New Jersey-headquartered Cognizant Technology Solutions Corporation is one of the world’s largest providers of IT services. But on April 18, it became the victim of a Maze ransomware attack that has caused disruptions to its clients. The incident comes at a time when businesses have already been disrupted by the coronavirus pandemic, which has forced companies to turn to initiatives like work from home to ensure business continuity.
Cognizant released a statement on Saturday on its official website which stated, “Cognizant can confirm that a security incident involving our internal systems and causing service disruptions for some of our clients, is the result of a Maze ransomware attack.”
Cognizant has around 300,000 employees and over $16.8 billion in revenues. It handles the IT services for many of the top Fortune 500 companies. Cognizant has the majority of its employees in India and the Philippines working from home during the lockdown caused by Covid-19.
Among other services, Cognizant provides a wide range of outsourced IT services for the financial services sector. The financial sector accounted for over $5.8 billion of its total revenues in 2019. The company, which has 3 lakh employees working worldwide, said it was hit by the Maze ransomware group and is engaging law enforcement authorities to take legal action against the group.
In January 2020, the Federal Bureau of Investigation (FBI) issued an alert to all U.S. companies warning about the Maze group’s practice of threatening to release company information if the ransom it demands is not paid.
Even after being attacked, Cognizant has not yet been named on a website that is associated with the Maze attackers. The website has named other companies in the past for failing to meet Maze’s ransom demands. Brett Callow, security analyst, said that the group could simply be A/B testing alternative negotiating strategies to see whether permitting companies to control the release of information results in better outcomes or not.
What is the Maze Ransomware?
The infamous Maze ransomware was discovered in 2019 and has gained notoriety since then. The anonymous hackers behind Maze have made headlines in recent months for publicly holding their victims hostage. The group is known for threatening to leak a company’s valuable information if the target doesn’t pay the ransom it demands.
The cyber criminals behind the Maze ransomware use a range of different techniques to gain entry to the companies they are targeting. These include exploit kits, remote desktop connections with weak passwords and sophisticated fraudulent campaigns. The ransomware itself is sophisticated, so its code avoids detection by security programmes.
According to a March 2020 McAfee analysis, the Maze malware is a 32-bit binary file, usually packed as an EXE or a DLL file. The analysis also indicates that the Maze ransomware can terminate debugging tools used to analyse its behaviour, including the IDA debugger, x32dbg, OllyDbg and other processes. So it is almost impossible for ordinary firewall software to detect the threat.
What does Maze Group do?
Typically, the goal of any ransomware attack is to infect computers in a private network, encrypt the files on these computers and then demand a ransom to recover the files. According to experts, Maze is different. The attacker in this case has the ability to format or transfer the data onto his or her server. The data is then held on this server until a ransom is paid to recover it. If the victim does not pay the expected ransom, the attackers then publish the data publicly online.
According to Beenu Arora, CEO and co-founder of US-based cyber security company Cyble, Maze ransomware operators are known to conduct their attacks below the surface. They are known for stealing the company’s data first and then locking their target’s systems. They fully understand their victim's reputational risks, and hence their approach is basically "steal, lock and inform."
According to a report, the attackers even justified their actions in a statement saying:
“We want to show that the system is unreliable. The cybersecurity is weak. The people who should care about the security of the information are unreliable. We want to show that nobody cares about the users. Now it’s our turn. We will change the situation by making irresponsible companies pay for every data leak.”
Arora further added that the notorious ransomware group understands the brand value of the organization it plans to attack. It has turned into a well-funded network in recent months. The reasons behind this are successful ransomware attacks, driven by growth in the group, and organizations increasingly paying ransomware extortion demands because they are left with no other options. Also, certain cyber insurance companies are negotiating with the ransomware operators to make payments.
The alleged targets of Maze have included the city of Pensacola in Florida, cybersecurity insurance provider Chubb Ltd. and Canadian construction company Bird Construction Inc., according to various media reports. The Maze group has claimed to post files from all three on its website. Now, the same might be done in the case of Cognizant.
According to Brett Callow, a threat analyst at Emsisoft, even though hackers linked to Maze have denied their involvement in the attack on Cognizant, it does not mean that Maze isn’t responsible for the attack. For the moment though, no Cognizant data has been advertised for sale or published online.
What steps are being taken by Cognizant?
Cognizant has about 200,000 employees based in India. This means it must take the necessary steps to contain the ransomware so as not to cause any further disruptions, as its clients are spread across the world.
In response, Cognizant has said that it is looking into the incident and that the company is also communicating with clients on the measures they should take to deal with the disruptions. Cognizant said that its internal security teams, along with leading cyber defense firms, are actively taking steps to contain this incident.
Cognizant has also engaged with the appropriate law enforcement authorities to take the required legal action. Cognizant is in ongoing communication with its clients and has provided them with Indicators of Compromise (IOCs), which identify potentially malicious activity on a system, and other technical information of a defensive nature.