Cyberattack on IT services giant Cognizant impacts clients

The Maze ransomware group is believed to be responsible for the attack, and it typically blackmails victims by demanding payment to decrypt stolen files.

IT services firm Cognizant suffered a cyberattack on its internal systems by the Maze ransomware group, causing disruption for some of its global clients. The firm said in a statement that its "internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident."

Affected clients have been notified, and Cognizant has provided them with available indicators of compromise and other technical information, the firm said.

Cognizant is one of the largest IT-managed services companies in the world and has close to 300,000 employees and over $15 billion in revenue. It provides IT services to companies in several verticals, including manufacturing, financial services, oil and gas, technology, and healthcare.

Cognizant has been in contact with "the appropriate law enforcement authorities," according to a filing with the U.S. Securities and Exchange Commission (SEC) Monday.

"Although we are in the early stages of assessing this incident, the attack has caused and may continue to cause an interruption in parts of our business and may result in a loss of revenue and incremental costs that may adversely impact our financial results," the filing said.

Managed service providers (MSPs) are frequent targets of ransomware attacks because they provide services to other businesses, and malicious actors exert pressure on them to pay ransom demands quickly.

The Maze hacking group attempts to blackmail its victims by demanding a ransom payment to decrypt files in a company's computer systems and threatening to publish confidential files stolen from those systems unless its demands are met. The group regularly publishes confidential data stolen from companies on internet forums.

To penetrate company defenses, the group uses exploit kits, which contain software designed to attack known software vulnerabilities. The hacking group has also used phishing emails to deliver malware to employees who may be tricked into downloading malicious software.

Cognizant has not disclosed how the attackers were able to access its systems.

Maze has been blamed for extorting a succession of large organizations since last summer, according to security firm Sophos. In addition to stealing information, it is also known for encrypting files to up the ante to get victims to pay up, Sophos said.

"For US companies, a data breach is a big deal [and] brings with it regulatory oversight as well as hefty potential costs if any customer information is found to be part of the stolen data," the firm said. "It's also commercially awkward to admit an attack is causing problems for customers even if the company is far from the only prominent name affected by Maze in recent months."

Cognizant is the latest in a string of victims the Maze ransomware has targeted. In late March, Swiss cyber-insurance company Chubb admitted it had been hit by an unidentified attack. Also last month, UK-based Hammersmith Medicines Research, which was planning to test coronavirus vaccines, was reportedly hit by Maze ransomware.

"Maze has been causing havoc across the IT world since late last year," said Craig Taylor, CISO of managed security services firm Neoscope, and CISO for the city of Portsmouth, NH. "This ransomware is particularly bad because of the data exfiltration aspect of it and the threat of releasing such information on a Maze dark web server. That puts an important twist on ransomware attacks."

Traditional attacks only impact data availability, added Taylor, who is also cofounder of CyberHoot, a cybersecurity training program. "However, this new twist also impacts data confidentiality."

Taylor said he believes the addition of a confidentiality risk will lead more companies attacked by Maze ransomware to pay the ransom. "Strong backups are not sufficient to ignore this threat anymore," he said. "The costs of not paying the ransom have just gone up 10x to possible 100x."

The criminals behind the Maze ransomware attacks reportedly managed to exfiltrate a number of patient records and, while demanding a ransom payment, subsequently published some of them on the dark web, according to HealthcareITNews.

Last December, the FBI issued a private warning about Maze tactics to organizations, Sophos said.

Overall, ransomware attacks have proliferated since the pandemic forced record numbers of people to work remotely, and security teams have been more challenged protecting data due to widely varying setups on home computers, experts say. Software and security company VMware Carbon Black reported that ransomware attacks it monitored jumped 148% in March from the previous month, as governments worldwide curbed movement to slow the spread of the novel coronavirus.
