During the Covid-19 pandemic, Cognizant, the technology solutions corporation, was hacked by the Maze group, causing major service disruptions for the company and its clients. The victims are dealing with a double burden: the pandemic, and the Maze group's threat to expose sensitive internal documents to the public. Worse still, the victims face government fines if personally identifiable information is exposed. However, in an interview with Bleeping Computer, the Maze operator denied any involvement in the attack. According to the news outlet, Maze has historically been reserved in discussing its association with cyber attacks.
On April 18, Cognizant's Security Incident page posted an update on how the company is responding to the Maze ransomware attack. The company has engaged the appropriate law enforcement authorities and is getting help from cyber defense firms. It has been communicating with its clients and providing them with Indicators of Compromise (IOCs). The listed IOCs included IP addresses of servers and file hashes for the kepstl32.dll, memes.tmp, and maze.dll files; these IP addresses and files are known to have been used in previous attacks by the Maze ransomware actors. There was also a hash for a new, unnamed file, but no further information about it.
What is Maze Ransomware?
Maze was discovered by Jerome Segura on May 29th, 2019 and was previously known in the community as “ChaCha ransomware”. The FBI warned U.S. companies in December of an increase in Maze-related ransomware incidents. Maze differs from other ransomware in that, before encrypting files, it steals a significant amount of data and sends it to a remote server controlled by the attacker. The objective is to sell the data on the dark web if the organization or individual refuses to pay the ransom.
According to McAfee Labs' research, Maze is mainly spread through exploit kits such as Fallout and Spelevo, remote desktop connections with weak passwords, and phishing emails impersonating government agencies. As mentioned above, Maze is based on “ChaCha”, and it encrypts files using ChaCha20 combined with RSA-2048. The ransomware instructs the victim on how to pay for decryption in a ransom note created under the file name DECRYPT-FILES.txt.
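As an added example (not code from the article, from Cognizant, or from McAfee), the script below shows how a defender can put the two kinds of artifact mentioned above to use: it hashes files under a directory and matches them against a set of IOC file hashes, flags files named like the Maze ransom note (DECRYPT-FILES.txt), and scans log lines for IOC IP addresses. The real hashes and IP addresses Cognizant shared are not on the page, so the IOC values, file contents and log lines here are constructed stand-ins (the IP addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges), and the function names are the author's own.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Ransom note file name reported for Maze in the article.
RANSOM_NOTE_NAMES = {"DECRYPT-FILES.txt"}

# Simple IPv4 extractor for firewall/proxy log lines.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(root: Path, ioc_hashes: set[str]) -> list[dict]:
    """Walk a directory tree and report (a) files whose SHA-256 is a known IOC
    and (b) files named like the Maze ransom note."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        digest = sha256_of(path)
        if digest in ioc_hashes:
            findings.append({"kind": "ioc_hash", "path": rel, "detail": digest})
        if path.name in RANSOM_NOTE_NAMES:
            findings.append({"kind": "ransom_note", "path": rel, "detail": path.name})
    return findings


def scan_logs(lines, ioc_ips: set[str]) -> list[dict]:
    """Report every log line that mentions an IOC IP address."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in ioc_ips:
                hits.append({"line": number, "ip": ip, "text": line.strip()})
    return hits


def run_demo() -> tuple[list[dict], list[dict]]:
    """Build a constructed file tree and log sample, then run both scanners.
    All IOC values below are placeholders; the page does not list the real ones."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        home = root / "users" / "alice"
        home.mkdir(parents=True)
        # Constructed stand-in for a dropped component; its hash becomes the IOC.
        dropped = home / "memes.tmp"
        dropped.write_bytes(b"CONSTRUCTED stand-in for a dropped Maze component\n")
        (home / "report.docx").write_bytes(b"ordinary document\n")
        (home / "DECRYPT-FILES.txt").write_text("constructed ransom note text\n")

        ioc_hashes = {sha256_of(dropped)}  # derived from the constructed file
        findings = scan_files(root, ioc_hashes)

    # Placeholder IOC IP from a documentation range, not a real indicator.
    ioc_ips = {"203.0.113.45"}
    sample_logs = [  # constructed firewall/proxy lines
        "2020-04-17T22:01:09Z fw ALLOW 10.20.30.40:51522 -> 203.0.113.45:443",
        "2020-04-17T22:01:10Z fw ALLOW 10.20.30.41:51523 -> 198.51.100.7:443",
        "2020-04-17T22:02:00Z proxy GET http://203.0.113.45/upload 10.20.30.40",
    ]
    hits = scan_logs(sample_logs, ioc_ips)
    return findings, hits


if __name__ == "__main__":
    file_findings, log_hits = run_demo()
    for f in file_findings:
        print(f"[{f['kind']}] {f['path']}: {f['detail']}")
    for h in log_hits:
        print(f"[ioc_ip] line {h['line']}: {h['ip']} in '{h['text']}'")
```

Hash matching is exact, so a recompiled or repacked sample will not match; treat a hit as high confidence and a miss as no information. The ransom-note name check is cheap but only fires after encryption has started, which is why the network IOCs (outbound connections to the listed servers, consistent with the data theft described above) are the earlier signal to hunt for.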
We live in an era in which the cyber resilience of every company and every enterprise will be tested. While we do not know whether this incident will turn out to be a “cyber cold” or a “cyber cancer”, enterprises should be better prepared to detect, contain, and eradicate hackers quickly.