Maze Ransomware attack during Covid19 outbreak

In a recent attack, an information technology services provider Cognizant admitted that it was a victim of a ransomware attack. In an official statement, the IT giant stated that it was hit by Maze ransomware that caused service disruptions for some of its clients. It has also notified its clients and users about the attack.

What is Maze? How Maze is different from other ransomware?

Maze, also known as ChaCha, is ransomware that was first observed in May 2019. At first, Maze was a rather unremarkable instance of ransomware that was involved in extortion campaigns. Beginning around October of 2019, Maze became more aggressive and more public.

When comparing Maze to most of the other ransomware out there, the clear difference is its ability to both exfiltrate the encrypted data and extort the victim. Maze’s functionality far exceeds this traditional ransomware approach by using a 1–2–3 combination of:

  1. Encrypt
  2. Exfiltrate
  3. Extort

Though Maze ransomware organization has denied its involvement in the attack, security experts don’t seem convinced. “The ransomware has still been categorized as Maze because the listed IOCs included IP addresses of servers and file hashes for the kepstl32.dll, memes.tmp, and maze.dll files. These are known to be used in previous attacks by the Maze ransomware

How does Maze operate

McAfee Labs’ research on Maze shows that the ransomware is mainly spread through exploit kits such as Fallout and Spelevo; desktop connections with weak passwords; phishing emails impersonating government agencies. For instance, in the October cyberattack on Italian organizations, emails were sent with a Word attachment that used macros to run the malware in the system.

According to McAfee, this malware is hard programmed to prevent reverse engineering of its codes, which makes static analysis by security researchers more difficult. Reverse engineering is a common practice used in cybersecurity to understand how a given program, like the malware, in this case, works.

What can organizations do to protect themselves?


  • Back up files using the 3–2–1 rule. This precautionary measure avoids data loss in case of a ransomware attack. It involves creating three backups in two different formats and storing one copy offsite
  • Regularly patch and update application/ system against newly discovered vulnerabilities
  • Install APT (Advanced Persistent Threats) tool in infra. This enables monitoring minus the risk of compromise, as malicious files can be executed in an isolated environment.
  • Subscribe free or paid threat intelligence services to get alert for recent attacks and IOCs
  • Users are advised not to click on links received via emails. This is the primary method many ransomware operators are dependent on for infecting devices
  • Never open attachment from unknown sender email addresses
  • Last but not least educate your employees about phishing attacks by sending awareness emails.