MAZE RANSOMWARE ATTACKS

Priority: High

Executive Summary: Cognizant, an IT services provider based in the US, has confirmed it has fallen victim to the Maze ransomware. Their statement was released over the weekend (Saturday 18th April), confirming that the security incident had caused disruption to some of their customers, and was followed by an update on Sunday 19th April to confirm that they had been in contact with affected customers, providing Indicators of Compromise (IoCs) and other technical data to aid in defence [1, 2]. No information has been released regarding the amount of customer data or number of systems which have been affected, though Cognizant’s initial statement did specify that the attack had affected their internal systems.

In a Bleeping Computer article, the group responsible for Maze ransomware denied responsibility for the attack [3]. However, the group have historically been reluctant to discuss ongoing attacks until they are sure that no ransom will be paid, so it may yet be too early for the group to claim responsibility.

Maze ransomware attacks differ from typical ransomware attacks in that sensitive data is first copied from the victim's network and is retained for further leverage; the group will threaten to publicly release the sensitive data if no ransom is paid. These tactics are now commonly used by ransomware groups, due to their effectiveness in pressuring organisations to pay ransoms. This is a problem for organisations that can otherwise recover from a ransomware attack through backup systems, as they are likely to have their sensitive data exposed to the Internet for not paying the ransom [4].

If the attack was carried out by the Maze ransomware group, there is a distinct possibility the attackers had maintained a presence in Cognizant’s network for an extended period, stealing data before finally deploying their ransomware. There is some speculation that the initial compromise was not the work of the Maze ransomware group, but rather another party who are reported to have been selling access to an unnamed “major IT provider” for $200,000 around one week before the Maze intrusion had been revealed. It is not currently possible to confirm or refute whether these events are related [5].

Maze ransomware has historically relied on prior compromise of the victim’s network, with researchers seeing the use of exploit kits such as Fallout and Spelevo, as well as insecure remote desktop connections and weak user credentials being exploited prior to the ransomware’s deployment.

Detect: Maze can be difficult to detect until it’s too late, given the preferred method of deployment; the Maze ransomware group will seemingly exploit any vulnerability to first gain a foothold before stealing data and deploying the ransomware, but known attack vectors include compromised RDP sessions, weak user credentials, and email impersonation, followed by use of the Fallout or Spelevo exploit kits.

The Maze ransomware uses RSA-2048 and ChaCha20 encryption. Victims will notice a ransom note in a file named ‘DECRYPT-FILES.html’ in each directory containing encrypted files. The note will state clearly that the ransomware used is Maze, and the victim will be instructed to contact the attackers via email.

Upon execution, the ransomware will scan to find files to encrypt, before appending a random file extension to encrypted files. It also attempts to connect to various websites over port TCP/80 for Command and Control (C2) communications. Maze will invoke wmic.exe in an attempt to delete shadow copies of encrypted files.
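The behaviours described above (the 'DECRYPT-FILES.html' note in each affected directory and wmic.exe being used against shadow copies) can be turned into a simple host-level check. The following is an added example, not part of the original advisory or any vendor tooling: the event tuple format, host names, sample events and the directory threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

RANSOM_NOTE = "decrypt-files.html"  # note file name given in the advisory
NOTE_DIR_THRESHOLD = 3              # assumed: distinct directories per host before alerting

# Constructed sample events (host, event type, detail); not real telemetry.
SAMPLE_EVENTS = [
    ("ws-014", "process", r"C:\Windows\System32\wbem\wmic.exe shadowcopy delete"),
    ("ws-014", "file_create", r"C:\Users\alice\Documents\DECRYPT-FILES.html"),
    ("ws-014", "file_create", r"C:\Users\alice\Desktop\DECRYPT-FILES.html"),
    ("ws-014", "file_create", r"D:\Shares\Finance\DECRYPT-FILES.html"),
    ("ws-022", "process", r"C:\Windows\System32\wbem\wmic.exe os get caption"),
    ("ws-022", "file_create", r"C:\Users\bob\Downloads\report.html"),
]

# wmic invoked with both "shadowcopy" and "delete" on the command line.
WMIC_SHADOW_DELETE = re.compile(
    r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE
)


def detect(events):
    """Return {host: sorted alert names} for hosts showing the described behaviour."""
    alerts = defaultdict(set)
    note_dirs = defaultdict(set)
    for host, kind, detail in events:
        if kind == "process" and WMIC_SHADOW_DELETE.search(detail):
            alerts[host].add("wmic_shadowcopy_delete")
        elif kind == "file_create":
            path = PureWindowsPath(detail)
            if path.name.lower() == RANSOM_NOTE:
                # Track distinct directories: one stray file is weak evidence,
                # the same note appearing across many directories is not.
                note_dirs[host].add(str(path.parent).lower())
    for host, dirs in note_dirs.items():
        if len(dirs) >= NOTE_DIR_THRESHOLD:
            alerts[host].add("ransom_note_spread")
    return {host: sorted(names) for host, names in alerts.items()}


if __name__ == "__main__":
    for host, names in detect(SAMPLE_EVENTS).items():
        print(host, names)
```

By the time the note appears, encryption is already under way, so the shadow-copy alert is the more useful of the two for triggering host isolation.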

Researcher Vitali Kremez published a Yara rule to detect the Maze ransomware, which can be found here: https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-04-18-maze-ransomware-unpacked-payload.vk.yar

File information:
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: f83fb9ce6a83da58b20685c1d7e1e546
SHA256: e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684

Further details of indicators and behaviour can be found at https://www.virustotal.com/gui/file/e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684/detection.

Affected Products: Maze ransomware attacks target Windows operating systems in general; no particular build or version is specifically vulnerable.

Prevent: Given the way in which Maze ransomware is deployed, and the additional tactic of data exfiltration, no specific instructions can be given to defend against a Maze attack. However, the Maze ransomware group favour traditional attack vectors to gain an initial foothold, so ensuring secure configuration and regular patching of operating systems and software, in line with manufacturer recommendations, is crucial and will go a long way to protecting against a Maze attack. Ensure systems are in place to detect and quarantine unauthorised applications when they are downloaded or executed. While data backups will not protect against the release of data upon refusal to pay a ransom, they will allow rapid data recovery and should still be maintained and monitored.

React: Ensure antivirus solutions are updated and monitor for indicators of compromise; in particular monitor for events associated with the Fallout and Spelevo exploit kits, or an increase in file access activity, including data being transferred out of your network. Confirm your backup policies are functioning as expected and provide suitable data recovery capability.

Sources:
[1] https://www.theregister.co.uk/2020/04/21/cognizant_maze_malware/
[2] https://threatpost.com/maze-ransomware-cognizant/154957
[3] https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/
[4] https://www.bleepingcomputer.com/news/security/maze-ransomware-not-getting-paid-leaks-data-left-and-right/
[5] https://twitter.com/underthebreach/status/1251605359409664005