IT services provider Cognizant hit by 'Maze' ransomware attack

The company says it has informed appropriate law enforcement authorities

Tech services provider Cognizant Technology Solutions (CTS) stated on Saturday that it was hit by a Maze ransomware cyber attack, resulting in service disruptions to some of its clients.

The company said that it was taking appropriate measures to contain the attack and also investigating the security incident with the help of cyber security experts. Appropriate law enforcement authorities have also been informed about the incident, it revealed.

"Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack," the company said on its website.

"We are in ongoing communication with our clients and have provided them with Indicators of Compromise (IOCs) and other technical information of a defensive nature."

The IOCs provided to clients included IP addresses of servers as well as file hashes for the maze.dll, memes.tmp and kepstl32.dll files, which Maze operators have used in their earlier attacks against other entities.

When Maze operators were approached by security blog BleepingComputer about their role in the cyber attack against Cognizant, they denied their involvement.

But the denial does not necessarily mean that the Maze group is not involved in the incident, says Brett Callow, a threat analyst at Emsisoft.

"At this point in time, groups are likely not finding it so easy to extort money from companies as many are financially distressed due to the Covid-19 pandemic," Callow said.

The hackers who deploy Maze ransomware have made headlines in recent months for encrypting computers of a large number of organisations across the world. The group threatens to leak confidential information of organisations that refuse to pay ransom to the group.

Last month, Maze operators claimed that they attacked insurance giant Chubb in March and stole a large amount of personally identifiable information from its systems. In this case, the group did not release any of the stolen data publicly, except the email addresses of some executives.

Earlier in January, Maze operators threatened to release the data stolen from several victims who had refused to pay the ransom. At that time, the group had listed the names of nearly 25 victims on its website, including Busch's Inc., Southwire, BST & Co., MDL, RBC, Lakeland Community College, Bakerwotring, Vernay, Groupe Igrec, BILTON, THEONE, Fratelli Beretta, Groupe Europe Handling, Mitch Co International, Auteuil Tour Eiffel, and Randalegal.

In December, the group published a subset of data stolen from wire and cable manufacturer Southwire after the company refused to cooperate with their $6 million ransom demand.