Maze operators are back, and apparently with a big bang by targeting one of the largest IT services company in the world, Cognizant.
Maze ransomware operators are known to conduct their attack below the surface and have a reputation of stealing the data first before locking their target systems. They fully understand their victim’s reputational risks, and hence their approach is “steal, lock and inform”. On April 17, the group made a press release as well.
The ransomware group has funded themselves quite well recently, and this is mainly due to:
Successful ransomware attacks due to growth of their affiliates
- Organizations increasingly paying ransomware extortions
- Certain cyber insurance companies negotiate with the ransomware operators and make payments
- Maze typically list their victims on their website, and the group hasn’t mentioned them on their website. This could be due to:
They understand the brand value of this organization and most likely publish them should their negotiations fail. Given the Maze name has been spread all over by Cognizant, it’s is expected the group will confirm it in the next 24–48 hours
It should be noted that when we reached out through our network, they haven’t confirmed it themselves it yet. But this could be due to the ongoing negotiations.
If it’s Maze ransomware, Cognizant should immediately focus on the damage, including data leaks. The group approach is highlighted above. Their past attacks can be viewed here. Some of the indicators of compromise to search for are:
- mazedecrypt.top
- 91.218.114.11
- 91.218.114.25
- 91.218.114.26
- 91.218.114.31
- 91.218.114.32
- 91.218.114.37
- 91.218.114.38
- 91.218.114.4
- 91.218.114.77
- 91.218.114.79
- An organization can also consider deploying a Yara Rule search as well for “DECRYPT-FILES.txt”
Cyble is continually monitoring any further deepweb activity to confirm new data leakage. We regularly inform our retail consumers through our service AmIbreached.com. In the last 24 hours, we have seen a movement in the darkweb, especially with data breaches. We have identified new, unreported data breaches on the following website (unrelated to Maze, and acted by a Russian-hacking group):
- arobs.com — Romanian IT solution provider of ready-to-use systems and tailor-made software based on the latest technologies
- bookchor.com — Online bookstore for buying used books, second-hand books, old books, textbooks in India
- c-k.com — Second largest independent advertising creative agency in the U.S. known for integrated campaigns for clients such as Corona, Porsche, Hilton and Panera Bread
- cbgmadison.com — Informational network of commercial real estate professionals in the greater Madison, Wisconsin area
- devex.com — Media platform for the global development community.
- eidicom.com — Spanish multinational specialized in electronic invoicing and EDI
We will be likely to be publishing another 100+ unreported data breaches tomorrow on our medium channel.
About Cyble:
Cyble Inc.’s mission is to provide organizations with a real-time view of their supply chain cyber threats and risks. Their SaaS-based solution powered by machine learning and human analysis provides organizations’ insights to cyber threats introduced by suppliers and enables them to respond to them faster and more efficiently.
Cyble strives to be a reliable partner/facilitator to its clients allowing them with unprecedented security scoring of suppliers through cyber intelligence sourced from open and closed channels such as OSINT, the dark web and deep web monitoring and passive scanning of internet presence. Furthermore, the intelligence clubbed with machine learning capabilities fused with human analysis also allows clients to gain real-time cyber threat intel and help build better and stronger resilience to cyber breaches and hacks. Due to the nature of the collected data, the company also offer threat intelligence capabilities out-of-box to their subscribers.