The IT services enterprise, Conduent, which provides HR and payment infrastructure to “a majority of Fortune 100 companies and over 500 governments,” was hit by a Maze ransomware attack on May 29, 2020. A week later, on June 5, a U.S. subsidiary of ST Engineering Aerospace discovered Maze ransomware breached their systems as early as March.
Maze ransomware targets corporate networks that run on Windows OS. Its danger and uniqueness lie in its ability to both encrypt data, leaving it inaccessible to an organization, and steal it with the intent to hold it hostage and/or sell it on the dark web. In fact, Maze even boasts about their “new clients”--that is, corporations who refuse to pay the ransom--on their Dark Web website, complete with proof of stolen data.
See Related: Cognizant Attacked By Maze
Conduent was running unpatched Citrix VPNs for at least eight weeks, leaving them vulnerable to a known weakness in the code execution. Conduent experienced a service interruption for about nine hours on May 29th. The system of Conduent’s European operation spotted the ransomware quickly, and the breach was addressed by cybersecurity protocols.
In the case of ST Engineering Aerospace, the breach went undetected for much longer. It is believed that Maze ransomware was embedded to a phishing email that, when opened, infected the machine and began encrypting files.
While Conduent hasn’t explicitly named Maze as the perpetrator of its breach, Maze’s Dark Web page lists stolen Conduent data and customer audits. The page also lists ST Engineering Aerospace contract details with various governments of countries like Peru and Argentina, government-related organizations like NASA, and air carriers like American Airlines as stolen. Project plans and financial records were also part of the aerospace breach. It appears that the 1.5TB of data stolen from ST Engineering was released after the organization decided not to pay the ransom.
Conduent’s spokesman, Sean Collins, says, “As our investigation continues, we have on-going internal and external security forensics and anti-virus teams reviewing and monitoring our European infrastructure.” Additionally, law enforcement encourages all enterprises to improve cyber practices including multifactor authentication and regular system patching.
See Related: The Cost Of An Enterprise Ransomware Attack
In ST Engineering’s case, vice president an general manager of the VT San Antonio Aerospace subsidiary released this statement: “Upon discovering the incident, the company took immediate action, including disconnecting certain systems from the network, retaining leading third-party forensic advisors to help investigate, and notifying appropriate law enforcement authorities.
“As part of this process, we are conducting a rigorous review of the incident and our systems to ensure that the data we are entrusted with remains safe and secure. This includes deploying advanced tools to remediate the intrusion and to restore systems. We are also taking steps to further strengthen the company’s overall cybersecurity architecture."
Naturally, all breaches and ransomware threats should be reported to the authorities, but is it advantageous for your organization to pay the ransom? It depends, says a Tripwire article by Graham Cluley. “That ultimately is a decision that only you can make. Bear in mind that the more companies that pay a ransom, the more the criminals are likely to launch similar attacks in the future. At the same time, you may feel that your business needs to make the difficult but pragmatic decision to pay the criminals if you feel your company cannot survive any other way.”
Regardless, paying a ransom doesn’t leave you in the free and clear. While breaches are inevitable, a strong cyber solution that includes the five parts of NIST ensures that your organization maintains the safety and integrity that is expected of today’s enterprises.