Xerox Files Allegedly Stolen By Maze Ransomware Group: Reports

Maze ransomware operators claim to have stolen more than 100 GB of files from Xerox and will make them public if the printing giant doesn’t engage in negotiations for a ransom payment, BleepingComputer reports.

Maze ransomware operators claim they’ve breached Xerox’s systems and are threatening to leak massive amounts of data unless they get paid, according to media reports.

The threat group posted several screenshots to its website that show computers on at least one Xerox domain have been encrypted, according to BleepingComputer. Maze ransomware operators claim to have stolen more than 100 GB of files from Xerox and will make them public if the Norwalk, Conn.-based printing giant doesn’t engage in negotiations for a ransom payment, BleepingComputer reported.

Xerox declined to comment. The company’s stock is down $0.42 (2.7 percent) to $15.15 per share since the BleepingComputer story was published midday Tuesday.

[Related: The 11 Biggest Ransomware Attacks Of 2020 (So Far)]

Maze operators published a series of 10 screenshots, according to BleepingComputer, showing directory listings from June 24 and June 25, network shares, and the ransom note that was dropped after the encryption was completed. One screenshot shows that hosts on “ex.xerox.net,” which is managed by Xerox, was hacked, BleepingComputer reported.

“After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore your files,” a ransom note sent to Xerox by the Maze operators read, according to BleepingComputer.

The hackers appear to have stolen financial documents and databases possibly storing user information, according to SecurityWeek. The dates shown in the screenshots suggest that the ransomware started encrypting files on Xerox computers on June 24, SecurityWeek reported.

The Maze ransomware operators threatened to publish information from the breach if Xerox didn’t contact them within three days, BleepingComputer reported. While the domain reveals that Maze ransomware breached a Xerox branch in Europe, BleepingComputer said the names of the hosts hint that it’s the one in London.

The post on Maze’s leak site for Xerox lacks any details about the attack except for proof of the breach and of encrypting the company’s systems, according to BleepingComputer. Maze ransomware operators thus far haven’t made false claims about which companies they’ve breached, although the impact of their attack may sometimes be exaggerated, according to SecurityWeek.

Maze ransomware has ravaged the IT industry this year, with Cognizant publicly saying on April 18 that its network was infected. The ransomware ended up encrypting servers and slowed the ability of the Teaneck, N.J.-based company, No. 6 on the 2020 CRN Solution Provider 500, to enable more work from home by taking out tools that Cognizant used to automate and provision laptops.

CRN first reported that some Cognizant employees lost email access as a result of the Maze ransomware, forcing them to communicate with co-workers and customers through other means. The revenue and corresponding margin impact of the Maze ransomware attack are expected to be in the range of $50 million to $70 million in the second quarter of 2020, Cognizant said May 7.

Then in early June, Maze hackers appeared to have published two ZIP files that contain documents related to the work of Basking Ridge, N.J.-based Conduent, No. 20 on the 2020 CRN Solution Provider 500, in Germany. Conduent said the attack happened on May 29 and lasted about nine hours before its systems were back online. Conduent was spun out from Xerox as an independent company in 2017.

Despite only being around for a year, Maze has wreaked havoc on businesses and municipalities throughout the world and has been the subject of lawsuits, email impersonation attempts and trolling efforts.