Maze: The information technology services company Cognizant has announced that they are the most recent victim of the Maze Ransomware. According to Cognizant, the attack took place on Friday night, April 17th. The company quickly notified customers and included a “preliminary list of indicators of compromise (IOCs)” which included IP addresses and file hashes for keptl32.dll, memes.tmp, maze.dll, as well as a new unnamed file. Bleeping computer reached out to Maze for a comment, however, Maze is currently denying involvement in the attack. According to a follow-up statement from Cognizant, both their internal security term and an external security firm confirmed that the attack was the result of Maze ransomware.
Analyst Notes
Maze, like several other ransomware operators, will not typically discuss their victims publicly during the negotiation process. Many have assessed that this is in an effort to minimize the impact of outside factors on the negotiations. Maze will typically infiltrate an organization and attempt to operate without being detected for up to several weeks while they carry out reconnaissance activity and work to gain administrator-level access. It is recommended that organizations ensure that the Remote Desktop Protocol (RDP) and other remote access services are properly secured with a multi-factor authentication Virtual Private Network (VPN) as a means of defending against Maze’s typical Tactics, Techniques, and Procedures (TTPs.) It is also recommended that security teams use Endpoint Detection and Monitoring (EDR) tools or Managed Detection and Response (MDR) services to look for attacker behavior on endpoints from user accounts that are logged in through remote access. More information on this incident can be found at https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/
