Cognizant Left With ‘No Good Options’ After Maze Attack: Security Expert

‘If they do pay, all they’ll get is a pinky promise from the criminals that the data won’t be used, but why would a criminal enterprise ever delete data that they may be able to monetize?’ says Brett Callow, a threat analyst at Emsisoft.

With the insidious Maze ransomware, victims can no longer hit “reset” on their backup and recovery systems and ignore the criminal’s demand for cash because the virus exports the victim’s data to the attacker, giving cybercriminals a great deal of leverage, security analysts told CRN.

“Ransomware attacks used to be about encrypting the victim’s data,” said Brett Callow, a threat analyst with Emsisoft, a New Zealand-based maker of anti-malware and anti-virus software. “They now steal a copy of it as well. That trend was started by Maze at the tail end of last year, but multiple other groups have now hopped on that bandwagon. If the victims do not pay, they publish the data.”

Solution provider Cognizant was hit over the weekend by Maze, which not only attacked the $16 billion company, but also some of its customers. Cognizant said its own internal security force was augmented by outside security contractors. The company said it has also contacted federal authorities. On Monday, a spokesman for Cognizant said the company had no statement beyond what the firm released on Saturday.

“It’s a very bad state of affairs for the victims,” Callow said. “A company that is attacked in this way really has no good options available to it. If they don’t pay the ransom their data will almost certainly be published. If they do pay, all they’ll get is a pinky promise from the criminals that the data won’t be used, but why would a criminal enterprise ever delete data that they may be able to monetize?”

Victims have to fear not only the exposure of sensitive internal documents to the public and to competitors, but also fines from the government if the exposed data contains personally identifiable information. That exposure is significant in the case of Cognizant, which has 295,000 employees and operates in 37 countries. Cognizant works in several industries with protection requirements around data. Information in the company's network is subject to General Data Protection Regulation (GDPR), California’s Consumer Privacy Act, HIPAA, and others, according to Cognizant's 10-K filing.

Indeed, Cognizant warned investors in its most recent 10-K filing that a cyberattack could “harm our reputation and expose us to regulatory actions, client attrition, remediation expenses, disruption of our business, and claims brought by our clients or others for breaching contractual confidentiality and security provisions or data protection laws. Monetary damages imposed on us could be significant and not covered by our liability insurance.”

Previous Maze victims have indeed had data exposed, Callow said.

“Maze past victims include the city of Pensacola (Fla.), the government of Prince Edward Island, multiple law firms, a mortgage broker, accountants, multiple health care providers, and various other businesses,” Callow said. “Data was published in each of those cases.”

He said it included tax returns that were taken from a mortgage broker, health care records, and even details of a veteran’s PTSD claims, which were stolen from a law firm.

“They have always had the ability to steal data. The fact that crooks would eventually realize that they could monetize the stolen data was something of an inevitability,” Callow said. “After it was successful with Maze, multiple other groups followed their lead.”

While Maze started the trend in December last year, other ransomware campaigns including REvil, DoppelPaymer, Ragnar Locker, and Nefilim have adjusted strategy to follow suit.

“It has been picking up steam ever since,” Callow said. “It places the need more on protection and prevention than simply on restoration. In the past, it was said that backups were the best protection against threats, but that’s no longer the case … they will not help in a case where data has been stolen.”

Cognizant’s core businesses are split four ways with 35 percent of its business in financial services, 28 percent in health care, 14 percent in communications and media, and 22 percent in products, which has numerous customers in retail, travel, hospitality, energy, utility, and logistics.

Cognizant, which competes with the likes of Accenture, Atos, Capgemini, and Wipro, has not said which customers or how many were hit with Maze ransomware. A year ago, Wipro was also the victim of a ransomware attack. The company’s stock traded down 2.31 percent, at $52.56 yesterday afternoon, off $1.25.

Cognizant CEO Brian Humphries recently told investors that when it holds an earnings call on May 7, first quarter revenue is expected to come in between $4.22 billion and $4.23 billion, about 2.9 percent up, year over year.

Humphries said, however, that there have been broad-based declines in retail, consumer goods, travel, hospitality, media and entertainment, as well as disruptions in the financial services businesses which serve those industries. He said Cognizant expects a “meaningful economic slowdown” to reduce client demand during the remainder of 2020.

Last year, the company was dinged by stories about its content moderation business with Facebook. That prompted Cognizant to exit the field entirely. Its contract with Facebook was reportedly worth $100 million annually. In November, Cognizant laid off 6,000 employees.