03 Jan 2024

Xerox Confirms Data Breach Reports


Just as 2023 was coming to a close, word that Xerox was the latest victim of a ransomware attack started to spread among security professionals. Now, the company has posted notice that the rumors were true. They’re currently investigating.


Source: The Register, SecurityWeek, Xerox Newsroom, Cybereason, Huntress, Security Boulevard

Xerox has confirmed a data breach at its U.S. subsidiary, Xerox Business Solutions (XBS), after the ransomware group INC Ransom claimed responsibility for the attack on December 30, 2023. The breach, detected and contained by Xerox’s security team, was limited to XBS in the U.S., with no impact on Xerox’s corporate systems or operations. The group listed Xerox on its leak site, posting screenshots of documents allegedly stolen from the company as proof of intrusion.

The nature of the attack remains uncertain: it could have involved ransomware deployment or extortion-only tactics. INC Ransom, a relatively new player in the ransomware space, is known for its indiscriminate targeting of victims. The removal of leaked documents from INC Ransom’s blog suggests possible ongoing negotiations between Xerox and the attackers.

INC Ransom has been active since at least August 2023 and has claimed to have attacked over 30 organizations. Notable among these attacks is the ransomware breach of Yamaha Motor Philippines Inc. in November 2023. The primary targets of INC Ransom appear to be manufacturers based in the United States, the Netherlands, and Australia, focusing on medium to large enterprises with an IT-OT ecosystem. Additionally, the group has targeted a variety of victims, including private sector businesses, a government organization, and a charity association.

Personal information in the XBS environment may have been compromised, and Xerox is conducting a thorough investigation with third-party experts. Although Xerox has not provided specific details about the affected individuals, they have pledged to notify all impacted parties as required by their standard operating procedures.

Observations:
If Xerox is negotiating, the payout could be substantial. We won’t know the full scope of this incident for some time, so it will be worth watching SEC filings and the various state portals for breach notification letters.

It’s possible those regulatory factors will provide additional context. As for the INC Ransomware group itself, they are opportunists, clearly. They represent the sort of threat organizations the world over face on a regular basis. It’s unfortunate that Xerox was the one caught in their crosshairs this time, but they’re not the first and they won’t be the last.


-30-
