Cognizant Breach: 10 things to know about maze ransomware attacks

By on
Cognizant Breach: 10 things to know about maze ransomware attacks

Another Day, Another Victim

Cognizant is the latest solution provider to succumb to ransomware, with the systems integrator saying Saturday that the virulent Maze strain had locked up its own internal systems along with hitting some of its clients. The company said it deployed its own internal security along with leading cyber defense firms to contain the incident.

The ransomware attack has caused and may continue to cause an interruption in parts of Cognizant’s business, potentially resulting in a loss of revenue and incremental costs that negatively impact the company’s financial results, according to a filing the U.S. Securities and Exchange Commission (SEC) Monday. Cognizant’s stock is down US$0.95 (1.77 percent) to US$52.86 in trading Monday afternoon.

Despite being around for less than a year, Maze ransomware has wreaked havoc on businesses and municipalities throughout the world and been the subject of lawsuits, email impersonation attempts and trolling efforts.

From retaliating against a company that temporarily shut their news site down to distancing themselves from terrorist attack that coincided with the deployment of their ransomware, here are 10 things solution providers need to know about the maze ransomware attacks following the Cognizant breach.


10. Maze Ransomware Was Discovered In May 2019

Maze ransomware was discovered on 29 May 2019 by Malwarebytes security researcher Jerome Segura. Previously known as ChaCha ransomware, Segura discovered that Maze was being distributed by the Fallout exploit kit through a fake site pretending to be a cryptocurrency exchange app, according to BleepingComputer.

The adversaries created a fake Abra cryptocurrency site in order to buy traffic from ad networks, Segura told BleepingComputer in May 2019. Visitors to the cryptocurrency site would then be redirected to the exploit kit landing page under certain conditions, according to BleepingComputer.

Maze ransomware utilizes RSA and ChaCha20 encryption as part of the process, and upon execution, the ransomware scans for files to encrypt and appends different extensions to the files, according to BleepingComputer. The creators of Maze ransomware said the ransom amount would be different depending on whether the victim is a home computer, server or workstation, BleepingComputer said.


9. Maze Actors Will Release Victim Data If The Ransom Isn’t Paid

The main goal of Maze ransomware is to encrypt all files it can in an infected system and then demand a ransom to recover the files, according to a March 2020 McAfee Labs report. However, the most important characteristic of Maze is that the ransomware authors threaten to release the victim’s information on the internet if they do not pay, McAfee Labs stated.

The threat has not been an idle one as the files of several companies have been released on the internet. The Maze ransomware is hard programmed with some tricks to prevent reversing of it and to make static analysis more difficult, according to McAfee Labs.

The creators of Sodinokibi, Nemty, and BitPyLock ransomwares have followed Maze’s example, stating that they too will publish data stolen from victims if they don’t pay a ransom. Companies are more apt to pay a ransom if it costs less than the fines, data breach notification costs, loss of trade and business secrets, tarnishing of brand image, and potential lawsuits associated with disclosing personal data, according to BleepingComputer.


8. Maze Delivered Through Exploit Kits, Remote Desktop, Email Impersonation

The Maze ransomware historically relied on exploit kits, remote desktop connections with weak passwords or email impersonation to gain access to a user’s system. In addition to the Fallout exploit kit used from the outset, security researchers in October 2019 began spotting the Spelevo exploit kit infecting victims with Maze through a malicious campaign that exploited a Flash Player use-after-free vulnerability.

Upon successful exploitation, security researchers said the exploit kit will automatically download and install the Maze ransomware payload through arbitrary code execution, according to BleepingComputer. The critical vulnerability impacts users of Flash Players versions and earlier, BleepingComputer said.

Spelevo was previously seen by Cisco Talos dropping the IceD and Dridex banking trojans via a compromised business-to-business website, according to BleepingComputer. There was no way to decrypt for free the files that Maze ransomware encrypts as of October 2019, BleepingComputer said.


7. Email Impersonation Used To Infect Italian Manufacturers In October

A campaign distributing Maze ransomware to Italian users was detected on 29 October 2019 through emails impersonating the Italian Revenue Agency, according to a Proofpoint report released the following month. These emails came with a Word attachment that was using macros to run the ransomware in the system, Proofpoint found.

The email was targeted primarily at manufacturing companies and claimed to be a notification of law enforcement activities, stating that the recipient should open and read the attachment VERDI.doc in order to avoid further tax assessment and penalties, Proofpoint reported. The malicious document purported to be an RSA SecurID key used by the Italian Ministry of Taxation that must be enabled.

Once the content is enabled, Proofpoint said the malicious macro runs a PowerShell script, which in turn downloaded and installed a Maze ransomware payload onto the victim’s system. The campaign targeted IT support companies, which BleepingComputer said may have been an attempt to get backdoor access to an MSP so that the Maze ransomware could be pushed out to the MSP’s clients.


6. Massive Amounts Of Staffing Firm Data Leaked By Maze In November

The group behind Maze ransomware published almost 700 megabytes worth of data and files from stolen security staffing firm Allied Universal in November 2019, according to BleepingComputer. BleepingComputer was told that was only 10 percent of the total files stolen from Allied Universal, and that the rest would be released if a payment was not made.

The Maze actors told BleepingComputer at the time that they had encrypted ‘a lot’ of Allied Universal’s computers and were demanding approximately US$2.3 million to decrypt the entire network. Before encrypting any computer, the Maze actors claimed to always steal a victim’s files so that they can be used as further leverage to have the victim pay the ransom.

The actors posted a link on a Russian hacker and malware forum that contained files such as termination agreements, contracts, medical records, server directory listings, encryption certificates, and exported lists of users from active directory servers, BleepingComputer reported. The Maze actors threatened to conduct a spam campaign using Allied’s domain name and email certificates if they didn’t pay.


5. Maze Actors Strike City Of Pensacola Days After High-Profile Shooting

The operators behind the Maze ransomware said they were responsible for encrypting data from the City of Pensacola, Florida and demanded a US$1 million ransom for a decryptor, according to BleepingComputer. The city said on 11 December that it was slowly recovering with their mail servers back up and most of their landlines restored, BleepingComputer reported.

City employees, however, were unable to access their computers or the internet until all the issues were resolved, according to a Pensacola spokesperson. The city said its emergency dispatch and 911 serves weren’t impacted and continued to operate as normal.

The Maze operators said they had nothing to do with the terrorist attack at Naval Air Station (NAS) Pensacola that had occurred just days before the ransomware hit, and that the timing was coincidental. The Maze actors said they don’t have hospitals, cancer centers, maternity hospitals or other “socially significant services” and will actually decrypt any that get encrypted using Maze software for free.


4. Maze Actors Sued, Retaliate After Releasing Data From Cable Maker

Wire and cable maker Southwire was hit by Maze ransomware on 9 December 2019, which affected computing on a companywide basis. The Maze actors demanded approximately US$6 million of ransom paid it bitcoin, according to BleepingComputer.

Some time later, BleepingComputer said Maze operators published some Southwire data to a site they controlled that’s hosted by an ISP in Ireland after not getting paid by the company. Southwire then filed a lawsuit against Maze on 31 December that ended with the Maze news site being taken down temporarily, meaning that Southwire’s data was no longer available to the public, BleepingComputer said.

In response, BleepingComputer said Maze spread 14.1 gigabytes of Southwire files on a Russian hacking forum, and promised to release 10 percent of the company’s data every week until they got paid. In total, the Maze operators stole 120 gigabytes of Southwire data before encrypting 878 devices on the network, according to BleepingComputer.


3. Maze Actors Exfiltrate Immunology Research, Release Some Stolen Data

Maze ransomware operators on 23 January 2020, infected computers from Medical Diagnostics Laboratories (MDLab) and released close of 9.5 gigabytes of data stolen from infected machines. The files on 231 MDLab stations were encrypted on 2 December 2019, according to their website.

The infected computers stored tens of terabytes of data, but the Maze operators told Bleeping Computer that they exfiltrated 100 gigabytes of archives, which they plan to make public if the ransom isn’t paid. Some of the exfiltrated files relate to immunology research done by MDLab, according to BleepingComputer.

Maze told BleepingComputer that they directed MDLab to ransomware recovery company Coveware to negotiate the payment. Coveware, however, denied being involved in negotiations with Maze on MDLab’s part, and has a strict policy of not responding to referrals from ransomware actors, according to BleepingComputer.


2. Maze Developers Troll Researchers With Release Of New Malware Version

A new version of the Maze ransomware appeared in late January 2020 with a special text dedicated to some researchers in the security field in an attempt to be provocative and make fun of them, according to the McAfee Labs report. The Maze developers appear to have carefully selected the researchers and the psychological trick worked, McAfee Labs said, which all the researchers responding to the message.

“Without malware, your [sic] work will be boring as hell, what will you cover?” the Maze developers wrote in response to the security researchers. “I know you hate us, but you need to know that we love you researchers, without you our job also would be f****** boring as hell.”

The Maze ransomware developers are active on social media sites such as Twitter and familiar with the work of malware researchers, according to McAfee Labs. They also know how to provoke the researchers perfectly and like to play cat and mouse with them, McAfee Labs stated.


1. Maze Operators Threaten To Dump Data From Cyber Insurance Giant

The operators of the Maze ransomware claim to have encrypted the devices on the network of cyber insurance giant Chubb in March 2020, according to BleepingComputer. Maze has not published any of the allegedly stolen data, but have included the email address of executives such as CEO Evan Greenberg, COO John Keogh, and Vice Chairman John Lupica, according to BleepingComputer.

After encrypting victims, BleepingComputer said that Maze will create an entry on its news site as a warning to the victim that if they do not pay, their data will be published. Maze told BleepingComputer last month that they weren’t providing any further details of the Chubb attack at that time.

“We are currently investigating a computer security incident that may involve unauthorized access to data held by a third-party service provider,” Chubb told BleepingComputer in a statement last month. “We are working with law enforcement and a leading cybersecurity firm as part of our investigation. We have no evidence that the incident affected Chubb’s network.”



This article originally appeared at

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © 2018 The Channel Company, LLC. All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?