In unrelated assaults, Maze ransomware operators have hit two different US-based companies within a week of each other.

IT service provider Conduent, which uses the latest technology to deliver payment and HR solutions to more than 500 governments and Fortune 100 companies, was attacked first. This was swiftly followed by a systems breach at a subsidiary enterprise of ST Engineering Aerospace just one week later.

Maze operators commonly target corporate networks running Windows operating systems. After systems have been breached, Maze ransomware encrypts data rendering it inaccessible for the enterprise it opens while simultaneously stealing information with the intention of holding it hostage or selling it on. If corporations resist paying out the requested ransom, they are threatened with public exposure of confidential material, backed up with proof. This evidence usually consists of partial documents containing sensitive data displayed on a Dark Web site online.

Different methods of penetration and data taken

While Maze ransomware was used against both companies, different approaches were used to infiltrate them, and different file types were stolen.

In the case of Conduent, for around eight weeks it had been using unpatched Citrix Virtual Private Networks (VPNs) rendering it exposed to a well-known weakness. Following a nine-hour long service interruption, Conduent’s Europe systems discovered Maze ransomware and responded quickly, with the breach addressed by the company’s cybersecurity protocols. Although Conduent has not named Maze explicitly as the cause of its breach, the ransomware group has exposed the company’s customer audits and other data on its dedicated Dark Web site online.

The ST Engineering Aerospace attack saw the data breach undetected for far longer. Investigation into the attack suggests that the ransomware deployed by Maze operators was embedded inside a phishing email. Once the email was opened, the ransomware was activated and the machine it had infected started encrypting data files.

Maze’s site then listed ST Engineering Aerospace’s data including government contracts with South American countries Argentina and Peru, US-based air carrier American Airlines and even government-linked organisations such as NASA. The exposed data also included financial records and project plans, making a grand sum of about 1.5 terabytes of information, released when the aerospace firm refused to pay.

Steps taken following the attacks

Cybersecurity firms advise that all companies can protect themselves by making sure they have a solid structure in place that regularly implements the most up-to- date patches to avoid vulnerabilities. Spokesperson for Conduent, Sean Collins, commented on the company breach and measures taken:

“As our investigation continues, we have on-going internal and external security forensics and anti-virus teams reviewing and monitoring our European infrastructure.”

When ST Engineering Aerospace identified the incident it took swift action, disconnecting infected systems and employing expert independent forensic advisors as part of the investigation. It also informed the necessary authorities for law enforcement.

In a recent statement following the breach, the enterprise stated it would now be employing the latest tools to fix the interruption and restore its systems. It is also making moves to ramp up the overall strength of its cybersecurity architecture to avoid future attacks.