The “ChaCha ransomware”, more recently known as the Maze ransomware, was first discovered on 29th May, 2019 by Jerome Segura, an author at Malwarebytes who also works there as the lead malware intelligence analyst. The reason the Maze ransomware is being discussed in today’s article is its recent attack on the US-based IT services giant Cognizant.
Briefing on Maze
The main goal of the Maze ransomware is to encrypt all the files it is able to find on the victim’s system and then demand a ransom to recover those encrypted files from the helpless user. The most significant characteristic of this ransomware is that the authors of the malware personally threaten the victim with releasing all of the user’s information on the internet in case the victim refuses to pay the demanded ransom.
Thus, it becomes a problem for big tech giants like Cognizant in our case, which can suffer tremendous losses if their confidential information and related data are released online. This threat is not an idle one: the files of one such company were indeed released on the internet when it refused to pay heed to the threats. Although the company sued, the damage from the losses was already done. Such behaviour is growing among ransomware operators and is now prominent in other recent ransomware families such as Sodinokibi, Nemty, Clop and many others.
The below figure shows the telemetry map of Maze Infections in the world.
The Attack on Cognizant
The IT services giant Cognizant confirmed that its systems were disrupted by a Maze ransomware attack that took place on Friday evening. The cyberattack, according to the company, has caused several service disruptions.
Cognizant is a Fortune 500 company with 300,000 employees worldwide. It is worth noting that, in the wake of such cases at big companies like these, a lot of formalities need to be completed in order to assure customers of their safety and keep their confidence in the company. Cognizant in this case had to issue IoCs (Indicators of Compromise) to its customers along with other technical details of the attack.
The company statement read: “Our internal security teams, supplemented by leading cyber-defense firms, are actively taking steps to contain this incident”. How Cognizant was attacked by the ransomware has not yet been publicly declared by the company, but this latest attack on an IT service provider shows that the gang behind Maze is not going to back down so easily.
It seems that the hackers behind this attack have not yet threatened to publish the company’s confidential data online, but things could get worse if the attackers start to leverage the data as a bargaining tool against the company. It is therefore necessary for companies like these to treat such incidents as data breaches.
If you are wondering how the ransomware actually looks on an infected system, we have explained it below with relevant images.
1. As soon as the ransomware infects the system, a webpage for making the payment requested by the attackers is presented as the ransom note. The attackers state a price and also verify that all the information is correct.
2. The Maze ransomware has evolved to the extent that it also houses a chat function to contact the operators and receive information on obtaining the cryptocurrency required to make the payment to them. Cryptocurrency is used so that the transaction is completely anonymous, thanks to blockchain technology. Also, like many other ransomware families, Maze offers the victim three trial decryptions for free so that the victim is assured that it isn’t a scam and that their data is genuinely compromised.
The IT industry is a very competitive one. When one tech giant gets affected, smart companies should take the cue that they too could be next. This has made Cognizant’s peers such as TCS, Infosys, Wipro and many other Indian IT giants nervous. The attack has put Indian giants on alert to continuously monitor their own systems.
The IT industry has already said that the Maze ransomware attack will have a big impact on the company’s revenue and operations in the coming year. One significant reason for such ransomware attacks could be working from home on unsecured networks, but IT giant Infosys denies such claims. Other attack vectors such as phishing and malware also pose a great risk when working from home. No doubt cyber criminals have become more productive and active during the coronavirus lockdown.
How are IT giants tackling this disaster?
IT giant TCS has shifted from the concept of ODCs (Offshore Development Centers) to SBWS (Secure Borderless Workspaces). Along with the previous measures, it is also looking into solutions whereby the company can help its employees work from home without compromising on security. The Maze ransomware may be just a year old, but it has already done considerable damage to businesses and governments. To put this in perspective, the graph below shows the amount of ransom paid to such malware operators.
Maze is a ransomware created by skilled developers. It uses a lot of tricks to make analysis very complex, such as disabling disassemblers and defeating pseudocode plugins. It poses a big problem to individuals and enterprises that do not pay, as the developers threaten to release the information if they do not receive payment, and they do indeed keep their word on that. More and more ransomware families are exhibiting the same behaviour, and we expect to see more of it this year and perhaps further into the future too.
The malware developers are active on social media sites such as Twitter, and they are familiar with the work of malware researchers. They also know how to provoke them perfectly and like to play cat and mouse with them.
We recommend making periodic backups of files, keeping them isolated off the network, and keeping antivirus software always up to date. The latest software patches should also be applied. Remote Desktop connections that are not needed should be avoided. Avoid suspicious emails and do not open attachments that come from anyone you do not know. The same goes for links in emails: even if they come from a known source, check with the sender if you have any doubts. Also, disable macros in Office programs and never enable them unless it is essential to do so.
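To turn the recommendations above into something a Windows administrator can actually check, here is an added, read-only audit script in PowerShell. It is not code from the original article or from any of the companies mentioned; it only reads standard Windows and Office settings and reports which of the listed mitigations are not in place. Assumptions are marked in the comments: the Office registry path uses version "16.0" (Office 2016/2019/365) and the backup share name is a placeholder.

```powershell
# Added example (not from the original article): audit the recommended
# mitigations on a Windows host. Read-only; it changes nothing.
# ASSUMPTIONS: Office version key "16.0"; the backup share path is a placeholder.

$findings = @()

# 1. Remote Desktop. fDenyTSConnections = 1 means RDP is disabled.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($null -eq $rdp -or $rdp.fDenyTSConnections -ne 1) {
    $findings += 'Remote Desktop is enabled; disable it if this host does not need it.'
}

# 2. Office macros. VBAWarnings: 1 = enable all, 2 = disable with notification,
#    3 = disable except digitally signed, 4 = disable all without notification.
#    Anything below 3 lets a user click through and run a macro.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"   # assumed Office version
    $vba = Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue
    if ($null -eq $vba -or $vba.VBAWarnings -lt 3) {
        $findings += "$app macros are not disabled (VBAWarnings missing or below 3)."
    }
}

# 3. Antivirus freshness. Flags Microsoft Defender signatures older than 7 days;
#    if Defender is not the AV in use, the cmdlet returns nothing and we say so.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    $findings += 'Microsoft Defender status unavailable; confirm another antivirus is running and updated.'
} elseif ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
    $findings += "Antivirus signatures last updated $($mp.AntivirusSignatureLastUpdated); update them."
}

# 4. Patching. Report if no Windows update has been installed in the last 30 days.
$lastHotfix = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($null -eq $lastHotfix -or $lastHotfix.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += 'No Windows update installed in the last 30 days.'
}

# 5. Backup isolation. A backup share that stays mapped on the workstation is
#    reachable by ransomware running as the user; it should only be connected
#    while a backup job runs.
$backupRoot = '\\BACKUPSERVER\backups'   # placeholder, replace with your own share
$mapped = Get-SmbMapping -ErrorAction SilentlyContinue |
          Where-Object { $_.RemotePath -like "$backupRoot*" }
if ($mapped) {
    $findings += 'Backup share is persistently mapped on this host; keep it disconnected between backup runs.'
}

if ($findings.Count -eq 0) {
    'All audited mitigations are in place.'
} else {
    "Findings:`n - " + ($findings -join "`n - ")
}
```

Run it in an elevated PowerShell session on each workstation (or through your endpoint management tool) and treat every finding as a ticket. The macro check reads the per-user key; if macros are enforced by Group Policy, the equivalent value lives under `HKCU:\Software\Policies\Microsoft\Office\16.0\<app>\Security` and takes precedence, so extend the loop to that path as well when you rely on policy.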