
Cyber Incident Victim: Cognizant Technology Solutions

Date: Apr 2020

Location: United States of America

Summary

A major IT services provider experienced a significant cyber attack involving Maze Ransomware, causing service disruptions for clients. The attackers compromised internal systems, prompting the company to distribute indicators of compromise including malicious IP addresses and file hashes associated with Maze payloads. The incident required containment efforts involving internal security teams, external cyber defense firms, and law enforcement coordination. Maze operators typically exfiltrate unencrypted data prior to encryption, leveraging stolen information to pressure victims into ransom payments through threats of public data leaks. While the ransomware group initially denied responsibility, the victim organization confirmed Maze's involvement, highlighting the attack's dual impact as both operational disruption and potential data breach. The intrusion likely followed an extended network presence enabling lateral movement and credential theft before ransomware deployment.


Description

On April 18, 2020, IT services firm Cognizant experienced a cyber attack attributed to the Maze Ransomware operators, disrupting services for some clients. The company, which manages IT infrastructure for global clients through endpoint agents installed on customer workstations, began notifying clients of the breach on the same day, providing a preliminary list of indicators of compromise (IOCs) to aid detection and mitigation efforts. These IOCs included IP addresses associated with known Maze infrastructure and file hashes for malicious components such as kepstl32.dll, memes.tmp, and maze.dll, alongside an unnamed file with an unidentified hash. Security researcher Vitali Kremez released a Yara rule to detect the Maze payload, aligning with the observed attack patterns. Maze operators initially denied responsibility for the incident, though their historical behavior of delaying public claims during active negotiations suggested tactical silence. Cognizant later confirmed the Maze ransomware’s involvement in a public statement, acknowledging internal system compromises and service disruptions while emphasizing collaboration with cybersecurity firms and law enforcement to contain the incident.


The attack exhibited characteristics consistent with Maze’s operational tactics, including prolonged network infiltration prior to ransomware deployment. Attackers typically conduct lateral movement, credential theft, and data exfiltration over weeks or months before deploying ransomware via tools like PowerShell Empire. Maze operators are known to exfiltrate unencrypted files before encryption, leveraging stolen data to pressure victims into paying ransoms under threat of public release on their dedicated leak site. Cognizant treated the incident as a data breach due to this established modus operandi, despite Maze’s initial denial. The company’s response included internal security team mobilization, engagement of external cyber defense experts, client communications with defensive IOCs, and coordination with law enforcement authorities. Service disruptions impacted an unspecified subset of clients reliant on Cognizant’s remote management services for patches, updates, and support. The incident remained under active investigation at the time of reporting, with no confirmation of data leaks or ransom negotiations disclosed publicly.
