Last Friday, the New Jersey-based IT services giant Cognizant emailed its clients to say that it had been compromised by Maze ransomware, and included a "preliminary list of indicators of compromise identified through our investigation." Recipients could use those indicators to check their own systems for the same attacker infrastructure and artifacts.
The 24-year-old firm, contracted by Facebook to moderate its content and boasting clients in more than 80 countries, posted a statement on its website confirming that the attack was by Maze ransomware. The attackers had likely been inside its network for weeks, if not longer, moving through the environment as they stole data and administrator credentials.
Maze denied its involvement, but a Maze attack would typically have encrypted the victim's files with its ChaCha-based encryption routine and then left a ransom note telling the victim how to pay for decryption.
Maze differs from conventional ransomware in that it does not only encrypt the data on infected Windows machines: it first exfiltrates copies of the original files. The operators then threaten to sell or publish the stolen data on their "News" site if the ransom remains unpaid. As part of their "generosity", Maze directs victims to a support site to help them pay the ransom (the site even has an online chat service).
McAfee, which attributes Maze to a band of skilled developers, notes that the ransomware is particularly difficult to thwart by technical means since:
It is a complex piece of malware that uses some tricks to frustrate analysis right from the beginning… and uses a lot of tricks to make analysis very complex by disabling disassemblers and using pseudocode plugins.
Back in December, the FBI warned companies that it had observed an increase in Maze activity. Since then, Maze has hit several major companies, including the cyber insurer Chubb, the accounting firm MNP, a law firm and an oil company.
Although Maze denied that it breached Cognizant, a set of YARA rules released by security researcher Vitali Kremez shows that this breach has all the identifying marks of Maze malware. Further, the IoCs Cognizant shared included IP addresses of servers and file extensions known to have been used in previous attacks by Maze ransomware actors.
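As an added illustration of what a recipient of such an indicator list can actually do with it (this is example code written for this article, not Cognizant's, Kremez's or any vendor's tooling), the script below matches a constructed IoC list of attacker IP addresses (single hosts and CIDR blocks) and ransomware file extensions against constructed firewall log lines and a constructed file listing. The addresses are taken from the RFC 5737 documentation ranges and the file extension and ransom-note name are made up, so none of them are real Maze indicators; a real run would substitute the indicators from the vendor's list and read actual logs.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed IoC list, in the spirit of the "preliminary list of indicators"
# the article describes. The addresses are RFC 5737 documentation ranges and
# the extension / note name are invented; none are real Maze indicators.
IOC_IPS = ["192.0.2.44", "198.51.100.0/24"]
IOC_EXTENSIONS = [".encr", ".lockd"]
IOC_FILENAMES = ["DECRYPT-FILES.txt"]   # hypothetical ransom-note file name

# Loose IPv4 literal matcher; candidates are validated with ipaddress below.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Hit:
    kind: str        # "ip", "extension" or "filename"
    indicator: str   # which IoC fired
    line_no: int     # 1-based position in the scanned input
    line: str        # the offending log line or path


def _compile_networks(entries):
    # strict=False lets a bare host address become a /32 network.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def scan_log(lines, ip_iocs=IOC_IPS):
    """Return a Hit for every log line that contains an IoC address.

    Every IPv4 literal in the line is parsed and tested against the IoC
    networks, so single hosts and CIDR blocks are handled the same way."""
    nets = _compile_networks(ip_iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for literal in IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(literal)
            except ValueError:
                continue   # e.g. "999.1.1.1" satisfied the loose regex
            for net in nets:
                if addr in net:
                    hits.append(Hit("ip", str(net), n, line))
                    break
    return hits


def scan_paths(paths, extensions=IOC_EXTENSIONS, filenames=IOC_FILENAMES):
    """Flag file paths whose extension or base name is on the IoC list.

    Comparison is case-insensitive because Windows file systems are, and
    both Windows and UNC separators are accepted."""
    exts = tuple(e.lower() for e in extensions)
    names = {f.lower() for f in filenames}
    hits = []
    for n, p in enumerate(paths, 1):
        base = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in names:
            hits.append(Hit("filename", base, n, p))
        elif base.endswith(exts):
            hits.append(Hit("extension", base[base.rfind("."):], n, p))
    return hits


def triage(log_lines, paths):
    """Group hits by indicator so an analyst sees which IoCs fired and where."""
    by_indicator = {}
    for h in scan_log(log_lines) + scan_paths(paths):
        by_indicator.setdefault(h.indicator, []).append(h.line_no)
    return by_indicator


# Constructed sample input: three firewall lines and four file paths.
SAMPLE_FW_LOG = [
    "2020-04-17T02:14:09Z fw01 allow tcp 10.0.5.21:51022 -> 192.0.2.44:443",
    "2020-04-17T02:14:11Z fw01 allow tcp 10.0.5.21:51023 -> 203.0.113.9:443",
    "2020-04-17T02:15:40Z fw01 deny  tcp 10.0.5.77:3389 <- 198.51.100.200:40001",
]
SAMPLE_PATHS = [
    r"C:\Users\jdoe\Documents\budget.xlsx",
    r"C:\Users\jdoe\Documents\budget.xlsx.encr",
    r"C:\Users\jdoe\Desktop\DECRYPT-FILES.txt",
    r"\\fileserver\share\Q1-report.docx",
]

if __name__ == "__main__":
    for ioc, where in triage(SAMPLE_FW_LOG, SAMPLE_PATHS).items():
        print(f"{ioc}: lines {where}")
```

The CIDR handling matters in practice: vendor lists often give a hosting provider's whole block rather than single hosts, and a plain string comparison would miss every address but the one quoted. The file-name checks are deliberately case-insensitive because a ransom note dropped as `decrypt-files.txt` on NTFS is the same indicator.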
The Maze attackers justified their Chubb attack by alleging:
We want to show that the system is unreliable. The cybersecurity is weak. The people who should care about the security of the information are unreliable. We want to show that nobody cares about the users. […] Now it’s our turn. We will change the situation by making irresponsible companies pay for every data leak.
It is not that companies like Cognizant fail to monitor their systems; the problem is that today's patched software is tomorrow's weakest link. You have to update relentlessly and stay alert, and attackers are often quicker to find those flaws than you are.
The defensive measures that work against Maze apply to other malware families too. These include:
If a ransomware attack does happen, experts recommend against paying: payment only encourages future attacks and does not guarantee recovery of the encrypted files.
As the Maze operators themselves say, most malware infections are prevented by good security practices.