Cyber Incident Victim: Xerox Corporation
Date: Jun 2020
Location: United Kingdom
Summary
Xerox Corporation suffered a ransomware attack by the Maze group, compromising systems on its European domain and potentially other networks. The attackers encrypted files, stole over 100GB of data, and threatened public release unless a ransom was paid, providing screenshots of directory listings, network shares, and a ransom note as evidence. The breach impacted a major global enterprise with significant revenue and operations across numerous countries, though the company did not publicly confirm the incident. Maze ransomware operators typically exploit exposed remote services or vulnerabilities to gain administrative access, exfiltrate data, and deploy encryption, reflecting their pattern of targeting large organizations to extort payments.
Description
On June 24, 2020, the Maze ransomware group listed Xerox Corporation on its data leak site, indicating a breach of the company's network. Attackers claimed to have exfiltrated over 100GB of sensitive files and completed their encryption routine by June 25, as evidenced by directory listing timestamps in published screenshots. The ransomware operators provided ten screenshots as proof of compromise, including images of encrypted systems on the eu.xerox.net domain, network share directories, and the desktop ransom note displayed on a Xerox-branded workstation. One screenshot specifically showed hosts associated with Xerox's European operations, with naming conventions suggesting the London office was affected. The ransom note demanded payment within three days to prevent public release of stolen data, threatening to publish the information if negotiations failed. Maze representatives confirmed to BleepingComputer that they had prematurely listed Xerox as a victim but maintained they possessed valid network access. Xerox Corporation, a Fortune 500 company with $9 billion annual revenue and operations in 160 countries, did not publicly confirm or deny the incident despite media inquiries.

The attackers employed Maze ransomware's characteristic double-extortion tactic, combining file encryption with the threat of publishing stolen data to pressure the victim into paying. Screenshots showed that the ransomware had encrypted systems across Xerox's European domain, though any impact on other regional networks remained unverified. Maze's historical attack patterns suggested that initial access may have involved compromised remote desktop services or exploitation of vulnerabilities in public-facing systems, followed by lateral movement using domain administrator credentials. The incident occurred amid a surge of Maze attacks on major corporations earlier in 2020, including LG Electronics, Cognizant, and Conduent. The group's leak site displayed Xerox's name on June 24 before the listing was removed, though the evidence remained archived. No stolen data was published during the reported timeframe, leaving the outcome of any negotiations and the status of the data unconfirmed by either party. Xerox's global operations and financial scale amplified the business continuity risk posed by encryption of systems supporting critical operations.
