze-type ransomware attacks
For organisations that fear they are at risk of being targeted by a ransomware attack similar to the one conducted against Canon, having a skilled and well-resourced security team is vital.
“Ransomware attackers tend to seek privileged entities associated to accounts, hosts and services due to the unrestricted access they can provide and to ease replication and propagation. Attackers will manoeuvre themselves through a network and make that step from a regular user account, to a privileged account which can allow them to deploy their tools and access all the data they need in order to finalise their ransomware attack and coerce their victims,” explained Walmsley.
“Therefore, security teams need to be agile as time is their most precious resource in dealing with ransomware attacks. Early detection and response is key to gaining back control and stopping the attackers in their tracks before they can propagate across the organisation, stealing and denying access to data.”
For senior decision makers, it is also important to remember that encryption, while valuable for many forms of cybersecurity, is not a silver bullet for ransomware.
“Encryption doesn’t work against ransomware because the attacker can simply re-encrypt the data to prevent access to its rightful owner,” said Jagad.
“Other traditional approaches to combating ransomware, such as anti-phishing training, firewalls and password software, often fall short. The only way for organisations to really safeguard themselves is to protect data at the storage layer.”
It is also vital to recognise the importance of effective cloud security.
“Organisations that embrace the agility and flexibility of cloud data protection are best positioned to respond and ensure their data remains safe and accessible from cyberattackers,” said Manley.
“It’s the most effective way to detect malware/ransomware intrusions and protect the entire environment, including endpoints, SaaS applications, the cloud and data centers, and can automatically restore systems that can neutralise the ransomware. Deploying a robust cloud-based ransomware protection and recovery solution will be the best medicine for staying ahead of malicious threats in the future.”