Cognizant, a globally known IT services company, recently suffered a ransomware attack carried out by the operators of the “Maze” ransomware.
The Maze ransomware was able to penetrate the network and infect Cognizant's “internal” systems, which also caused service downtime for some of its clients.
On Saturday, the company confirmed the attack in a press release on its website, saying, “Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack.”
Cognizant operates at more than 166 locations globally (2019 figure) and has an annual turnover of more than US$16 billion.
Further, in a statement, the company says, “Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident. Cognizant has also engaged with the appropriate law enforcement authorities.”
The company also emailed its clients to inform them of the compromise and provided a list of Indicators of Compromise (IOCs) and other technical information so they could monitor their systems for infection and secure them.
As reported by BleepingComputer, “The listed IOCs included IP addresses of servers and file hashes for the kepstl32.dll, memes.tmp, and maze.dll files. These IP addresses and files are known to be used in previous attacks by the Maze ransomware actors.”
“There was also a hash for a new unnamed file, but there is no further information about it.”
In a typical ransomware attack, the attacker simply encrypts the victim's system files and demands a ransom to recover them.
The Maze operators, however, have previously been observed to steal the unencrypted files first, save them on their own server, and only then deploy the ransomware to encrypt those files.
The stolen files are then used to threaten the victim into paying a specific ransom amount.
If the ransom demands aren’t met within a specific time, the Maze threat actors publish those files on their “News” site, which was created specifically for publishing the stolen data of non-paying victims.