Cognizant Technology Solutions Corp., an IT services giant with roughly 290,000 employees, was recently hit by a strain of sophisticated Windows ransomware called Maze, which encrypted its systems and threatened to make its data public if the ransom was not paid.
This malware is proving to be particularly damaging and makes headlines almost every week with a new victim. It has caused considerable disruption not only in the IT sector but also in other companies that handle sensitive user data. Maze, also known as "ChaCha ransomware", was first discovered in May 2019 and has since attacked firms by encrypting their files and blackmailing them with the threat of exposing their data publicly. It hit Andrew Agencies in October 2019, then the city of Pensacola, the US insurance company Chubb, the leading American cable manufacturer Southwire Company, Medical Diagnostic Laboratories (MDLab), a Manitoba law firm in Canada, and now Cognizant.
How is it different from, and more dangerous than, other ransomware?
Other malware families also encrypt files and demand a ransom, but what makes Maze more dangerous is that it steals the data before encrypting the system, exfiltrates it to the attackers, and then threatens to release it on their own website (yes, they run a leak site where they publish each new victim and samples of its data) if the ransom is not paid. It is therefore not just a ransomware attack but a combination of ransomware and data breach.
So the previously reliable tactic of restoring from backups and carrying on is not enough against Maze: a restore brings systems back, but the attackers still hold a copy of the data and can publish it, sell it or otherwise use it maliciously.
How does it infect?
This ransomware has been seen arriving through several vectors: phishing emails with malicious attachments or links, weak or stolen passwords on exposed remote-access services, and exploit kits such as Fallout and Spelevo. Once inside, it encrypts files with a hybrid scheme combining two ciphers: the file contents are encrypted with ChaCha20, and the ChaCha20 keys are in turn encrypted with an RSA public key, so the files cannot be recovered without the attackers' private RSA key. Each encrypted file gets a random extension of several characters appended (for example ".rC0syGH" or ".DL1fZE").
How to protect from Maze Ransomware?
Backups do not remove the extortion lever Maze relies on, but they remain essential for recovery, so you should still keep secure offsite (and ideally offline) backups, keep security software and patches up to date, and train employees to choose strong, unique passwords and to recognise suspicious or unsolicited email attachments, links and files.
Many programs are installed into and run from the user's AppData folder, and malware such as Maze, MedusaLocker and Sage takes advantage of this: a dropper can write its payload into %AppData% or %LocalAppData% and execute it with ordinary user rights, with no elevation needed. Program Files, by contrast, is writable only by administrators. If software is installed there and execution is restricted to Program Files and Windows (for example with AppLocker or Software Restriction Policies), a payload dropped into a user-writable folder is simply blocked: the account it runs under never had permission to place it anywhere execution is allowed.
Even Chrome's default per-user installer places it in the user's AppData folder, so when a domain user logs on to a computer Chrome ends up in that user's profile; Microsoft Teams likewise installs its client under AppData\Local. Both vendors also offer per-machine installers that put the program under Program Files, where installation requires administrator rights; where one is available, prefer it, and otherwise give the execution policy a narrow exception (for instance a publisher rule for the signed binary) rather than a blanket allow of AppData. Deployed per user with no such policy, Chrome and Teams leave the system just as open to malware running from the profile as any other AppData program.
Software such as "Ransomware Defender", which blocks execution from AppData, user profiles and similar user-writable folders, provides strong protection against ransomware like Maze.
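The following PowerShell script is an added example of the AppData lockdown described above; it is not code from the original article or from any vendor. It inventories what currently executes from user-writable profile folders, applies an AppLocker EXE policy that allows execution only from Program Files and Windows, and merges in publisher rules for the signed per-user applications this site has decided to keep (the product names "GOOGLE CHROME" and "MICROSOFT TEAMS" are an assumption about the environment). It must run from an elevated PowerShell on a test machine, and it starts in AuditOnly mode.

```powershell
# Added example (not from the original article): restrict EXE execution to
# Program Files and Windows with AppLocker, with publisher-rule exceptions for the
# few signed applications that legitimately live under AppData.
# Start in AuditOnly, then review event ID 8003 under
# "Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL"
# before switching EnforcementMode to "Enabled".
$ErrorActionPreference = 'Stop'

# AppLocker only enforces while the Application Identity service is running;
# it is a protected service on recent Windows, so sc.exe is used to make it automatic.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 1. Inventory: every EXE sitting in a folder a standard user can write to.
$userWritable = @($env:LOCALAPPDATA, $env:APPDATA, "$env:USERPROFILE\Downloads", $env:TEMP) |
    Where-Object { Test-Path $_ }
$userExes = $userWritable | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe -ErrorAction SilentlyContinue
}
$userExes |
    Select-Object Path, @{ n = 'Product'; e = { $_.Publisher.ProductName } } |
    Sort-Object Path | Format-Table -AutoSize

# 2. Only signed binaries of sanctioned products get an exception, and only as
#    publisher rules: a path rule for %LOCALAPPDATA%\... would let any dropper
#    that writes into the same folder through, a publisher rule will not.
$sanctionedProducts = @('GOOGLE CHROME', 'MICROSOFT TEAMS')   # assumption for this site
$sanctioned = $userExes | Where-Object {
    $_.Publisher -and ($_.Publisher.ProductName -in $sanctionedProducts)
}

# 3. Baseline path rules. Everyone may run from Program Files and Windows, where
#    only administrators can write; members of Administrators may run anything.
$baselineXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Administrators: all" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$baselineFile = Join-Path $env:TEMP 'applocker-baseline.xml'
$baselineXml | Set-Content -Path $baselineFile -Encoding UTF8

# 4. Apply the baseline, then merge publisher rules for the sanctioned binaries.
Set-AppLockerPolicy -XmlPolicy $baselineFile
if ($sanctioned) {
    New-AppLockerPolicy -FileInformation $sanctioned -RuleType Publisher -User Everyone -Optimize |
        Set-AppLockerPolicy -Merge
}

# 5. Check the result against a constructed "dropper": a copy of a signed Windows
#    binary placed in %APPDATA% must be denied (wrong path, no publisher exception),
#    while the same binary in System32 stays allowed.
$fakeDropper = Join-Path $env:APPDATA 'update.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $fakeDropper -Force
$effectiveFile = Join-Path $env:TEMP 'applocker-effective.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $effectiveFile -Encoding UTF8
$targets = @($fakeDropper, "$env:WINDIR\System32\notepad.exe")
$chrome = "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"   # assumed per-user Chrome path
if (Test-Path $chrome) { $targets += $chrome }
Test-AppLockerPolicy -XmlPolicy $effectiveFile -Path $targets -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $fakeDropper
```

Two caveats before enforcing: the Allow rule for %WINDIR%\* also covers a few subfolders that standard users can write to (for example %WINDIR%\Tasks and %WINDIR%\Temp), which should get explicit Deny rules, and this policy only covers the EXE collection, so DLLs, scripts and installers need their own collections. AppLocker is only enforced on Windows editions that support it, so confirm the edition before relying on it.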
Windows users can install ‘Ransomware Defender’ - Download from here:
https://www.cysecurity.co/ransom-defender-for-windows/