“A security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack”
Another IT services heavyweight has fallen victim to a ransomware attack, with the US’s Cognizant, a Fortune 500 stalwart with $16.8 billion in 2019 revenue, admitting over the weekend that a “Maze ransomware attack” had hit internal systems and was causing service disruption for clients.
A short statement, published Saturday, provides little detail on the extent of the compromise or how many customers were affected.
Among other services, Cognizant provides a wide range of outsourced IT services for the financial services sector — a sector that accounted for over $5.8 billion of its total revenues in 2019. (See chart below).
The New Jersey-based company said: “Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack.”
Cognizant, which employs around 300,000 people globally, has contacted law enforcement and provided indicators of compromise (IoCs) to partners, it said, without revealing the initial delivery vector.
The incident comes hot on the heels of a ransomware attack on major UK financial services technology provider Finastra last month, an incident that saw an estimated hundreds of millions of dollars in transactions frozen as the company unplugged servers to prevent the ransomware from spreading further.
(It has since worked through databases to process payments manually as it restored systems).
Spain’s largest IT consultancy, Everis, owned by NTT Data, was also hit by ransomware in November 2019.
Cognizant Hacked: What is the Maze Ransomware?
The cyber criminals behind the Maze ransomware use a range of different techniques to gain entry to the companies they are targeting, including exploit kits, remote desktop connections with weak passwords or sophisticated phishing campaigns. The ransomware itself is sophisticated, with a bag of tricks baked into its code to avoid detection by security programmes.
Those behind the ransomware have pivoted to stealing data before encrypting it, as leverage to get organisations to pay the ransom, and regularly leak snippets of stolen files to a dedicated “Maze news” website.
The malware itself is a 32-bit binary, usually packed as an EXE or a DLL file, according to a March 2020 McAfee analysis, which noted that the Maze ransomware can also terminate debugging tools used to analyse its behaviour, including the IDA debugger, x32dbg, OllyDbg and more processes, “to avoid dynamic analysis, close databases, office programs and security tools”.
The UK’s NCSC recently warned that diverse forms of online backup are also increasingly being encrypted in ransomware attacks. In a February 2020 warning, the NCSC said that it has seen “numerous incidents where ransomware has not only encrypted the original data on-disk, but also connected USB and network storage drives holding data backups.
“Incidents involving ransomware have also compromised connected cloud storage locations containing backups.”