What You Need to Know About the Cognizant Maze Ransomware Attack

Imagine writing an important work email and suddenly losing access to everything. Or receiving a vicious error message demanding bitcoin to decrypt your computer. There can be many different scenarios, but one thing remains the same for all ransomware attacks—the attackers always provide instructions on how to get your access back. Of course, the only catch is that you must first provide a hefty amount of ransom upfront.

A devastating type of ransomware known as the “Maze” is making the rounds in the world of cybersecurity. Here’s what you need to know about Cognizant Maze ransomware.

What is the Maze Ransomware?

Maze ransomware is a Windows strain distributed through spam emails and exploit kits. It demands hefty sums in bitcoin or other cryptocurrency in return for decrypting the victim's data and returning what was stolen.

The emails arrive with seemingly innocent subject lines like “Your Verizon bill is ready to view” or “Missed package delivery” but originate through malicious domains. Rumor has it that Maze is affiliate-based ransomware operating through a network of developers that share profits with different groups that infiltrate into corporate networks.

To come up with strategies to protect and limit exposure from similar attacks, we should reflect on the Cognizant Maze…

The Cognizant Maze Ransomware Attack

In April 2020, Cognizant, a Fortune 500 company and one of the biggest global providers of IT services, became a victim of the vicious Maze attack that caused immense service disruptions across the board.

Due to the deletion of internal directories carried out by this attack, several Cognizant employees suffered from communication disruptions, and the sales team was left baffled with no way to communicate with clients and vice versa.

The fact that the Cognizant data breach happened when the company was transitioning employees to work remotely due to the Coronavirus pandemic made it more challenging. According to the report by CRN, the employees were forced to find other means to contact coworkers due to the lost email access.

“Nobody wants to be dealt with a ransomware attack,” said Cognizant CEO, Brian Humphries. “I personally don’t believe anybody is truly impervious to it, but the difference is how you manage it. And we tried to manage it professionally and maturely.”

The company quickly stabilized the situation by enlisting the help of leading cybersecurity experts alongside its internal IT security teams. The Cognizant cyberattack was also reported to law enforcement agencies, and Cognizant clients were provided with constant updates on the Indicators of Compromise (IOCs).

However, the company did incur substantial financial damages due to the attack, amassing up to a whopping $50-$70 million in lost revenue.

Why Is Maze Ransomware a Double Threat?

As if being hit by ransomware weren’t bad enough, the inventors of the Maze attack threw in an extra twist for victims to contend with. A malicious tactic known as “double extortion” accompanies a Maze attack: victims are threatened with a leak of their stolen data if they refuse to cooperate and pay the ransom.

This notorious ransomware is rightly called a “double threat” because, apart from cutting off network access for employees, it also exfiltrates a copy of the network's data and uses it as leverage to pressure victims into paying.

Unfortunately, the pressure tactics by the Maze creators do not end here. Recent research has indicated that TA2101, a group behind the Maze ransomware, has now published a dedicated website that lists all their non-cooperative victims and frequently publishes their stolen data samples as a form of punishment.

How To Limit Maze Ransomware Incidents

Mitigating and eliminating the risks of ransomware is a multi-faceted process where various strategies are combined and customized based on each user case and the risk profile of an individual organization. Here are the most popular strategies that can help stop a Maze attack right in its tracks.

Enforce Application Whitelisting

Application Whitelisting is a proactive threat mitigation technique that allows only pre-authorized programs or software to run while all the others are blocked by default.

This technique helps immensely in identifying illegal attempts to execute malicious code and aids in preventing unauthorized installations.

Patch Applications and Security Flaws

Security flaws should be patched as soon as they are discovered to prevent manipulation and abuse by attackers. Here are the recommended timeframes for applying patches promptly based on the severity of the flaws:

  • Extreme risk: within 48 hours of a patch being released.
  • High risk: within two weeks of a patch being released.
  • Moderate or low risk: within one month of a patch being released.

Configure Microsoft Office Macro Settings

Macros are used to automate routine tasks but can sometimes be an easy target for transporting malicious code into a system or computer once enabled. The best approach is to keep them disabled if possible or have them assessed and reviewed before using them.

Employ Application Hardening

Application Hardening is a method of shielding your applications by applying extra layers of security that protect them from tampering and theft. Java applications are particularly prone to security vulnerabilities and can be used by threat actors as entry points, so it is imperative to safeguard your network by applying this methodology at the application level.

Restrict Administrative Privileges

Administrative privileges should be handled with an abundance of caution, as an admin account has access to everything. Always apply the Principle of Least Privilege (POLP) when setting up access and permissions, as that can be an integral factor in mitigating the Maze ransomware or any cyberattack for that matter.

Patch Operating Systems

As a rule of thumb, any applications, computers, and network devices with extreme risk vulnerabilities should be patched up within 48 hours. It is also vital to ensure only the latest versions of operating systems are being used and avoid unsupported versions at any cost.

Implement Multi-Factor Authentication

Multi-Factor Authentication (MFA) adds an extra layer of security by requiring more than one form of verification (for example, a password plus a code from an authorized device) to log in to remote access solutions, online banking, or any other privileged action that involves sensitive information.

Secure Your Browsers

It is important to ensure that your browser is always updated, pop-up ads are blocked, and your browser settings prevent the installation of unknown extensions.

Verify if the websites you are visiting are legit by checking the address bar. Just remember, HTTPS is secure while HTTP is considerably less so.


Employ Email Security

The main method of entry for the Maze ransomware is via email.

Implement multi-factor authentication to add an extra layer of security and set expiration dates for passwords. Also, train yourself and staff to never open emails from unknown sources or at least not download anything like suspicious attachments. Investing in an email protection solution ensures the safe transmission of your emails.

Make Regular Backups

Data backups are an integral part of a disaster recovery plan. In the event of an attack, restoring a known-good backup lets you recover the original data without having to decrypt the copies the attackers encrypted. It is a good idea to set up automated backups and to create unique, complex passwords for your employees.

Pay Attention To Affected Endpoints and Credentials

Last but not least, if any of your network endpoints have been affected by the Maze ransomware, you should quickly identify all the credentials that were used on them. Assume that every such endpoint was reachable by, and possibly compromised by, the attackers. The Windows Event Log will come in handy for analyzing post-compromise logons.
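As an added example (not from the original article), the following Python script shows the kind of post-compromise logon analysis described above, run over a constructed sample of Windows Security log 4624 (successful logon) records: it lists every account that logged on to an affected host after the assumed compromise time, flags those whose logon type leaves reusable credentials on the host, and shows where else those accounts went. The host names, account names, IPs and timestamps are invented.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of Event ID 4624 records, reduced to the fields needed here.
# Invented data for illustration, not records from the Cognizant incident.
SAMPLE_EVENTS = [
    {"time": "2020-04-17T08:02:00", "host": "WS-FIN-01",   "user": "jdoe",       "logon_type": 2,  "src_ip": "-"},
    {"time": "2020-04-17T09:15:00", "host": "WS-FIN-01",   "user": "svc_backup", "logon_type": 3,  "src_ip": "10.0.0.5"},
    {"time": "2020-04-17T09:40:00", "host": "WS-FIN-01",   "user": "da_admin",   "logon_type": 10, "src_ip": "10.0.0.9"},
    {"time": "2020-04-17T10:05:00", "host": "SRV-FILE-02", "user": "da_admin",   "logon_type": 3,  "src_ip": "10.0.1.20"},
    {"time": "2020-04-17T10:30:00", "host": "DC-01",       "user": "da_admin",   "logon_type": 3,  "src_ip": "10.0.1.20"},
    {"time": "2020-04-17T11:00:00", "host": "WS-HR-07",    "user": "svc_backup", "logon_type": 3,  "src_ip": "10.0.0.5"},
    {"time": "2020-04-16T17:00:00", "host": "SRV-FILE-02", "user": "pwhite",     "logon_type": 2,  "src_ip": "-"},
]

AFFECTED_HOSTS = {"WS-FIN-01", "SRV-FILE-02"}                   # endpoints known to be hit
COMPROMISE_TIME = datetime.fromisoformat("2020-04-17T09:00:00")  # earliest sign of intrusion;
                                                                 # widen backward if uncertain
# Logon types that leave reusable credential material on the target host:
# 2 = Interactive, 4 = Batch, 5 = Service, 10 = RemoteInteractive (RDP).
CRED_CACHING_TYPES = {2, 4, 5, 10}

def exposed_credentials(events, affected, since):
    """Accounts that logged on to an affected host at or after `since`,
    mapped to the logon types observed. Treat every one as exposed."""
    exposed = defaultdict(set)
    for ev in events:
        if ev["host"] in affected and datetime.fromisoformat(ev["time"]) >= since:
            exposed[ev["user"]].add(ev["logon_type"])
    return dict(exposed)

def follow_on_logons(events, affected, since, accounts):
    """Other hosts the exposed accounts logged on to after `since`: candidate
    lateral movement and the next set of endpoints to bring into scope."""
    spread = defaultdict(set)
    for ev in events:
        if (ev["user"] in accounts and ev["host"] not in affected
                and datetime.fromisoformat(ev["time"]) >= since):
            spread[ev["user"]].add(ev["host"])
    return dict(spread)

if __name__ == "__main__":
    exposed = exposed_credentials(SAMPLE_EVENTS, AFFECTED_HOSTS, COMPROMISE_TIME)
    for user, types in exposed.items():
        action = "reset password, revoke sessions" if types & CRED_CACHING_TYPES else "reset password"
        print(f"{user}: logon types {sorted(types)} -> {action}")
    for user, hosts in follow_on_logons(SAMPLE_EVENTS, AFFECTED_HOSTS, COMPROMISE_TIME, exposed).items():
        print(f"{user} also logged on to {sorted(hosts)} -> add to investigation scope")
```

On a real system the same fields can be pulled from the Security log with Get-WinEvent or exported to CSV first; the logic above only depends on time, host, account and logon type.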


Dazed about the Cognizant Maze Attack?

The Cognizant breach left the IT solutions provider scrambling to recuperate from immense financial and data losses. However, with the help of top cybersecurity experts, the company quickly recovered from this vicious attack.

This episode proved just how dangerous ransomware attacks can be.

Besides the Maze, there’s a plethora of other ransomware attacks carried out by vicious threat actors daily. The good news is, with due diligence and stringent security practices in place, any company can easily mitigate these attacks before they strike.

Source: makeuseof.com
