Dive Brief:
- Cognizant expects to lose between $50 million and $70 million in Q2 because of the April Maze ransomware attack, CFO Karen McLoughlin said during the company's Q1 2020 earnings call on May 7.
- Last week, the company said the ransomware was contained, though earnings results will reflect the damage, said CEO Brian Humphries. Cognizant partnered with third-party cybersecurity firms and federal agencies to respond to the ransomware.
- Because the attack encrypted Cognizant's internal systems, the company was forced to take its systems offline, said Humphries. The move offline put a hold on work-from-home services, including enabling bridge domain interfaces and laptop provisioning. Prior to the attack, the company expected to "further increase" its work from home capabilities in April.
Dive Insight:
Maze has a list of notable victims, including the city of Pensacola, Florida, cable manufacturer Southwire and, most recently, mailing services company Pitney Bowes, first reported by ZDNet. The attack on Cognizant impacted an IT services supply chain, and the company will have to deal with customer fallout.
After the company disclosed the cyberattack last month, clients were proactive in ensuring the spread stopped at Cognizant. Customers began to opt out or suspend Cognizant's "access to their networks," which directly impacted billing, said Humphries.
Cognizant was hit by the ransomware before the company shifted to remote work, according to Humphries. The company is "now substantially work from home-enabled" and working to address suspended clients' concerns by the end of the month, he said.
The operators behind Maze were likely lurking in Cognizant's systems for weeks before executing their attack, according to Bleeping Computer. While Cognizant claimed to have contained the attack, Maze is a well-known and influential strain of ransomware that has led to copycat strains. It's best known for stealing data and sometimes publishing it online.
Maze's operators leverage tools similar to PowerShell Empire for execution, though they are not limited to one tactic. Maze is distributed through emails containing malicious Word or Excel files, according to research from Palo Alto Networks' Unit 42.
"These operators were also able to establish a foothold within another victim’s network through insecure Remote Desktop Protocol and other remote service connections or by brute-forcing the local administrator account," according to the research.