Maze Ransomware Attacks US IT Firm
April 20, 2020
IT managed services firm Cognizant suffered a ransomware attack purportedly conducted by threat actors behind Maze ransomware, according to a report by BleepingComputer.The company has emailed their clients about the attack. The email advisory included a preliminary list of indicators of compromise (IoCs) identified through its investigation, which customers can refer to for system monitoring and securing. The list of IoCs include IP addresses and file hashes, which have been linked to previous Maze attacks.
Besides encrypting data, Maze ransomware operators are also notorious for releasing stolen data to the public. The ransomware also employs various methods to infect victims, including spam campaigns, fake cryptocurrency sites, and exploit kits.
Cognizant is a multinational company based in the U.S. that provides services to other companies, including those that fall under IT, digital, operations, and consulting.
Defense against ransomware
Ransomware can potentially affect not just the enterprise itself, but their customers as well. With an attack against a company that offers IT services, the importance of securing the software supply chain is highlighted.
[Related: A new playground for cybercrime: Why supply chain security must cover software development]
Below are some best practices users can perform to mitigate risks associated with ransomware:
- Back up files using the 3-2-1 rule. This precautionary measure avoids data loss in case of a ransomware attack. It involves creating three backups in two different formats and storing one copy offsite.
- Be vigilant against socially-engineered emails. This reduces the chances of infection, as many ransomware types are propagated as spam attachments.
- Patch and update applications and programs. This ensures that vulnerabilities which can be used as entry points for ransomware can be fixed as soon as possible.
- Enable firewalls and intrusion prevention. This blocks malicious network activities, which may have been caused by ransomware.
- Deploy application control and behavior monitoring. This detects suspicious activities and prevents malicious programs such as ransomware from making unauthorized changes in the system.
- Utilize sandbox analysis. This enables monitoring minus the risk of compromise, as malicious files can be executed in an isolated environment.
As added protection against ransomware, the following Trend Micro Solutions are recommended:
- Trend Micro XDR for Users - Applies expert analytics to data collected from Trend Micro solutions, enabling faster detection and annihilation of attacks.
- Trend Micro Apex One™ - Offers automated threat detection, response, and investigation.
- Trend Micro™ Deep Discovery™ Email Inspector - Analyzes patterns and uses reputation analysis to detect the latest ransomware variants.
- Trend Micro™ InterScan™ Web Security - Blocks access to malicious URLs that propagate ransomware.
Indicators of Compromise
IPS Rules
- 1007596 - Identified Suspicious File Extension Rename Activity Over Network Share
- 1007598 - Identified Suspicious Rename Activity Over Network Share
Malicious networks
- hxxp://92.63.8.47
- hxxp://92.63.32.2
- hxxp://92.63.37.100
- hxxp://92.63.194.20
- hxxp://92.63.17.245
- hxxp://92.63.32.55
- hxxp://92.63.11.151
- hxxp://92.63.194.3
- hxxp://92.63.15.8
- hxxp://92.63.29.137
- hxxp://92.63.32.57
- hxxp://92.63.15.56
- hxxp://92.63.32.52
- hxxp://92.63.15.6
Email address
filedecryptor@nuke[.]africa
| SHA-256 | Trend Micro Pattern Detection |
| 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e | Ransom.Win32.MAZE.THKBIAI |
| 067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b | Ransom.Win32.MAZE.THKBIAI |
| 1161b030293e58d15b6a6a814a61a6432cf2c98ce9d156986157b432f3ebcf78 |
Ransom.Win32.MAZE.AC |
| 153defee225de889d2ac66605f391f4aeaa8b867b4093c686941e64d0d245a57 | Ransom.Win32.MAZE.THKBIAI |
| 195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9 | Ransom.Win32.MAZE.THKBIAI |
| 30b72e83d66cbe9e724c8e2b21179aecd4bcf68b2ec7895616807df380afab54 | Ransom.Win32.MAZE.THKBIAI |
| 33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502 | Ransom_Maze.R002C0DC720 |
| 4080402553e9a86e954c1d9b7d0bb059786f52aba4a179a5d00e219500c8f43d | Ransom.Win32.MAZE.THKBIAI |
| 4218214f32f946a02b7a7bebe3059af3dd87bcd130c0469aeb21b58299e2ef9a | Ransom.Win32.MAZE.AC |
| 5603a16cbf81d183d3ff4ffea5477af1a4be01321865f0978c0e128051ec0a82 | Ransom.Win32.MAZE.THKBIAI |
| 58fe9776f33628fd965d1bcc442ec8dc5bfae0c648dcaec400f6090633484806 | Ransom.Win32.MAZE.THKBIAI |
| 5c9b7224ffd2029b6ce7b82ea40d63b9d4e4f502169bc91de88b4ea577f52353 | Ransom.Win32.MAZE.THJBBAI |
| 6878f7bd90434ac5a76ac2208a5198ce1a60ae20e8505fc110bd8e42b3657d13 | Ransom_Instructions.R002C0PCK20 |
| 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af | Ransom.Win32.MAZE.THJBBAI |
| 822a264191230f753546407a823c6993e1a83a83a75fa36071a874318893afb8 | Ransom.Win32.MAZE.THKBIAI |
| 83f8ce81f71d6f0b1ddc6b4f3add7a5deef8367a29f59b564c9539d6653d1279 | Ransom_Maze.R002C0DCK20 |
| 877c439da147bab8e2c32f03814e3973c22cbcd112d35bc2735b803ac9113da1 | Ransom.Win32.MAZE.SMDA |
| 91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1 | Ransom.Win32.MAZE.THKBIAI |
| 9751ae55b105ad8ffe6fc5dc7aea60ad723b6df67a959aa2ea6f4fa640d20a71 | Ransom.Win32.MAZE.AC |
| 9845f553ae868cd3f8d8c3f8684d18f226de005ee6b52ad88b353228b788cf73 | Ransom.Win32.MAZE.AD |
| 9ad15385f04a6d8dd58b4390e32d876070e339eee6b8da586852d7467514d1b1 | Ransom.Win32.MAZE.G |
| 9be70b7fe15cd64aed5b1adc88c2d5270bce534d167c4a42d143ae0059c3da1c | Ransom.Win32.MAZE.C |
| b30bb0f35a904f67d3ac0082c59770836cc415dc5b7225be04e8d7c79bde73be | Ransom.Win32.MAZE.THKBIAI |
| c040defb9c90074b489857f328d3e0040ac0ddab26cde132f17cccae7f1309cc | Ransom_Mazedec.R002C0DDE20 |
| c11b964916457579a268a36e825857866680baf1830cd6e2d26d4e1e24dec91b | Trojan.Win32.SMOKELOAD.SMD2.hp |
| c84b2c7ec20dd835ece13d5ae42b30e02a9e67cc13c831ae81d85b49518387b9 | Ransom.Win32.MAZE.SMDA |
| e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684 | Ransom.Win32.MAZE.H |
| ea19736c8e89e871974aabdc0d52ad0f0948159d4cf41d2889f49448cbe5e705 | Ransom.Win32.MAZE.AC |
| ecd04ebbb3df053ce4efa2b73912fd4d086d1720f9b410235ee9c1e529ea52a2 | Ransom.Win32.MAZE.SMDA |
| F491fb72f106e879021b0bb1149c4678fb380c255d2ef11ac4e0897378793f49 | Ransom.Win32.MAZE.AC |
HIDE
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
Posted in Cybercrime & Digital Threats, Ransomware
Recent Posts
- Caught in the Crossfire: Defending Devices From Battling Botnets
- Infrastructure as Code: Security Risks and How to Avoid Them
- Russian Group Cosmic Lynx Launches Over 200 BEC Campaigns
- Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector Targeted
- Patch Now: F5 Vulnerability with CVSS 10 Severity Score
Caught in the Crossfire: Defending Devices From Battling Botnets 
Infrastructure as Code: Security Risks and How to Avoid Them 
Know the Symptoms: Protect Your Devices While Working From Home 
Alexa and Google Home Devices can be Abused to Phish and Eavesdrop on Users, Research Finds