The IT services firm Cognizant experienced a ransomware attack over the weekend that has affected its internal systems and has caused some disruption for its clients. The Fortune 500 firm is one of the largest IT services providers in the world, with more than a quarter of a million employees and revenues in excess of $16.8 billion in 2019. Cognizant has a diverse range of clients that include several Fortune 500 firms, along with many banks, healthcare providers, pharmaceutical companies, educational organizations, retail firms, manufacturers, and communications, media, and technology companies.
Few details about the nature and extent of the ransomware attack have been released at this stage, and it is unclear how many of the firm’s clients have been affected. The New Jersey firm did issue a statement saying its clients are experiencing some service disruption as a result of the Maze ransomware attack. “Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident,” said Cognizant. “The integrity and availability of our systems are of paramount importance to Cognizant and we are working diligently to minimize any disruptions.”
The company has notified law enforcement about the attack and has shared indicators of compromise (IoCs) that could be used by others to identify and defend against future attacks.
The Maze ransomware gang is known to use a variety of techniques to attack victims, but it is currently unclear which method was used to attack Cognizant. The Maze gang conducts manual ransomware attacks: the attackers first gain access to systems, then move laterally before deploying the ransomware payload. Prior to encrypting files, the Maze ransomware gang exfiltrates data and threatens to release that data publicly if the ransom is not paid.
In what is believed to be a first for a threat group, the Maze gang issued a press release stating that it will not be attacking healthcare organizations that are on the front line in the fight against COVID-19; however, attacks on other companies are continuing.
The Maze ransomware gang has not yet published any Cognizant data on its website and has denied conducting the attack; however, independent security researchers have confirmed that the IP addresses and infrastructure used in the attack are associated with the Maze gang and have been used in several attacks for which the threat actors have taken credit.