Maze ransomware operators attacked Xerox Corporation and stole files before encrypting them



It’s been a year since the Maze ransomware gang began its rise to notoriety. Previously identified as “ChaCha ransomware” (a name taken from the stream cipher used by the malware to encrypt files), the Maze “brand” was first affixed to the ransomware in May 2019. Initial samples of Maze were tied to fake websites loaded with exploit kits.

Since then, Maze has been delivered by multiple means: exploit kits, spam emails, and, as the group’s operations have become more targeted, Remote Desktop Protocol attacks and other network exploitation. We reported last week that the Maze ransomware operators claim they have infected LG Electronics and encrypted its systems. An American hardware company, MaxLinear, was also affected by the operators. Now Xerox Corporation has become a victim of the Maze ransomware operators: the hackers have encrypted its files and are threatening to release them.

Xerox Corporation is an American corporation that sells print and digital document products and services in more than 160 countries, though its largest population of employees is based around Rochester, New York, the area in which the company was founded. The company purchased Affiliated Computer Services for $6.4 billion in early 2010. As a large developed company, it is consistently placed in the list of Fortune 500 companies.

The company has not yet released a statement about being infected by the attack, but some screenshots published by the Maze operators show that one of Xerox Corporation’s domains has been affected and encrypted. One screenshot shows that hosts on “,” managed by Xerox Corporation, were hacked.

The Cyble Research Team has identified and analyzed the proof. It consists of multiple screenshots showing the compromised server(s), with files and data encrypted by the ransomware. One of the snapshots contains a warning message telling Xerox to contact the operators within 3 days; otherwise, information about the breach would be posted on the Maze public news website (that deadline has since been crossed and the breach information posted).

The operators have demanded an undisclosed ransom to prevent the data from being leaked. The hackers have also said that if the company pays the ransom, they will delete all the stolen data from their disks and also decrypt the data.

The Maze ransomware operators have been quite active in this period: they have hacked multiple companies and asked for a ransom based on the amount of data they have stolen. If you own social and personal IDs linked with online services, it is recommended that you enable 2-factor authentication if available. For more news on tech and cybersecurity, stay tuned at Android Rookies by subscribing to our newsletter.

