Cognizant, one of the largest IT managed services companies in the world, with around 300,000 employees and over $15 billion in revenue, suffered a Maze ransomware cyber-attack.
Cognizant remotely manages its clients through end-point clients, or agents, that are installed on customers' workstations to push out patches and software updates and to perform remote support services.
The company emailed its clients last weekend stating that it had been compromised, and included a list of indicators of compromise (IOCs) identified during its investigation. Clients can use this information to monitor their systems and secure them.
The IOCs include IP addresses of servers and file hashes for the kepstl32.dll, memes.tmp, and maze.dll files. These IP addresses and files were used in previous attacks by the Maze ransomware actors. A hash for a new, unnamed file was also included.
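As an added illustration of how a client could act on such a notification (this is example code, not Cognizant's tooling or anything from the notification itself), the scanner below walks a directory tree and flags files whose name or SHA-256 hash matches a supplied IOC set. The three file names come from the notification described above; the hash values are constructed placeholders, because the article does not publish the real ones, and must be replaced with the values from the actual IOC list before use. The demo builds a small sample tree in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# File names from the Cognizant notification. Matching on name alone is only a lead:
# attackers rename droppers, and benign files can share a name.
IOC_FILENAMES = {"kepstl32.dll", "memes.tmp", "maze.dll"}


def sha256_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, ioc_hashes, ioc_filenames=IOC_FILENAMES):
    """Walk `root` and return a sorted list of (relative_path, reason) tuples.

    `reason` is "filename" for a name match and "sha256" for a hash match; a file that
    matches both appears twice. A hash match is strong evidence of the known artifact,
    while a filename match on its own only justifies a closer look.
    """
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in ioc_filenames:
            findings.append((rel, "filename"))
        try:
            digest = sha256_of_file(path)
        except OSError:
            # Unreadable (locked, permission denied): a real scanner would log this.
            continue
        if digest in ioc_hashes:
            findings.append((rel, "sha256"))
    return findings


def demo():
    """Constructed sample tree: a benign file, a file that only shares an IOC name,
    and a renamed file whose content matches a constructed IOC hash."""
    sample_bytes = b"constructed stand-in for a flagged DLL, not real malware"
    # Placeholder IOC hash set; in practice load the hashes from the notification.
    ioc_hashes = {hashlib.sha256(sample_bytes).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "agent").mkdir()
        (root / "agent" / "readme.txt").write_bytes(b"benign content")
        (root / "agent" / "memes.tmp").write_bytes(b"unknown content, IOC name only")
        (root / "agent" / "renamed.bin").write_bytes(sample_bytes)
        return scan_tree(root, ioc_hashes)


if __name__ == "__main__":
    for rel_path, reason in demo():
        print(f"{reason:8s} {rel_path}")
```

Running the demo reports `memes.tmp` as a name match and `renamed.bin` as a hash match, which is the point of hashing every file rather than only the ones with suspicious names. For an actual sweep, point `scan_tree` at the directories the management agent writes to and pass the hash values from the notification.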
Security researcher Vitali Kremez has released a rule that can be used to detect the Maze ransomware DLL. However, the Maze operators denied being responsible for this attack.
It is likely that Maze is not discussing the attack in order to avoid complicating what they hope will be a ransom payment.
Cognizant later posted a statement on its website confirming that the security incident was caused by Maze ransomware. It also stated that it has informed law enforcement authorities, and that its internal security teams, together with leading cyber defense firms, are taking active measures to contain the incident.
It is believed that, if the Maze operators performed this attack, they were present in Cognizant's network for weeks.
Before deploying ransomware, the Maze operators steal unencrypted files, so such an attack should also be treated as a data breach. The stolen files are then used as leverage to make victims pay the ransom, by threatening to release the data if payment is not made.