ra2 studio - Fotolia

Maze ransomware attack will cost Cognizant at least $50m to $70m

Cognizant’s clients cut off the IT supplier’s access to their networks to contain a Maze ransomware attack – effectively putting projects on hold

A ransomware attack on IT services supplier Cognizant will cost the company between $50m and $70m over the next three months and it will incur further costs during the year as it works to fully restore its computer systems.

Cognizant, which supplies IT services to companies in the manufacturing, financial services, technology and healthcare industries, was attacked by the Maze ransomware group on 17 April, disrupting services to its customers.

The US computer services company, which has revenues of $16bn and operations in 37 countries, confirmed last week that the attack had encrypted and disabled some of its internal systems and forced it to take other systems offline.

The attack disrupted the company’s attempt to enable its staff to work from home during the coronavirus pandemic, by disrupting computer systems supporting virtual desktop infrastructure (VDI) and laptop provisioning.

Some of Cognizant’s clients opted to protect themselves from the malware by closing off Cognizant’s access to their networks, effectively putting projects on hold.

Cognizant customers include financial services companies ING and Standard Life, automotive company Mitsubishi Motors and HR services company PeopleSoft. It has not disclosed which of its clients have been affected by the attack.

CEO Brian Humphries said in an earnings call that the company’s cyber security team and executives had made hundreds of individual phone calls to its clients following the attack and had organised two client conference calls.

Cognizant supplied its customers with forensic data, known as indicators of compromise (IoCs), to enable them to identify potential hacking attacks on their networks.

The company held a third conference call with its clients last week, when it told them it had been able to contain the attack.

After taking an initial hit in the next quarter, Cognizant expects to pay further legal and consulting fees, and to incur costs for restoring services and remediating the security breach.

“We expect the vast majority of revenue and margin impact from the ransomware impact to be in the second quarter,” said Humphries last week. “However, ongoing remediation cost will ensue through subsequent quarters.”

Business continuity plan

Humphries said Cognizant had executed crisis management and business continuity plans that allowed the company to provide services for the “vast majority” of clients in March and early April.

The company had now restored its VDI and automated laptop provision, and was now “substantially work-from-home enabled”, he said.

“We’re using this experience as an opportunity to refresh and strengthen our approach to security,” he added.

This includes hardening computer security and consulting with security experts to develop Cognizant’s long-term cyber security strategy.

The Maze hacking group relies on Exploit kits, which contain software designed to attack known software vulnerabilities to penetrate company defences.

Cognizant has not disclosed how the attackers were able to access its systems.

Analysis by security company Bad Packets on 1 January 2020 identified five devices with Citrix vulnerability in Cognizant’s Trizetto healthcare solutions group in the US.

According to a security advisory notice, exploits were available that could have allowed attackers to execute arbitrary code on computer systems with the vulnerability. Cognizant had fixed the issued by 14 February.

Pitney Bowes attacked

In a separate incident, mailing and shipping services firm Pitney Bowes has confirmed that it is investigating an attack by the Maze ransomware group.

The hackers have published screenshots of the company’s file structure, which suggest that Maze has been able to access Pitney Bowes’ finance database, financial reports, and details on eBay and PayPal transactions.

Maze also claims to have gained access to files relating to the company’s customers, which include insurers Admiral and AIG, management consulting firm Alvarez & Marsal, retailers Arcadia and B&Q, and storage company Big Yellow.

Other data claimed to be in the hands of the criminals includes confidential files of a former executive of the company, files of selected Pitney Bowes employees, and staff rotas.

Read more on Hackers and cybercrime prevention

Data Center
Data Management