Incident of the Week: Cognizant Attacked By Maze

April 24, 2020

New Jersey-based IT giant Cognizant emailed its clients last Friday to say it had been compromised by Maze ransomware, and included a "preliminary list of indicators of compromise identified through our investigation." Recipients could use those indicators to sweep and secure their own systems.

The 24-year-old firm - contracted by Facebook to moderate its content and boasting clients in more than 80 countries - posted a statement on its website confirming that the attack was by Maze ransomware. The intruders had likely been inside its network for weeks, if not longer, moving laterally through the environment as they stole data and administrator credentials.

Maze denied its involvement, but if it were Maze, the operators would typically have deployed their ChaCha-based file encryption and then left a ransom note telling the victim how to pay for decryption.

All The Signs Of Maze Ransomware

Maze differs from earlier ransomware in that it not only encrypts the data on infected Windows machines but also exfiltrates copies of the original files before encrypting them. The operators threaten to sell or publish those copies on their "News" site if the ransom remains unpaid. As part of their "generosity", Maze directs victims to its support site to help them pay the ransom. (The site even has an online chat service.)

Operated by a band of skilled developers, McAfee notes that Maze ransomware is particularly difficult to thwart with technical means since:

It is a complex piece of malware that uses some tricks to frustrate analysis right from the beginning… and uses a lot of tricks to make analysis very complex by disabling disassemblers and using pseudocode plugins.


Back in December, the FBI warned companies that it had seen an increase in Maze activity. Since then, Maze has hit several major companies, including cyber insurer Chubb, accounting giant MNP, a law firm and an oil company.

Although Maze denied that it breached Cognizant, the indicators Cognizant circulated match a set of YARA rules for Maze released by security researcher Vitali Kremez. Further, the IoC list included IP addresses of servers and file extensions known to have been used in previous attacks by Maze ransomware actors.

How Do You Protect Yourself From Maze Ransomware?

The Maze attackers justified their Chubb attack by alleging:

We want to show that the system is unreliable. The cybersecurity is weak. The people who should care about the security of the information are unreliable. We want to show that nobody cares about the users. […] Now it’s our turn. We will change the situation by making irresponsible companies pay for every data leak.


Companies like Cognizant do monitor their systems; the problem is that software that is fully patched today will have new flaws tomorrow, and attackers are often quicker to find those flaws than defenders are. Patching has to be relentless and monitoring continuous.

A Handful Of Tips To Use Against Maze

The tips you use to defend against Maze apply to other malware families too. These include:

  • Clicking only on links in emails that you have verified as legitimate; phony links can infect your device
  • Using strong passwords. McAfee notes that Maze tends to target Remote Desktop (RDP) connections with weak passwords
  • Training your staff on how ransomware spreads
  • Monitoring network traffic for suspicious behaviors or anomalies
  • Taking regular backups, kept offline or otherwise out of reach of an infected host, so data can be restored after an infection
  • Ensuring that all software, including current Windows security patches, is up to date
  • Buying a reliable antivirus package
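The two practical steps the article describes, sweeping logs against the IP addresses and file extensions in an IoC list like the one Cognizant sent its clients, and watching for anomalies such as a burst of renamed files, can be scripted. The block below is an added example and is not code from the article, from Cognizant or from McAfee; the IoC values (RFC 5737 documentation addresses and a placeholder `.lockd` extension), the log lines and the file events are all constructed for illustration and are not Maze's real indicators.

```python
"""Sweep constructed proxy logs and file events against a constructed IoC list.

Added example. The indicator values, log format and events below are
hypothetical; a real sweep would load the indicators from the victim's
notification or a threat-intel feed and read logs from the SIEM.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed IoC set (hypothetical): RFC 5737 documentation addresses
# standing in for attacker infrastructure, and a placeholder extension
# standing in for the extension the ransomware appends to encrypted files.
IOC_IPS = {"192.0.2.44", "198.51.100.17"}
IOC_EXTENSIONS = {".lockd"}

# Dotted quads not embedded in a longer number or address.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed proxy/firewall log lines (timestamp first, then key=value fields).
PROXY_LOG = [
    "2020-04-17T09:12:03Z src=10.20.1.15 dst=93.184.216.34 dport=443 bytes=1204",
    "2020-04-17T09:12:07Z src=10.20.1.15 dst=192.0.2.44 dport=443 bytes=883214",
    "2020-04-17T09:13:41Z src=10.20.1.22 dst=198.51.100.17 dport=8080 bytes=41",
    "2020-04-17T09:14:02Z src=10.20.1.22 dst=10.20.1.5 dport=445 bytes=3090",
]

# Constructed file-audit events: timestamp, action, UNC path.
FILE_EVENTS = [
    r"2020-04-17T09:20:00Z FILE_CREATE \\fs01\finance\Q1.xlsx.lockd",
    r"2020-04-17T09:20:01Z FILE_CREATE \\fs01\finance\Q2.xlsx.lockd",
    r"2020-04-17T09:20:02Z FILE_CREATE \\fs01\finance\budget.docx.lockd",
    r"2020-04-17T11:00:00Z FILE_CREATE \\fs01\hr\report.docx",
    r"2020-04-17T11:30:00Z FILE_CREATE \\fs01\hr\old.pdf.lockd",
]


def network_hits(lines):
    """Return (timestamp, ip) for every log line that touches an IoC address."""
    hits = []
    for line in lines:
        for token in IPV4.findall(line):
            try:
                ip = str(ipaddress.ip_address(token))
            except ValueError:
                continue  # regex matched something like 999.0.2.44; not an address
            if ip in IOC_IPS:
                hits.append((line.split()[0], ip))
    return hits


def file_hits(events):
    """Return (timestamp, path) for file events whose path ends in an IoC extension."""
    hits = []
    for event in events:
        ts, _action, path = event.split(maxsplit=2)
        if any(path.lower().endswith(ext) for ext in IOC_EXTENSIONS):
            hits.append((ts, path))
    return hits


def max_events_in_window(hits, window=timedelta(seconds=60)):
    """Largest number of hits inside any sliding window of the given length.

    Encryption in progress produces far more renamed files per minute than a
    person would; a high value here is the anomaly worth paging on.
    """
    times = sorted(datetime.strptime(ts, TS_FORMAT) for ts, _ in hits)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def sweep(lines=PROXY_LOG, events=FILE_EVENTS, burst_threshold=3):
    """Run both checks and summarize; burst=True means a likely active encryption run."""
    net = network_hits(lines)
    files = file_hits(events)
    return {
        "network_hits": net,
        "file_hits": files,
        "burst": max_events_in_window(files) >= burst_threshold,
    }


if __name__ == "__main__":
    for key, value in sweep().items():
        print(f"{key}: {value}")
```

Extensions are matched case-insensitively and IP tokens are validated with `ipaddress` so that a near-miss such as `999.0.2.44` cannot produce a false hit; the burst threshold and window should be tuned to the file server's normal churn before being used for alerting.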

If a ransomware assault happens, experts recommend against paying, since this only encourages future attacks and doesn’t guarantee the recovery of the encrypted files.

As the Maze operators themselves say, most malware infections are prevented by good security practices.


Read the original article and additional information at Cyber Security Hub