Japanese camera giant Canon recently suffered a Maze ransomware attack that resulted in hackers stealing 10TB of company data and disrupted multiple applications, Microsoft Teams, email, and other systems.
Canon USA recently announced that it temporarily suspended both the mobile application and web browser service of image.canon after discovering that a portion of users’ still image and video image data stored in the cloud photo platform was lost.
The loss of users’ still image and video image data stored in a 10GB long-term storage database was discovered on 30th July. Even though the image.canon service was resumed on 4th August, Canon said that users will not be able to download or transfer still image thumbnails in the 10GB long-term storage.
“After the investigation, we identified that some of the photo and video image files saved in the 10GB long-term storage prior to June 16, 2020 9:00am (JST) were lost. We confirmed that the still image thumbnails of the affected files were not affected, and there was no leak of image data. After having resolved the issue that resulted in the loss of the photo and video image files, we resumed the image.canon service as of August 4, 2020,” the company said.
According to Bleeping Computer, while dealing with the outage, Canon also suffered a major ransomware attack carried out by hackers behind the Maze ransomware who successfully exfiltrated up to 10 terabytes of data stored in Canon’s private databases.
However, when contacted by the news site, the Maze hackers said they did not cause the outage affecting image.canon, indicating that the five-day outage was not caused by the ransomware attack. As of now, there is no information on when the ransomware attack took place, the nature of data accessed by hackers, or the ransom amount demanded by the hackers.
Meanwhile, a message sent by Canon’s IT service centre to the company’s employees revealed that the company was experiencing “widespread system issues” affecting multiple applications, Teams, email, and other internal systems. The cause of the system issues was not revealed in the note.
Commenting on Maze ransomware operators claiming they successfully stole corporate data from Canon, Matt Walmsley, EMEA Director at Vectra, said Maze Group ransomware operators use “name and shame” tactics whereby victims’ data is exfiltrated prior to encryption and used to leverage ransomware payments. The bullying tactics used by such ransomware groups are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate. These attackers will attempt to exploit, coerce, and capitalise on organisations’ valuable digital assets.
“Ransomware attackers tend to seek privileged entities associated to accounts, hosts and services due to the unrestricted access they can provide and to ease replication and propagation. Attackers will manoeuvre themselves through a network and make that step from a regular user account, to a privileged account which can allow them to deploy their tools and access all the data they need in order to finalise their ransomware attack and coerce their victims.
“Therefore, security teams need to be agile as time is their most precious resource in dealing with ransomware attacks. Early detection and response is key to gaining back control and stopping the attackers in their tracks before they can propagate across the organisation, stealing and denying access to data,” he added.
According to Sanjay Jagad, Sr. Director of Products and Solutions at Cloudian, traditional approaches to combating ransomware, such as anti-phishing training, firewalls and password software, often fall short, and encryption doesn’t work against ransomware because the attacker can simply re-encrypt the data to prevent access to its rightful owner. The only way for organisations to really safeguard themselves is to protect data at the storage layer.
“They can do so by leveraging WORM (Write Once Read Many) storage. WORM is the easiest and most effective method of mitigating ransomware attacks. With WORM, data is made immutable: once written, it cannot be changed or deleted for a specific period. This prevents malware from being able to encrypt the data and lock the victim out.
“In the event of a ransomware attack, organisations can restore an uninfected copy of the data by a simple recovery process. In the past you needed specialized storage devices to leverage WORM. However, select object storage systems now offer a new feature called Object Lock to provide WORM functionality within your enterprise storage system. With Object Lock, data is protected at the device level, rather than being dependent on an external layer for defense,” he added.