The latest company to fall victim to a ransomware attack is Cognizant, a large US IT services company which admitted at the weekend that it had fallen victim to Maze.

The three-paragraph statement offers little detail except, perhaps, the most telling:

Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack.

That one word, Maze, hints that the company is already steeling itself to report the ransomware attack as a full-blown data breach.

Maze has been blamed for extorting a succession of large organisations since last summer, and is known for stealing as well as encrypting files in an innovation used by the criminals to increase the pressure on victims to pay up: We’ve scrambled your sensitive files but will also leak them to the world if we don’t get what we want.

For US companies, a data breach is a big deal which brings with it regulatory oversight as well as hefty potential costs if any customer information is found to be part of the stolen data.

It’s also commercially awkward to admit an attack is causing problems for customers even if the company is far from the only prominent name affected by Maze in recent months.

In late March, Swiss cyber-insurance company Chubb admitted it had been hit by an unidentified attack, which some took to confirm an unverified claim by the Maze gang that it had successfully stolen data from the company weeks earlier.

The attackers even, cheekily, justified their actions in a statement that reportedly began:

We want to show that the system is unreliable. The cybersecurity is weak. The people who should care about the security of the information are unreliable. We want to show that nobody cares about the users. […] Now it’s our turn. We will change the situation by making irresponsible companies pay for every data leak.

In January, Naked Security reported on a confirmed Maze attack in December which so annoyed the victim company, cable maker Southwire, that it filed a civil suit against its makers that mentioned the ransom demand of $6 million in Bitcoins.

If these and a series of others credited to Maze in recent weeks serve as a warning, what are they a warning against?

The short answer is a ragbag of tactics that read like a penetration test gone rogue.

That could include known vulnerabilities in any kind of privileged asset such as load balancers to Microsoft Remote Desktop Protocol (RDP) servers. If it can’t reach these directly, there’s always standard phishing attacks and boobytrapped Word attachments to fall back on in the search for a network foothold.

None of this is exactly hard to predict. In December, the FBI even put out a private warning about Maze tactics to US organisations.

The challenge is that today’s successful compromises reflect the security weaknesses that have built up from yesteryear. Companies sometimes suspect that they have weaknesses but simply fail to find them as quickly as the attackers do.

How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defence against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off Remote Desktop Protocol (RDP) if you don’t need it, and use rate limiting, two-factor authentication (2FA) or a virtual private network (VPN) if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.


Beratung Consulting

Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.

Sophos Authorised Partner