Cybercrime , Fraud Management & Cybercrime , Ransomware

Pitney Bowes Battles Second Ransomware Attack

Mailing Equipment Manufacturer Suffered Another Attack Last October
Pitney Bowes Battles Second Ransomware Attack
Photo: Straticom Planning via Flickr/CC

After suffering a ransomware attack last October that left several systems inaccessible, mailing equipment manufacturer Pitney Bowes reports that it recently blocked another ransomware attack before any data was encrypted and says there's "no evidence of further unauthorized access to our IT systems."

See Also: Targeted vs. Automated Account Takeover Attacks

In the latest incident, the manufacturer says it was targeted by the operators behind the Maze ransomware variant. The company did say when the incident happened or if it has been contacted by cybercriminals concerning a ransom payment.

"Recently, we detected a security incident related to Maze ransomware. We are investigating the scope of the attack, specifically the type of data that had been accessed, which appears to be limited," a Pitney Bowes spokesperson tells Information Security Media Group on Monday. "Working with our third-party security consultants, we immediately took critical steps to thwart the attack before data could be encrypted. At this point, there is no evidence of further unauthorized access to our IT systems."

The incident is still under investigation by Pitney Bowes and law enforcement, a company spokesperson says.

Previous Attack

Stamford, Connecticut-based Pitney Bowes offers a number of mailing and postage services as well as postal meters and shipping software. The company posted $3.2 billion in annual revenue last year, when it employed 11,000, according to financial documents.

In October, the company announced that a ransomware attack disrupted customers' ability to access its postage supply web store as well as to automatically upload envelope-printing transactions (see: Pitney Bowes Says Ransomware Behind System Outages.)

At the time, Pitney Bowes noted that there was no evidence that customer or employee data had been improperly accessed.

Pitney Bowes did not say what strain of ransomware infected its network in October, although some news reports suggested it was Ryuk.

Maze Methods

The Maze gang posted work and personal email addresses for three Pitney Bowes executives on it darknet site, showing that perhaps it was able to access at least some parts of the company's network, according to a screenshot obtained by security firm Emsisoft and shared with ISMG.

ZDNet reported that Maze also posted screenshots of directory listings taken from Pitney Bowes' corporate network.

Maze followed a similar strategy of posting executives' email addresses when the gang targeted insurance giant Chubb in late March. The posting of these tidbits of data apparently is one way the operators of Maze attempt to put pressure on a targeted company to pay the ransom (see: Insurer Chubb Investigating 'Security Incident').

In late 2019, Maze became one of the first ransomware gangs to begin leaking victims' data after organizations refused to pay a ransom or if the two sides could not agree on a price. Other cybercriminal groups, including DoppelPaymer, Nemty, Snatch and the operators of Sodinokibito, are following similar methods to force targets to pay up.

Did Maze Use a Backdoor?

Brett Callow, a threat analyst with Emsisoft, says that because Pitney Bowes was previously hit with ransomware, the original attackers may have left a backdoor in the network that Maze either found or gained access to with the help of a another cybercriminal gang.

"Ransomware groups frequently leave behind backdoors to maintain post-attack access to the networks they have compromised, and this is one of the reasons we recommend that companies completely rebuild their networks rather than simply decrypting their data," Callow tells ISMG. "The backdoors are typically 'owned' by affiliates, and those affiliates may change allegiance or sell or trade them with other groups."

Maze Activity This Year

On Friday, Palo Alto Networks' Unit 42 published an analysis noting that security incidents involving Maze have increased since January.

The Unit 42 analysis finds that the Maze gang is are increasingly taking advantage of vulnerabilities in remote desktop protocol connections to create a foothold in the network and then move laterally through the infrastructure.

In April, Kaspersky published a report that found the number of brute-force attacks targeting RDP connections had spiked since the Covid-19 pandemic forced employees all over the world to work at home.


About the Author

Scott Ferguson

Scott Ferguson

Managing Editor, News Desk

Ferguson is the managing editor for the news desk at Information Security Media Group. He's been covering the IT industry for more than 13 years. Before joining ISMG, Ferguson was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ransomware.databreachtoday.com, you agree to our use of cookies.