More cyber-attacks on big enterprises were recently reported. Optical products giant Canon and currency exchange company Travelex have recently fallen victim to Maze and Sodinokibi, ransomware groups known for their double-extortion threats: encrypting a victim's data and threatening to leak it.
Travelex was among the first victims of these double-extortion ransomware attacks this year, and has been forced to rely on manual transactions since the start of 2020. In a statement on January 2nd, Travelex confirmed that a software virus had been discovered on New Year's Eve which had compromised some of its services.
According to Travelex, there was no indication that any personal or customer data had been compromised. In the same statement, the company said it had taken all of its systems offline to protect its data and prevent the virus from spreading.
“We have deployed teams of IT specialists and external cybersecurity experts who have been working continuously since New Year’s Eve to isolate the virus and restore affected systems”, the company added. At that time, Travelex was serving its more than 1,000 branches worldwide manually.
In a report by BleepingComputer, Sodinokibi claimed responsibility for the ransomware attack and threatened to release or sell 5GB of Travelex's sensitive data if the ransom was not paid. Travelex reportedly paid USD$2.3 million to get its systems back online so that it could continue operating its foreign-exchange kiosks in airports and tourist sites around the world. Travelex resumed operations on January 17th.
Sodinokibi's scheme follows the lead of the notorious Maze group, which has attacked several organisations in the past, such as Southwire and Allied Universal, using the same technique: encrypting the victim company's data and demanding payment to decrypt it, with the threat of publicly releasing sensitive data if the ransom is not paid.
Canon was the latest victim of Maze, notifying its employees of the ransomware attack on August 6th. In an internal notice acquired by BleepingComputer, Canon stated that “Canon U.S.A, Inc. and its subsidiaries understand the importance of maintaining the operational integrity and security of our systems. Access to some Canon systems is currently unavailable as a result of a ransomware incident we recently discovered”.
As a result, over 20 Canon domains were experiencing outages and were unavailable at the time of writing. BleepingComputer was also told by Maze that, as part of their attack on the company, they had stolen "10 terabytes of data, private databases etc".
Companies that fall victim to these attacks must either pay a large sum to recover and decrypt their data or risk having their sensitive data published, on top of the cost of notifying customers and the fees associated with data breaches, among other consequences.
John Shier, Senior Security Advisor at Sophos, stated that the ransomware attack on Canon is yet another example of the Maze gang's sustained and brazen targeting of enterprises. “Following other recent high profile attacks, this latest salvo should be a wake-up call to all the enterprises who haven't taken the time to assess their security posture and bolster their defences against these pernicious adversaries”, he added.
According to Shier, many of these attacks start by exploiting external services or with simple phishing campaigns. Successful intrusions are often followed by living-off-the-land techniques: abusing over-privileged and under-protected accounts and hiding in plain sight.
“Enterprises must take the time to ensure they've built a strong security foundation (e.g. the principle of least privilege, MFA (multi-factor authentication) everywhere, patching, user training, etc.), which includes investment in both prevention and detection technologies today if they don't want to be a victim tomorrow”, Shier advised enterprises seeking to avoid these ransomware attacks.