'Maze' ransomware attack hit Cognizant

Cognizant, one of the largest techs and consulting companies in the Fortune 500, has confirmed it was hit by a ransomware attack resulting in service disruptions for some of its clients. The information technology services provider said it was taking steps to contain the incident, with the help of cyber defense companies, and has also engaged with law enforcement authorities.

Among other services, Cognizant provides a wide range of outsourced IT services for the financial services sector — a sector that accounted for over $5.8 billion of its total revenues in 2019.

The attack comes in the midst of thousands of its employees in India and the Philippines working from homes during the lockdown caused by COVID-19.

“Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients is the result of a Maze ransomware attack,” the statement read. “Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident.”

The company also said that it has informed all its clients about the attack and “provided them with Indicators of Compromise (IOCs) and other technical information” that will help the companies to protect themselves.

They also engaged with the law enforcement authorities, according to the statement posted to its website on Saturday.

  • April 11th a threat actor offers to sell access to a huge IT company for $200,000.
  • April 17th, he closes the thread saying it is not relevant anymore.
  • April 18th, Cognizant suffers a Ransomware by Maze.
  • Is it possible Maze bought that access and Cognizant was the company? https://t.co/IZlB82Bfd7
  • Under the Breach (@underthebreach) April 18, 2020

The New Jersey-headquartered IT giant said it was engaging with law enforcement. The company, which offers a range of services including IT consultation to clients in more than 80 countries, posted $16.8 billion in revenue last year. The decades-old firm also maintains a business agreement with Facebook to help the social giant moderate content on its platform. Cognizant employs about 290,000 people, most of whom live in India.

When reached, Cognizant spokesperson Richard Lacroix declined to comment beyond the statement.

MAZE RANSOMWARE OVERVIEW

Maze is a complex piece of malware that uses some tricks to frustrate analysis right from the beginning. The malware starts preparing some functions that appear to save memory addresses in global variables to use later in dynamic calls though it does not actually use these functions later. Whether it is residual code existing in the entry point of the malware or a trick to mislead researchers is up for debate. The Maze ransomware was discovered in 2019 and has since gained notoriety.

Maze is not like typical data-encrypting ransomware. Maze not only spreads across a network, infecting and encrypting every computer in its path, it also exfiltrates the data to the attackers’ servers where it is held for ransom. If a ransom isn’t paid, the attackers publish the files online. The malware is hard programmed with some tricks to prevent reversing of it and to make static analysis more difficult. However, a website known to be associated with the Maze attackers has not yet advertised or published data associated with Cognizant.

Once the encryption completed each file gets appended with different extension along with the original extension.

The FBI privately warned businesses in December of an increase in Maze-related ransomware incidents. Since the warning, several major companies have been hit by Maze, including cyber insurer Chubb, accounting giant MNP, a law firm and an oil company.

According to Bleeping Computer, which first reported the attack, the Maze hackers denied responsibility for the attack. However, the report added that Maze is likely not discussing it to avoid complications at this early stage.

Insurer Chubb Ltd in March was hit by a computer security incident that may have involved unauthorized access to data held by an outside service provider. A group that deploys the Maze ransomware claimed to have locked up devices on Chubb’s network during March, according to Bleeping Computer.

Protecting Data and Networks

Steps to be followed for protecting your data and networks are:

  • Back up your computer and other important files, and verify your backups regularly. If your computer becomes infected with ransomware, you can restore your system to its previous state using your backups.
  • Restrict users’ permissions to install and run software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users
  • Store your backups separately, best practice is to store your backups on a separate device that cannot be accessed from a network, such as on an external hard drive.
  • Configure firewalls to block access to known malicious IP addresses.
  • Train your organization & provide cybersecurity awareness to their personnel. Ideally, organizations will have regular, mandatory cybersecurity awareness training sessions to ensure their personnel are informed about current cybersecurity threats and threat actor techniques.

Preventing against the threat of ransomware infections

It is recommended to follow the following steps for prevention from ransomware infection:

  • Update and patch your computer
  • Use caution with links and when entering website addresses
  • Open email attachments with caution
  • Keep your personal information safe separately
  • Encrypting Important Data will help in data loss prevention
  • Verify email senders
  • Use and maintain preventative software programs
  • Using Strong Network security configurations

 

Techniques for responding to ransomware infection

It is recommended to follow the following steps for ransomware infection:

  • Isolate the infected system
  • Turn off other computers and devices in the network
  • Contact your vendor security team for better results and finding its source.
  • Need to pay close attention to the ransom message itself, or perhaps ask the advice of a security/IT specialist before using decryption with free tools
  • Use your backups to get recovery
  • Include downloading a security product known for remediation and running a scan to remove the threat, try running a scan from a bootable CD or USB drive
    • If system slowing down for seemingly no reason, shut it down and disconnect it from the Internet.
    • If, once you boot up again the malware is still active, it will not be able to send or receive instructions from the command and control server.
    • Without a key or way to extract payment, the malware may stay idle.
    • At that point, download and install a security product and run a full scan.