Pitney Bowes managed to stop file encryption, but some data was stolen by Maze actors
Pitney Bowes, a firm that specializes in package delivery and other post services, was hit by Maze ransomware. Since the company’s IT team managed to react to the attack on time, the file encryption process was prevented, although some sensitive company information was still stolen by the attackers.
Pitney Bowes is one of the largest mailing technology companies in the world, specializing in postage meters as well as e-commerce and other services. Established in 1920, it employs over 11,000 people, has around 1 million customers around the world, and partners with industry giants such as the United States Postal Service.
However, this is not the first ransomware encounter for Pitney Bowes: it suffered a Ryuk ransomware attack in October 2019, which caused downtime of the package tracking service. That malware attack impacted customer and employee information.[1] The Maze attack is the company's second encounter with a major ransomware strain in less than seven months.
Email addresses and other data of major company executives and employees stolen
While the company has not published any news about the Maze ransomware attack on its official website, the threat actors behind the strain released a blog post on May 11 about their new target. According to ZDNet,[2] the attackers provided a set of 11 screenshots that contain various data from the company. All the data was posted in the “New Clients” section, meaning that the data is ready to be published.
The screenshots showed various folders from Pitney Bowes, and the leaked details they contained are highly sensitive, including personal emails of company figures such as Cliff Rucker (Senior Vice President), Bill Borrelle (Senior Vice President), and others. Some of the folders were named as follows:
- Ecommerce
- Employee Files
- Interns
- Forecasts
- Final Reporting
- eBay and PayPal, etc.
The data inside these folders also includes company certificates, lists of employee contact details, company reports, customer operations, meeting information, and much more. According to the screenshots, the last modification to the folders was made on April 30, which means that the attackers still had access to the servers at that time.
Despite this publication, a Pitney Bowes spokesperson said that the stolen data is “limited”:[3]
Recently, we detected a security incident related to Maze ransomware. We are investigating the scope of the attack, specifically the type of data that had been accessed, which appears to be limited.
Working with our third-party security consultants, we immediately took critical steps to thwart the attack before data could be encrypted. At this point, there is no evidence of further unauthorized access to our IT systems. The investigation remains ongoing.
Maze ransomware gang is actively infecting high-profile targets
The Maze ransomware gang is one of the major players in the cybercrime business and has been attacking high-profile organizations, and even hospitals, during the COVID-19 pandemic.[4] The malware was first deployed in May 2019 and mainly used phishing emails and the Fallout exploit kit to reach victims. Previous targets of the threat actors include Cognizant,[5] the city of Pensacola, Andrew Agencies, Southwire, and many more.
The Maze ransomware developers were the first to steal data before encrypting it (this is also why the malware could be stopped before it encrypted any files: the threat actors spent some time on the network copying data first). If the company does not agree to pay the ransom, the attackers publish the sensitive information on a specially crafted website, which can greatly compromise its operations and disclose strategies and secrets.
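The dwell time described above, during which attackers copy data out of the network before encrypting anything, is also the window defenders have to catch the intrusion. The following Python script is an added illustration and not code from the article or from Pitney Bowes: it takes constructed daily outbound flow summaries (hypothetical host names and RFC 5737 example addresses) and flags hosts whose outbound volume jumps well above their own recent baseline, also noting destinations the host has never contacted before.

```python
"""
Added example: spot bulk outbound transfers that precede double-extortion
ransomware. All flow records below are constructed; host names and IP
addresses are hypothetical.
"""
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (ISO date, internal host, external destination, bytes out).
# ISO dates compare correctly as plain strings, which the code below relies on.
SAMPLE_FLOWS = [
    # fileserver01: a few MB a day, then a 40 GB push to an address never seen before
    ("2020-04-26", "fileserver01", "203.0.113.10", 3_000_000),
    ("2020-04-27", "fileserver01", "203.0.113.10", 4_000_000),
    ("2020-04-28", "fileserver01", "203.0.113.10", 2_500_000),
    ("2020-04-29", "fileserver01", "203.0.113.10", 3_500_000),
    ("2020-04-30", "fileserver01", "198.51.100.77", 40_000_000_000),
    # backup01: legitimately sends ~50 GB nightly to the same backup provider
    ("2020-04-26", "backup01", "203.0.113.50", 50_000_000_000),
    ("2020-04-27", "backup01", "203.0.113.50", 51_000_000_000),
    ("2020-04-28", "backup01", "203.0.113.50", 49_000_000_000),
    ("2020-04-29", "backup01", "203.0.113.50", 50_000_000_000),
    ("2020-04-30", "backup01", "203.0.113.50", 52_000_000_000),
    # workstation17: ordinary traffic with a slight uptick on the last day
    ("2020-04-26", "workstation17", "203.0.113.20", 800_000_000),
    ("2020-04-27", "workstation17", "203.0.113.20", 750_000_000),
    ("2020-04-28", "workstation17", "203.0.113.20", 820_000_000),
    ("2020-04-29", "workstation17", "203.0.113.20", 790_000_000),
    ("2020-04-30", "workstation17", "203.0.113.20", 900_000_000),
]


def daily_outbound(flows):
    """Aggregate bytes out per host per day and remember which destinations each host used."""
    volume = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for date, host, dst, nbytes in flows:
        volume[host][date] += nbytes
        dests[host][date].add(dst)
    return volume, dests


def flag_exfil(flows, target_date, ratio=10.0, min_bytes=1_000_000_000):
    """Flag hosts whose outbound volume on target_date is at least `ratio` times their
    own median over prior days and above an absolute floor, so noisy-but-normal
    systems such as backup servers are not reported on every run."""
    volume, dests = daily_outbound(flows)
    findings = []
    for host, per_day in volume.items():
        if target_date not in per_day:
            continue
        today = per_day[target_date]
        prior = [b for d, b in per_day.items() if d < target_date]
        if not prior:
            continue  # no baseline yet; brand-new hosts need a separate rule
        baseline = median(prior)
        if today < min_bytes or today < ratio * baseline:
            continue
        known = set().union(*(dests[host][d] for d in dests[host] if d < target_date))
        findings.append({
            "host": host,
            "bytes_out": today,
            "baseline_bytes": baseline,
            "ratio": round(today / baseline, 1),
            "new_destinations": sorted(dests[host][target_date] - known),
        })
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for f in flag_exfil(SAMPLE_FLOWS, "2020-04-30"):
        print(f"{f['host']}: {f['bytes_out']:,} bytes out, {f['ratio']}x baseline, "
              f"new destinations: {f['new_destinations']}")
```

Comparing each host against its own history rather than a fixed threshold is what keeps the nightly backup server quiet while the file server's jump stands out; in practice the same aggregation would be fed from firewall, proxy or NetFlow exports rather than an inline list.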
In this regard, Maze ransomware differs from Ryuk, which attacked the company seven months ago, because Ryuk does not leak data online. In a sense, this makes Maze much more dangerous, as are the eight other ransomware strains that have set up their own data leak sites.