UPDATE: Canon Ransomware Attack Results in Leaked Data, Report

canon ransomware attack

The consumer-electronics giant had suffered partial outages across its U.S. website and internal systems reportedly, thanks to the Maze gang.


The Maze ransomware gang has reportedly leaked Canon U.S.A. data online.

Researchers said in April that the Maze gang had created a dedicated web page, which lists the identities of its non-cooperative victims who don’t pay ransoms and regularly publishes samples of the stolen data. This so far includes details of dozens of companies, including law firms, medical service providers and insurance companies, that have not given in to their demands. And now, according to a report in Bleeping Computer, that list includes Canon.

The leaked data consists of a single file, according to the report: About 2.2 GB-worth of marketing data and videos, compiled into an archive called “STRATEGICPLANNINGpart62.zip.” The Maze gang claims it represents 5 percent of all of the data stolen from the camera giant. It appears to be a warning shot: No financial information, employee data or other sensitive data is included, according to the report.

A day after Canon was suspected of becoming the latest high-profile victim of a ransomware attack on August 5, an internal employee communique admitting just that was leaked to media.

According to reports at the time, the camera-maker had circulated a note to employees confirming that ransomware is to blame for outages across its main U.S. website, email, collaboration platforms and various internal systems.

“Canon U.S.A, Inc. and its subsidiaries understand the importance of maintaining the operational integrity and security of our systems,” reads the note, a screenshot of which has been posted by the outlet. “Access to some Canon systems is currently unavailable as a result of a ransomware incident we recently discovered. This is unrelated to the recent issue which affected image.canon.”

When asked for confirmation, Canon, for its part, simply told Threatpost: “We are currently investigating the situation. Thank you.”

The Maze ransomware gang has taken credit for the outage, claiming to have lifted “10 terabytes of data, private databases etc.” in the process. This fits in with the known modus operandi of the group, which usually threatens to leak or sell sensitive data if the target doesn’t pay the ransom.

“Maze is a particularly malicious strain of ransomware, the criminal actors claim to steal their target’s data each time, and threaten to release it publicly if they refuse to pay the ransom,” Tiago Henriques, Coalition’s GM of customer security, told Threatpost. “Its ransom demands are also particularly costly – the average Maze demand we’ve seen is approximately five-and-a-half times larger than the overall average.”

The Canon USA website was still not up at the time of this writing, with a previous “the site is undergoing temporary maintenance” splash page now replaced with a picture of a hot-air balloon and the text, “Our heads aren’t in the clouds. We’re just busy updating our site. Please check back soon! In the Meantime [sic], please visit us at: Canon Online Store or Canon Forum.”

As the page indicates, other Canon assets, including its global website, appear to be unaffected, potentially meaning that the consumer-electronics giant’s security included working failsafe measures to limit the damage.

If so, Canon can count itself a rarity, according to researchers: “In our ethical hacking engagements we are typically able to gain complete control of networks in one to three days and the presence of security products rarely…prevent us from exploiting computer systems,” Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said via email. “The Maze group has proven themselves as good as professional security testing organizations and the significant bounty the collect from extorting their victims means they are well funded to develop their own exploits and bypass methods. Given this, it’s not surprising that they have been able to compromise many large high-profile targets. The reality is that it is very difficult to protect yourself from a skilled adversary.”

The large-electronics-vendor-hit-by-ransomware situation is eerily similar to the recent attack on Garmin, which was the work of the WastedLocker ransomware and Evil Corp. In that case, the GPS specialist reportedly paid a multimillion-dollar ransom to retrieve its files.

“Ransomware has been taking businesses hostage (literally), and the tools, tactics and procedures criminal actors are using have become even more advanced in recent months,” Henriques said. “In the first half of 2020 alone, we observed a 279-percent increase in the frequency of ransomware attacks amongst our policyholders.”

This story was originally published on August 6, but was updated August 14 at 12:15 p.m. ET, with information about Canon U.S.A.’s data reportedly being leaked online.

It’s the age of remote working, and businesses are facing new and bigger cyber-risks – whether it’s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary Threatpost eBook, 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine “secure” in a work-from-home world and offer compelling real-world best practices. Click here to download our eBook now.


Suggested articles