Search This Blog

Showing posts with label ChaCha ransomware. Show all posts

Conduent's European Operations Hit by Maze Ransomware, Data Stolen


Conduent, a business process outsourcing organization confirms that their European operations were crippled by a ransomware attack on Friday, in an immediate response to the attack the IT services giant was able to restore most of the affected systems within eight hours of the incident.

The security software company, Emsisoft and cybersecurity research and threat intelligence firm Bad Packets, expressed a large probability of Conduent been attacked by Maze ransomware.

What is a Maze ransomware attack?

The maze is a sophisticated strain of Windows ransomware that not only encrypts individual systems but also proliferate across the whole network of computers infecting each one of it. Typically, Maze attacks organizations around the globe and demand a ransom in cryptocurrency for a safe recovery of the data encrypted by the attackers.

It's the same variant of ransomware that attacked IT services company, Cognizant on April 18 – although the New-Jersey headquartered company chose not to share many details about the security incident, it said that its services were disrupted and internal security teams were taking active measures to contain the impact. Reportedly, some of the company's employees were locked out of the mail systems as a result of the attack.

In Conduent's case, the threat actors have posted online two zip files that appear to contain data regarding the company's services in Germany, as per the evaluations made by Emsisoft. The documents were published on a website that leaks Maze ransomware attacks.

The company's operations witnessed a disruption around 12:45 AM CET on Friday, May 29th. It was by 10.00 AM CET that morning – the systems were restored and functional again. Meanwhile, the ransomware was identified by the systems and was later addressed by their cybersecurity protocols.

While commenting on the matter, Cognizant CFO Karen McLoughlin said, "While we have restored the majority of our services and we are moving quickly to complete the investigation, it is likely that costs related to the ransomware attack will continue to negatively impact our financial results beyond Q2."

As per the statements released by Conduent to confirm the attack that happened last week, “Conduent's European operations experienced a service interruption on Friday, May 29, 2020."

"Our system identified ransomware, which was then addressed by our cybersecurity protocols. This interruption began at 12.45 AM CET on May 29th with systems mostly back in production again by 10.00 AM CET that morning, and all systems have since then been restored. This resulted in a partial interruption to the services that we provide to some clients. As our investigation continues, we have on-going internal and external security forensics and anti-virus teams reviewing and monitoring our European infrastructure"

However, Conduent did not answer the questions regarding the loss of the data and the researches carried out by two cybersecurity companies indicating the same.

Maze Ransomware and its Various Campaigns Continue to Threaten the Cyber World


Ever since this year began, the Maze ransomware has been hitting headlines. Recently researchers discovered more samples of Maze in numerous industries making it one of the major threats for the cyber-world.

Another form of the "ChaCha" ransomware, Maze surfaced in mid-2019 and has been wreaking havoc ever since, across continents and any organization it could get it hands-on.

Per sources, Maze is most usually dispensed by way of emails loaded with malicious Exel and Word attachments. But that’s not the only method of distribution.

According to reports, cyber-criminals also use “exploit kits” by the name of “Spelevo”. Sources mention that in previous cases it has been used to exploit Flash Player vulnerabilities, CVE-2018-15982 and CVE-2018-4878. Other exploits that Maze has abused include CVE-2018-8174 (Internet Explorer) and CVE-2018-1150 (Pulse VPN).

Maze ransomware initially tries to get a strong idea of the target device’s internal surroundings and begins to create a place for itself. Once that’s done it tries to access user privileges to carry lateral movements and kick start the file encryption throughout drives. But, before the encryption, files are exfiltrated so as to be used for future compulsion in any way possible.

If the security system of a device isn’t laden with necessary protective gauges it could possibly crash completely under the pressure of Maze ransomware. The infection could put sensitive information at large and incapacitate operations almost killing the company’s finances.

Per sources, Maze ransomware has shown its hold across industries like construction, education, energy, finance, government, healthcare, hospitality, law, life sciences, media and communications, pharma, technology, and telecommunications. McAfee, in March, made available a detailed report about the Maze ransomware.

According to a report, there’s an “Anti-Ransomware Protection module” which hunts ransomware related encryption-based activities. It allows users to keep track of the activities.

Per sources, lately, Maze ransomware was spotted compromising several IT service providers. It also set up a footing in another victim device’s network via insecure Remote Desktop Protocol or by using brute-force on the account of the local administrator.
Cloud backups too aren’t safe from the Maze ransomware because they are widely tracked on the vulnerable networks. With the login credentials, all backed-up data could be sent to the threat-actors via a server under their control.

The solution for any such occurrences is as repetitive as ever; stronger security mechanisms, better passwords especially remote systems with remote access possibilities and of course, heftier protection measures.