COVID-19 Ransomware Attack May Cost IT Giant $70 Million
The incident is further evidence that hackers are ramping up cyberattacks during COVID-19, attacks are getting more costly, and no company is totally immune.
Here’s what we know about the incident and what it means for other businesses facing heightened vulnerabilities during the coronavirus outbreak.
The dangers pre-COVID
Over the last few months, we’ve written about how companies are especially susceptible to attack right now, due to massive operational shifts.
But even before COVID-19, we were in the middle of a huge resurgence of ransomware.
In October 2019, the FBI issued a stark warning to businesses that attacks were becoming more targeted and costly. That same month, Datto released its 2019 ransomware report, revealing that 4 out of 5 IT providers were facing attacks on their own companies, in addition to their clients’.
The threat was already prevalent, and it only got worse once the coronavirus crisis spread.
Cognizant goes down; rumors ignite
Cognizant, which provides enterprise IT services around the globe, released a statement on April 18 that it was a victim of a ransomware attack.
But trouble had already been brewing before that.
ZDNet reported that “several disgruntled [Cognizant] customers had reached out” a day earlier about issues they were experiencing. That’s when the rumor mill began churning.
As Cognizant began cutting off access to its services, some users alleged that the company was hiding a “major security breach under the guise of technical issues.”
A PR nightmare from the start
Aside from the actual operational chaos happening behind the scenes, the incident was already becoming a full-blown public relations crisis.
Once customers suspected ransomware, they feared their servers may be infected as well.
Customers were “thrown in full paranoia mode after Cognizant sent an internal alert to all customers, urging clients to block traffic for a list of IP addresses,” ZDNet reported.
Additionally, as Cognizant began holding meetings with some clients, it wasn’t disclosing any details of what had actually happened. This fed the rumor mill further, as customers began fearing their user data had been stolen.
What really happened
Cognizant later confirmed it had been hit by Maze ransomware. And while many details are still unclear, the company reassured clients that it only affected its own internal network, not customer systems.
Once the infection became apparent, Cognizant moved quickly to take down all impacted systems – a standard protocol during a ransomware attack.
Some customer systems were taken down as a precaution, including its billing system. In a brief statement, the company said it had provided clients “with Indicators of Compromise (IOCs),” which included the list of IP addresses that had initially set off the alarm among some customers.
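As an added example (not code from the original article or from Cognizant), this is the kind of check a customer could run against its own connection logs when an IOC list like the one described above arrives. The indicator addresses and firewall log lines are constructed placeholders drawn from documentation ranges, and the log format is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed IOC list in the style of the IP list described above; the
# addresses come from documentation ranges and are NOT real Maze indicators.
IOC_LIST = """
198.51.100.23      constructed C2 placeholder
203.0.113.0/24     constructed staging range placeholder
"""

# Constructed firewall log lines (placeholder data, not Cognizant's).
FIREWALL_LOG = """
2020-04-17T09:12:01Z src=10.20.4.15 dst=198.51.100.23 dport=443 action=allow
2020-04-17T09:12:05Z src=10.20.4.15 dst=93.184.216.34 dport=443 action=allow
2020-04-17T09:13:44Z src=10.20.7.9 dst=203.0.113.77 dport=3389 action=allow
2020-04-17T09:14:02Z src=10.20.4.15 dst=198.51.100.23 dport=443 action=allow
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")

def load_iocs(text):
    """Parse indicators into networks; a bare IP becomes a /32 network."""
    nets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        nets.append(ipaddress.ip_network(fields[0], strict=False))
    return nets

def match_log(log_text, nets):
    """Return (internal source, matched indicator) for each connection to a listed address."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dst_ip = ipaddress.ip_address(m.group(2))
        net = next((n for n in nets if dst_ip in n), None)
        if net is not None:
            hits.append((m.group(1), str(net)))
    return hits

def hosts_to_triage(hits):
    """Count hits per internal host so responders know what to isolate first."""
    return Counter(src for src, _ in hits)
```

Matching on CIDR ranges as well as single addresses matters because an IOC list often mixes both, and a host that repeatedly reaches a listed address is the one to isolate and image first.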
Deciphering the Maze
Some customers were able to link those IP addresses with the Maze ransomware group, as the same IP addresses had been used in previous attacks.
Maze is known for its 2-pronged attacks: data theft and ransomware encryption. Typically, its infections sit undiscovered for weeks, quietly collecting data from the victim. The operators grab whatever they can before locking the files on the victim’s systems.
This gives the attackers greater leverage for requesting a higher ransom. In essence, they use extortion, threatening to release their victims’ data publicly unless the ransom is paid.
The infection was likely on the network for weeks
When customers linked the IP addresses to Maze, that’s when the panic set in.
“If the Maze operators conducted this attack, they were likely present in Cognizant’s network for weeks, if not longer,” wrote BleepingComputer. In most attacks, Maze’s malware spreads laterally across a network. After it gains administrator credentials, it starts the encryption.
Before Cognizant confirmed that only its internal systems were affected, customers had to assume the worst: that their own data (and that of their customers) had been compromised.
Fortunately, it does not appear that the attack was able to move beyond Cognizant’s internal network. But the company revealed some telling details about the attack during its quarterly earnings call …
Remote workers disrupted
Cognizant’s CEO Brian Humphries revealed on the call that the impact of the attack was limited to two areas:
- The company’s select system for supporting employees’ work-from-home setups
- The provisioning of laptops that the company was using to support its remote workers during the COVID-19 pandemic
From a disaster-recovery perspective, this is striking. It means the attack took advantage of a vulnerability that may have been created in the chaotic operational shuffle that coronavirus caused as workers began working remotely.
So, can we blame COVID-19?
In some ways, we probably can.
Over the last few weeks, we’ve written extensively about the heightened threats of cyberattack, data loss and other vulnerabilities during COVID-19. Businesses in nearly every industry have undergone a massive transition during the pandemic. As companies rapidly shifted to remote work, they put added stress on IT systems and users – a perfect recipe for exploitation by hackers.
While we don’t know exactly how Cognizant’s systems became infected, it’s telling that the attack found a hole in the remote-work systems – a vulnerability that may not have been there just a few months earlier.
How Maze usually operates
To be clear, Maze is known for taking advantage of insecure remote desktop connections.
More specifically, Maze has exploited weak passwords in remote desktop connections or used email spoofing to fool users into visiting a malicious site, entering their credentials or downloading an infected file. The group has also been known to use exploit kits, which exploit system vulnerabilities.
Considering that the Cognizant attack affected “the provisioning of laptops” for work-from-home employees, we can infer that one or more of the following may have occurred:
- A laptop may not have been updated with the latest OS patches
- A user may have been using a weak password
- Users may have been duped by a spoofing/phishing email
Any of these scenarios points to a lapse in cybersecurity, which was probably created (or worsened) by the pandemic.
A $70M vulnerability
Despite the fact that only some internal systems were affected, the attack was incredibly costly.
The company did not appear to pay the ransom and it fully recovered within a few weeks. But the impact of the disruption was still extensive, and the aftermath will likely continue to be felt for months.
During the earnings call, Cognizant’s CFO Karen McLoughlin was upfront about the projected expenses, saying she anticipates, “the revenue and corresponding margin impact to be in the range of $50 million to $70 million for the quarter.”
And, as ZDNet rightly points out, those expenses don’t even include the “additional and unforeseen legal, consulting, and other costs associated with the investigation, service restoration, and remediation of the breach.”
More COVID-19 ransomware attacks occurring by the day
Cognizant’s $70M loss puts it in line with last year’s attack on aluminum producer Norsk Hydro, which incurred its own $70M in expenses.
But these incidents are only the tip of the iceberg.
- Last week, package-delivery giant Pitney Bowes suffered its second ransomware attack in 7 months, and Maze appeared to be the culprit.
- In April, Maze also struck healthcare giant Magellan Health. After an internal investigation, the company announced just last week that the attack had compromised some employees’ personally identifiable information, including names, contact information, employee ID numbers, tax form data and social security numbers.
- Two separate attacks on Texas government organizations occurred within a 2-week span this month. Attackers hit the Texas court system and Department of Transportation.
Hackers have also been targeting IT infrastructure supporting hospitals and healthcare facilities, in an attempt to exploit the panic surrounding the pandemic (and boost their ransom payments).
3 critical ways to protect your business
There are numerous steps you can take to reduce your risk of a successful ransomware attack. But the following 3 measures are arguably the most critical right now:
- Patch your systems: Update all software, operating systems and firmware, especially if you’re suddenly bringing older devices back online to support remote workers.
- Back up your data: Deploy a robust backup & disaster recovery solution that can rapidly restore data after an attack. Replicate backups to multiple locations (e.g., on-premises and in the cloud) for greater protection.
- Retrain employees on cybersecurity: Educate staff on the risks of a cyberattack, including ransomware, phishing emails and weak passwords. Illustrate safe practices for web and email. This is especially important if users are working on new or unfamiliar systems in response to the pandemic.
Keep in mind: restoring backups is usually the only way to fully recover from ransomware, but it won’t help you if the attack involved data theft too. This is why it’s so important to prevent hackers from gaining entry in the first place.
For more ways to prevent an attack, view our comprehensive guide to ransomware protection.
Need help? We’re here for you
To see how your organization can effectively combat ransomware with today’s best BC/DR solutions, request a free demo or contact our business continuity experts at Invenio IT. Call (646) 395-1170 or email us at success@invenioIT.com.