Maze Ransomware Attacks US IT Firm

IT managed services firm Cognizant suffered a ransomware attack purportedly conducted by threat actors behind Maze ransomware, according to a report by BleepingComputer.

Cognizant has emailed its clients about the attack. The advisory included a preliminary list of indicators of compromise (IoCs) identified during its investigation, which customers can use to monitor and secure their systems. The IoCs consist of IP addresses and file hashes that have been linked to previous Maze attacks.

Besides encrypting data, the Maze ransomware operators are also notorious for publishing data stolen from victims. The ransomware has been distributed through various methods, including spam campaigns, fake cryptocurrency sites, and exploit kits.

Cognizant is a U.S.-based multinational company that provides IT, digital, operations, and consulting services to other companies.

Defense against ransomware

Ransomware can affect not just the targeted enterprise but its customers as well. An attack against a company that provides IT services to others highlights the importance of securing the software supply chain.

Below are some best practices users can follow to mitigate the risks associated with ransomware:
  • Back up files using the 3-2-1 rule. This precautionary measure limits data loss in case of a ransomware attack: keep three copies of the data on two different storage media, with one copy stored offsite.
  • Be vigilant against socially engineered emails. This reduces the chance of infection, as many ransomware families are propagated as spam attachments.
  • Patch and update applications and programs. This closes vulnerabilities that can serve as entry points for ransomware as soon as fixes are available.
  • Enable firewalls and intrusion prevention. This blocks malicious network activity, such as the traffic generated by ransomware.
  • Deploy application control and behavior monitoring. This detects suspicious activity and prevents malicious programs such as ransomware from making unauthorized changes to the system.
  • Utilize sandbox analysis. Suspicious files can be executed and observed in an isolated environment without risking the production system.
As added protection against ransomware, the following Trend Micro Solutions are recommended:


Indicators of Compromise

IPS Rules

  • 1007596 - Identified Suspicious File Extension Rename Activity Over Network Share
  • 1007598 - Identified Suspicious Rename Activity Over Network Share
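
The two IPS rules above are named for a behavior, a burst of renames over a network share, that can also be checked in share audit logs. The following is an added example, not the logic of rules 1007596/1007598 or any Trend Micro code; the event tuple format, the share paths, the ".enc1" extension, the threshold and the window are all assumed for the demo.

```python
"""Flag bursts of extension-changing renames on a share, the kind of activity
the IPS rule names above refer to. Added example; not the detection logic of
rules 1007596/1007598. The event format, threshold and window are assumed.
"""
from collections import defaultdict, deque
import ntpath  # share paths are Windows-style, so split them with ntpath on any OS

# Constructed share audit events: (time_s, client_ip, old_path, new_path).
EVENTS = [
    (50, "10.0.0.5", r"\\fs1\docs\report.docx", r"\\fs1\docs\report_final.docx"),
    (60, "10.0.0.5", r"\\fs1\docs\notes.txt", r"\\fs1\docs\notes.md"),
]
# Six files renamed to a constructed ".enc1" extension within 5 seconds.
EVENTS += [
    (100 + i, "10.0.0.9", rf"\\fs1\docs\f{i}.docx", rf"\\fs1\docs\f{i}.docx.enc1")
    for i in range(6)
]
# Same number of renames from another client, but 20 s apart: stays under the window.
EVENTS += [
    (200 + 20 * i, "10.0.0.7", rf"\\fs1\hr\h{i}.xlsx", rf"\\fs1\hr\h{i}.xlsx.enc1")
    for i in range(5)
]


def extension_changed(old, new):
    """True when the rename alters the file extension (case-insensitive)."""
    return ntpath.splitext(old)[1].lower() != ntpath.splitext(new)[1].lower()


def detect_rename_bursts(events, threshold=5, window=10):
    """Return {client_ip: time_of_first_alert} for clients that performed at
    least `threshold` extension-changing renames inside any `window` seconds.
    A sliding deque per client keeps only timestamps still inside the window,
    so ordinary renames (same extension) and slow activity never trigger."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, client, old, new in sorted(events):
        if not extension_changed(old, new):
            continue
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and client not in alerts:
            alerts[client] = ts
    return alerts


if __name__ == "__main__":
    print(detect_rename_bursts(EVENTS))  # {'10.0.0.9': 104}
```

The threshold and window need tuning per environment: a build server or a bulk document converter can legitimately rename many files quickly, so in practice the alert should be scoped to user-facing shares and to extensions not expected on them.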

Malicious networks

  • hxxp://92.63.8.47
  • hxxp://92.63.32.2
  • hxxp://92.63.37.100
  • hxxp://92.63.194.20
  • hxxp://92.63.17.245
  • hxxp://92.63.32.55
  • hxxp://92.63.11.151
  • hxxp://92.63.194.3
  • hxxp://92.63.15.8
  • hxxp://92.63.29.137
  • hxxp://92.63.32.57
  • hxxp://92.63.15.56
  • hxxp://92.63.32.52
  • hxxp://92.63.15.6


Email address

filedecryptor@nuke[.]africa


SHA-256 Trend Micro Pattern Detection
04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e Ransom.Win32.MAZE.THKBIAI
067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b Ransom.Win32.MAZE.THKBIAI
1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78 Ransom.Win32.MAZE.AC
153defee225de889d2ac66605f391f4aeaa8b867b4093c686941e64d0d245a57 Ransom.Win32.MAZE.THKBIAI
195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9 Ransom.Win32.MAZE.THKBIAI
30b72e83d66cbe9e724c8e2b21179aecd4bcf68b2ec7895616807df380afab54 Ransom.Win32.MAZE.THKBIAI
33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502 Ransom_Maze.R002C0DC720
4080402553e9a86e954c1d9b7d0bb059786f52aba4a179a5d00e219500c8f43d Ransom.Win32.MAZE.THKBIAI
4218214f32f946a02b7a7bebe3059af3dd87bcd130c0469aeb21b58299e2ef9a Ransom.Win32.MAZE.AC
5603a16cbf81d183d3ff4ffea5477af1a4be01321865f0978c0e128051ec0a82 Ransom.Win32.MAZE.THKBIAI
58fe9776f33628fd965d1bcc442ec8dc5bfae0c648dcaec400f6090633484806 Ransom.Win32.MAZE.THKBIAI
5c9b7224ffd2029b6ce7b82ea40d63b9d4e4f502169bc91de88b4ea577f52353 Ransom.Win32.MAZE.THJBBAI
6878f7bd90434ac5a76ac2208a5198ce1a60ae20e8505fc110bd8e42b3657d13 Ransom_Instructions.R002C0PCK20
6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af Ransom.Win32.MAZE.THJBBAI
822a264191230f753546407a823c6993e1a83a83a75fa36071a874318893afb8 Ransom.Win32.MAZE.THKBIAI
83f8ce81f71d6f0b1ddc6b4f3add7a5deef8367a29f59b564c9539d6653d1279 Ransom_Maze.R002C0DCK20
877c439da147bab8e2c32f03814e3973c22cbcd112d35bc2735b803ac9113da1 Ransom.Win32.MAZE.SMDA
91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1 Ransom.Win32.MAZE.THKBIAI
9751ae55b105ad8ffe6fc5dc7aea60ad723b6df67a959aa2ea6f4fa640d20a71 Ransom.Win32.MAZE.AC
9845f553ae868cd3f8d8c3f8684d18f226de005ee6b52ad88b353228b788cf73 Ransom.Win32.MAZE.AD
9ad15385f04a6d8dd58b4390e32d876070e339eee6b8da586852d7467514d1b1 Ransom.Win32.MAZE.G
9be70b7fe15cd64aed5b1adc88c2d5270bce534d167c4a42d143ae0059c3da1c Ransom.Win32.MAZE.C
b30bb0f35a904f67d3ac0082c59770836cc415dc5b7225be04e8d7c79bde73be Ransom.Win32.MAZE.THKBIAI
c040defb9c90074b489857f328d3e0040ac0ddab26cde132f17cccae7f1309cc Ransom_Mazedec.R002C0DDE20
c11b964916457579a268a36e825857866680baf1830cd6e2d26d4e1e24dec91b Trojan.Win32.SMOKELOAD.SMD2.hp
c84b2c7ec20dd835ece13d5ae42b30e02a9e67cc13c831ae81d85b49518387b9 Ransom.Win32.MAZE.SMDA
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684 Ransom.Win32.MAZE.H
ea19736c8e89e871974aabdc0d52ad0f0948159d4cf41d2889f49448cbe5e705 Ransom.Win32.MAZE.AC
ecd04ebbb3df053ce4efa2b73912fd4d086d1720f9b410235ee9c1e529ea52a2 Ransom.Win32.MAZE.SMDA
f491fb72f106e879021b0bb1149c4678fb380c255d2ef11ac4e0897378793f49 Ransom.Win32.MAZE.AC
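
The hashes and addresses above are only useful once they are matched against local artifacts. The following is an added example of that matching, not Cognizant's advisory tooling or a Trend Micro product: it takes a subset of the SHA-256 values and defanged IPs from the lists above, hashes every file under a directory, and scans log lines for the listed addresses. The log line format and the sample file are constructed for the demo.

```python
"""Check local artifacts against the Maze IoCs listed above.

Added example; this is not Cognizant's advisory tooling or a Trend Micro
product. It normalises the published SHA-256 hashes and defanged IPs,
hashes every file under a directory, and scans log lines for the listed
IPs. The log lines and the sample file are constructed for the demo.
"""
import hashlib
import ipaddress
import os
import re
import tempfile

# Subset of the SHA-256 values from the list above (paste the full list in
# practice). Lowercased so a mixed-case entry still matches hashlib output.
MAZE_SHA256 = {h.lower() for h in [
    "04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e",
    "33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502",
    "c11b964916457579a268a36e825857866680baf1830cd6e2d26d4e1e24dec91b",
    "F491fb72f106e879021b0bb1149c4678fb380c255d2ef11ac4e0897378793f49",
]}

# Subset of the "Malicious networks" entries; hxxp:// is defanging, not a
# scheme, so strip it and keep only the address.
MAZE_IPS = {
    ipaddress.ip_address(s.replace("hxxp://", "").rstrip("/"))
    for s in ["hxxp://92.63.8.47", "hxxp://92.63.32.2", "hxxp://92.63.194.20"]
}

# \b on both ends stops 92.63.8.47 from matching inside 192.63.8.47.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed proxy/firewall lines in an assumed key=value format.
SAMPLE_LOG = [
    "2020-04-17T10:01:02Z proxy ALLOW src=10.1.2.3 dst=93.184.216.34 url=http://example.com/",
    "2020-04-17T10:01:09Z proxy ALLOW src=10.1.2.3 dst=92.63.8.47 url=http://92.63.8.47/",
    "2020-04-17T10:02:11Z fw DENY src=92.63.194.20 dst=10.1.2.50 dport=445",
    "2020-04-17T10:02:30Z proxy ALLOW src=10.1.2.8 dst=192.63.8.47 url=http://192.63.8.47/",
]


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, hashes=MAZE_SHA256):
    """Return [(path, sha256)] for files under root whose hash is in `hashes`."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:  # unreadable or vanished file: skip, don't abort the sweep
                continue
            if digest in hashes:
                hits.append((path, digest))
    return hits


def scan_log(lines, ips=MAZE_IPS):
    """Return [(line_no, ip)] for each listed IP seen, once per line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for text in sorted(set(IP_RE.findall(line))):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
                continue
            if ip in ips:
                hits.append((n, str(ip)))
    return hits


def demo_directory():
    """Hash a constructed file: no hit against the real list, one hit when its
    own digest is used as the watch-list (shows the matching path works)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"constructed sample, not a real Maze binary\n")
        return scan_directory(d), scan_directory(d, {sha256_file(path)})


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))  # [(2, '92.63.8.47'), (3, '92.63.194.20')]
    print(demo_directory())
```

Two details matter in practice: hash lists circulate in mixed case, so normalise before comparing, and IP matching must be on whole tokens, otherwise a listed address is reported inside an unrelated longer one (the fourth sample line). The email address and the detection names on the page can be searched the same way as plain strings in mail logs and AV telemetry.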