Bad news: Cognizant hit by ransomware gang. Worse: It's Maze, which leaks victims' data online after non-payment
IT services biz warns customers could be at risk of infection, too
New Jersey IT services provider Cognizant has confirmed it is the latest victim of the Maze ransomware.
The infection was disclosed to the public this weekend. Cognizant said the malware outbreak will likely disrupt service for some of its customers, and possibly put them in danger as well.
Maze is unusual among ransomware strains in that it not only encrypts the data on infected Windows machines, it siphons off copies of the originals as well. This gives the malware's masterminds extra leverage – don't pay the ransom and confidential corporate data can be leaked or sold online. It is feared Maze may have infected Cognizant's customers, via the US service provider, and if that did happen, those clients' documents may have been stolen as well as scrambled.
"Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack," the announcement read.
"Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident. Cognizant has also engaged with the appropriate law enforcement authorities."
An update on Sunday included a rather ominous warning for customers: "We are in ongoing communication with our clients and have provided them with Indicators of Compromise (IOCs) and other technical information of a defensive nature," Cognizant said.
Cognizant provides on-premises and cloud-hosted IT services for companies as well as consultancy gigs. The biz has high-value customers in areas such as banking, health care, and manufacturing, and it is ranked in the Fortune 500, so any large-scale attack on its systems is potentially serious.
The Maze miscreants may not have been the ones to actually compromise the Cognizant network, though. Monitoring service Under the Breach claimed its team spotted someone selling access to an unnamed "major IT provider" for $200,000 roughly a week before the intrusion was revealed, leading it to speculate the Maze crew purchased access to Cognizant's systems from another hacker who performed the task of actually breaking into the network.
The strategy of leaking data if its demands aren't met is one favored by the ransomware gang, and it poses a new threat for organizations that would otherwise simply wipe the ransomware-infected devices and restore from backups without paying the ransom.
Additionally, the Maze ransomware is particularly well-written and difficult to thwart with technical means.
"Maze is a ransomware created by skilled developers," McAfee noted in its examination of the code. "It uses a lot of tricks to make analysis very complex by disabling disassemblers and using pseudocode plugins." ®