Cognizant Falls Victim to the Maze Ransomware

Cognizant Hit by Maze Ransomware

Destructive ransomware attacks against large organizations are always big news, and unfortunately, they are becoming more and more common. On Saturday, for example, IT giant Cognizant admitted that it had fallen victim to the Maze ransomware.

The word "giant" was not used lightly. Cognizant is a major IT service provider with a shade over 290 thousand employees. It offers a wide range of services to a myriad of companies working in different sectors. The ransomware attack on Cognizant could have major consequences for a large number of people and organizations. Naturally, some questions start popping up.

What happened exactly?

Unfortunately, the details are scarce. Apart from a short statement from April 18 (which was later published as an SEC filing), there is no official information coming from Cognizant. The press announcement didn't say when the attackers broke in, how they did it, or how far into the network they managed to get. Some researchers reckon that they might have an idea, though.

A couple of weeks before Cognizant's press release, a data breach monitoring service by the name of Under the Breach (https://twitter.com/underthebreach/status/1251605359409664005) spotted an interesting advert on the dark web. A "known threat actor" had managed to compromise the systems of an "IT support and service company" and was selling access to them. The hacker said that the victim had some major clients and that cybercriminals willing to take him up on his offer could get their hands on tons of extremely sensitive data.

Was the hacker selling access to Cognizant's systems? And did the Maze ransomware gang buy it off him?

It's all in the realm of speculation, but it must be said that the timing certainly adds up. According to Under the Breach, on April 17, just 24 hours before the attack was publicly disclosed, the advert was pulled offline. If the Maze ransomware operators really did buy access to Cognizant's systems from the dark web, they paid in excess of $200 thousand for it. This is where the next question comes in.

How much do the Maze ransomware operators stand to gain?

Since we don't know how much of Cognizant's infrastructure is impacted, it's impossible to say how difficult it will be to recover from the current situation. Chances are, it's not going to be easy.

Still, given the fact that Cognizant is a major Fortune 500 IT company, many of you probably reckon that it has a solid backup strategy. If this is indeed the case, in a typical attack, the ransomware operators will be left empty-handed, which can be a small consolation. Unfortunately, this is not a typical attack.

The Maze ransomware first appeared last year, and it immediately gained infamy for its sophistication. Security experts who have examined it are impressed with the well-written code and the variety of detection evasion techniques that its authors have implemented. In light of all this, it shouldn't be too much of a shock that it's been used almost exclusively against large, rich organizations like Cognizant. What sets it apart from the other names in the ransomware business, however, is the twist in the Maze gang's modus operandi with which they all but guarantee themselves a significant profit from almost every attack.

Maze is one of the ransomware families that scrapes sensitive information and sends it to the crooks before encrypting the victim's files. Because of this, the hackers can first request a ransom to decrypt the files, and if the victim doesn't comply, they can threaten to leak the stolen data publicly.

Maze hits large organizations that do business with thousands of other companies and people, and leaks can have serious consequences. Furthermore, because the stolen data is so sensitive, there's no shortage of people on the dark web who would be more than happy to pay for it, which means that the lack of a ransom payment might not be such a big problem for the attackers after all.

So far, we have not heard of data stolen from Cognizant being traded on the underground forums, but we shouldn't forget that the attack took place only recently, so it's too early to say how the situation might unfold. One thing that is certain is that Cognizant must handle the situation very carefully. On the one hand, it must protect the security of its customers' data. On the other, it should do everything it can to ensure that the Maze crooks don't end up having it their way. Unfortunately, with the setup the criminals have created, this might be more difficult than it sounds.

April 21, 2020