IT & cyber security company with 300k employees hacked & encrypted with ransomware

No one is safe from a cyberattack, not even cybersecurity companies. Cognizant, a major IT security services company with nearly 300,000 employees worldwide, has suffered a cyberattack, allegedly perpetrated by the threat actors behind the dangerous Maze ransomware variant.

Cognizant works with thousands of organizations worldwide, remotely managing services related to the computer security of its customers, including software updates, security patches, support and queries.

According to the IT security services firm, at the end of last week it began sending emails to its clients informing them of the attack and including a preliminary list of indicators of compromise (IoCs: data that confirms the attack). Cognizant told its customers that they could use this information to monitor their own systems, at least until the incident is resolved.

Among the indicators of compromise detected by Cognizant were multiple server IP addresses and file hashes for the files kepstl32.dll, memes.tmp, and maze.dll; these IP addresses and files had apparently been used in attacks prior to this incident. No further details on the incident have been revealed so far.
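The kind of check a customer could run with such a list, as an added example that is not part of the article or of any Cognizant advisory: a sweep that flags files by name or SHA-256 and log lines by IP address. The filenames are the three named in the article; the hash values and IP addresses are placeholders (the article does not publish them), and the sample files and firewall log lines are constructed for the demo.

```python
"""Sweep a host for indicators of compromise (IoCs): file names, file hashes, IP addresses."""
import hashlib
import ipaddress
import os
import re
import tempfile
from pathlib import Path

# File names taken from the preliminary IoC list quoted in the article.
IOC_FILENAMES = {"kepstl32.dll", "memes.tmp", "maze.dll"}

# The article does not publish the hash values or the IP addresses, so these
# are placeholders (assumption); replace them with the values from the real advisory.
IOC_SHA256 = {"<sha256-placeholder-from-advisory>"}
IOC_IPS = {"192.0.2.10", "198.51.100.7"}   # RFC 5737 documentation addresses, not real IoCs


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_files(root, filenames=IOC_FILENAMES, hashes=IOC_SHA256):
    """Walk `root`; report every file whose name or SHA-256 matches an IoC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digest = sha256_of(path)
            except OSError:
                continue            # unreadable/locked file: skip it, don't abort the sweep
            reasons = []
            if name.lower() in filenames:
                reasons.append("filename")
            if digest in hashes:
                reasons.append("sha256")   # catches the same binary under a renamed file
            if reasons:
                hits.append({"path": str(path), "name": name, "sha256": digest, "matched": reasons})
    return hits


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sweep_log(lines, ips=IOC_IPS):
    """Return (line_number, ip) for every log line that mentions an IoC address."""
    bad = {ipaddress.ip_address(i) for i in ips}
    hits = []
    for n, line in enumerate(lines, 1):
        for token in IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue            # e.g. 999.1.1.1 matches the regex but is not an IP
            if addr in bad:
                hits.append((n, token))
    return hits


def demo() -> dict:
    """Constructed sample data so the sweep can be exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    (root / "maze.dll").write_bytes(b"constructed sample, not real malware")
    (root / "readme.txt").write_bytes(b"benign")
    marker = root / "renamed.bin"
    marker.write_bytes(b"constructed payload bytes")
    hashes = IOC_SHA256 | {sha256_of(marker)}   # stand-in for a hash from the advisory
    log = [  # constructed firewall lines
        "2020-04-18T10:00:01Z fw allow src=10.0.0.5 dst=203.0.113.9 dport=443",
        "2020-04-18T10:00:02Z fw allow src=10.0.0.5 dst=192.0.2.10 dport=443",
        "2020-04-18T10:00:03Z fw deny src=999.1.1.1 dst=10.0.0.1 dport=22",
    ]
    return {"files": sweep_files(root, hashes=hashes), "log": sweep_log(log)}


if __name__ == "__main__":
    for kind, found in demo().items():
        print(kind, found)
```

Hashing every file rather than only name-matching is deliberate: a renamed copy of maze.dll still matches on its digest, while a name-only check would miss it. In the demo the renamed file is caught by hash, maze.dll by name, and only the one log line that mentions a listed address is reported.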

An IT security services firm claims to have contacted the Maze ransomware operators, who denied their involvement in this incident. On previous occasions, the operators of this ransomware have refused to share information about their current and previous victims until ransom negotiations are finalized, so experts believe it is likely that the threat actors will not acknowledge their involvement in the attack until a payment is made.

Shortly after rumors of the attack appeared, Cognizant posted a message saying, “We can confirm that the security incident related to our internal systems, and that it is causing some disruptions to the services of some of our customers, is the result of a Maze ransomware infection.”

According to the International Institute of Cyber Security (IICS), the ransomware operators likely remained on the company’s networks for weeks before the attack, so how they gained access to the corporate networks is still under investigation. So far, it has only been confirmed that the attackers obtained administrator credentials on the network and completed the installation of the ransomware using tools such as PowerShell Empire.