Padlock on keyboard showing Maze ransomware attack

Maze Ransomware Attack on Cognizant May Impact Customers

Cognizant has admitted that it was recently hit by a Maze ransomware attack. Without divulging many details, the company said it was engaging with law enforcement authorities regarding the latest incident. The New Jersey-based company is a Fortune 500 companies offering with IT services and with an annual revenue of $16.8 billion last year. The company operates in over 80 countries and has more than 290,000 workers. Despite the latest admission, Maze ransomware operators have vehemently denied being behind the ransomware attack. The company says it has maintained communication with its clients and is providing them with indicators of compromise (IOCs) and other technical information for defensive purposes. The FBI had warned businesses of an increase in Maze ransomware attacks since December.

Details of the Cognizant Maze ransomware attack

The company acknowledged the attack on a statement released on its website.

“Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack,” the statement read. “Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident.”

The ransomware operator has not published any data online, indicating that negotiations might still be taking place. Research by Chainalysis Insights shows that companies are more unwilling to pay ransom during the current coronavirus pandemic, thus forcing the cybercriminals to adopt a softer approach.

The company did not disclose how the ransomware operator gained access to its systems. However, a security vulnerability had been discovered on the Citrix server that runs Cognizant’s Trizetto healthcare solutions system. Cognizant had already patched the flaw in mid-February. This indicates that had the ransomware operators exploited the vulnerability, they must have infiltrated the system much earlier.

The cybersecurity firm, Under the Breach, also speculates that a third-party carried out the attack and sold the data to Maze ransomware operators. The firm notes that there was an ad for a huge IT firm’s data selling for $200,000 just a few days before Cognizant’s exploit. The ad was removed just a day before the ransomware attack took place. It is, therefore, possible that the two incidents were related.

Cognizant is not the only company to be hit by the Maze ransomware attack. The ransomware operator had successfully launched attacks against Hammersmith Medicines Research, insurance firms Chubb Insurance, US Administrator Claims, Madison Insurance Group, Cornerstone Underwriting Partners, AIC Underwriters, and Jackson Plaza. Other insurance companies affected by Maze ransomware attacks include Omaha-based Applied Underwrites and American Builders Insurance Company in Alabama.

However, the attack on an IT services Fortune 500 company is more significant because of the chain reaction it causes. Cognizant provides essential services to companies such as Mitsubishi Motors, PeopleSoft, and financial services companies such as ING and Standard Life. Cognizant CEO Brian Humphries said the attack had not affected the clients’ networks.

If the stolen data is sold in the black market, clients face elevated risks of fraud through identity theft. The customers could also become victims of future attacks through phishing once the cybercriminals acquire personal information about them. The damage caused by the leaking of customer data is almost impossible to contain.

The operation of a Maze ransomware attack

Maze ransomware relies on exploit kits that take advantage of known software vulnerabilities. The company also tricks users into downloading infected files as well as opening phishing emails.

Because the ransomware operators have denied involvement, cybersecurity experts identify the attack from its IOCs typical of a Maze ransomware attack. According to BleepingComputer, the IP addresses and hashes used in Cognizant’s attack had been used in Maze ransomware attacks elsewhere.

Unlike other ransomware attacks, Maze ransomware attack not only encrypts the individual computers but also spreads across the entire network affecting every other machine. The ransomware then sends data to the attacker’s server, where it is held for ransom. The ransomware operator publishes the data if the victim refuses to pay.  Maze ransomware also denies the user access to the system hence interrupting business operations. Cognizant has already warned that the attack will disrupt its operations and is likely to cause a fall in profits as well as a rise in operational costs.


Updated (May 13, 2020): Corrected “annual profit of $16.8 billion” to “annual revenue of $16.8 billion last year”