Maze Ransomware

Figure: Statement published on Cognizant’s website

Though this statement does not reveal specific technical details, given the nature of Maze ransomware, this can be considered a full-fledged data breach. The company has stated that it has provided Indicators of Compromise (IOCs) and other technical information to its clients.

Just another ransomware, or is Maze unique?

This ransomware was first discovered in 2019 and has continued to make headlines by targeting high-profile organizations such as Southwire, a Georgia-based cable maker company; Chubb, a Swiss cyber-insurance company; and even cities like the city of Pensacola, FL.
Southwire went on to file a civil suit against the makers of this ransomware. The civil suit mentions a ransom demand of $6 million. Though Chubb admitted that it was hit by an unidentified attack, some researchers confirmed that the attackers were successful in stealing data from the Chubb servers a few weeks before the company confirmed the incident.
Maze differentiates itself from other ransomware variants through a tactic called “double extortion.” A generic ransomware variant is believed to encrypt the files and ask for ransom. This ransomware does not only ask for ransom after encrypting the stored files, but it also threatens to leak the compromised data if the ransom demands are not fulfilled.

Or, in the words of the attackers themselves,

“We’ve scrambled your sensitive files but will also leak them to the world if we don’t get what we want.”

In November 2019, when Allied Universal, an American security staffing company, refused to pay the demanded ransom of 300 Bitcoins ($2.3 million approximately), the attackers threatened to use sensitive information, email addresses, and domain name certificates in a spam campaign impersonating the company. According to a Threat Post report, the group behind the Maze ransomware is identified as TA2101. The said group has set up a webpage that contains a list of their non-cooperative victims. On this web page, they publish samples of stolen data, regularly.

As a security professional or decision-maker, should you be worried?

For companies based out of the US or the EU, a data breach is a serious incident as it brings regulatory oversight. At the same time, the company is liable for hefty fines if customer data is involved in the stolen data. Even if the attackers cannot reach a company’s privileged assets such as load balancers to their Microsoft RDP servers, the good-old techniques of phishing attacks with malicious links or email attachments, and drive-by downloads will still work.
Often, we have seen that successful security attacks involve weaknesses or vulnerabilities that have been discovered in the recent past. A company might suspect that there is a vulnerability in their IT infrastructure, but the real challenge lies in identifying such vulnerabilities before the attackers do. This is where BreachLock comes in and helps a business in finding and fixing their vulnerabilities to avoid a possible cybersecurity breach.
The attackers have not yet threatened Cognizant to publish their data; however, using stolen data as a bargaining tool is the typical behavior of cyber attackers using ransomware as their preferred technique. To minimize the damages, it is recommended that affected companies must treat such incidents as data breaches.

Preventing ransomware: 5 golden rules

1. Implement a strong password policy within your organization that prescribes minimum requirements for a password. Also, send regular reminders to your employees for updating their password.
2. Take regular backups of organizational data. Backups can be taken in the cloud or dedicated local storage. They serve as a strong line of defense for your organization against a 6-figure ransomware demand.
3. Many ransomware variants have exploited unpatched vulnerabilities in target systems. Implement a vulnerability management process that includes periodic vulnerability assessment and patch management so that vulnerabilities and identified and patches are installed across the organization, promptly. Having a penetration testing platform, such as BreachLock, helps organizations in performing automated vulnerability scans and penetration tests.
4. Weak RDP credentials are often exploited to launch targeted ransomware attacks. If the protocol is not required, turn it off. Use two-factor authentication (2FA) along with a virtual private network (VPN) if RDP is necessarily required.
5. Train your employees on good security etiquette. The training should cover finding trusted sources, checking the authenticity of emails, and other techniques to recognize various types of social engineering attacks. (We will be covering this point in detail in our next article).

Ransomware attacks, including Maze, though have unique signatures, but they rarely rely on highly sophisticated methods. The attackers intend to exploit known vulnerabilities as most organizations, whether big or small, either fail to identify or fail to mitigate an identified vulnerability on priority due to perceived complexity around the vulnerability management process. It has been BreachLock’s mission to remove the perceived complexities in the entire process with our unique approach and a highly intuitive SaaS platform that helps our clients in managing their entire vulnerability management lifecycle through a few clicks. BreachLock helps our clients by:

• Providing attack remediation support early in the attack cycle without requiring expert analysis or machine learning
• Protecting application workflows, file systems, processes, memory, libraries, and more during runtime
• Detecting threats based on behavioral anomalies due to malicious code, files, remote hackers, and trusted processes, irrespective of where an attack originates

As ransomware attacks become more frequent and widespread, organizations and security providers need to stand up to the challenge with innovative ways to make security easy to integrate.