Conduent Hit By Maze Ransomware, Documents Stolen: Security Analysts

Business process outsourcing firm Conduent said its European operations were hit with ransomware last week, which two security companies said has led to the leak of internal company documents on to the web.

Ransomware busters Emsisoft, as well as the threat intelligence firm Bad Packets, said Conduent appears to have been struck by Maze ransomware. Maze is the same brand of ransomware that hit Cognizant in April during in a high profile attack that locked some employees out of the company’s email systems, just as Cognizant was moving employees to remote work.

In the Conduent attack, Maze hackers appear to have published two zip files which New Zealand-based Emsisoft security analyst Brett Callow said contain documents related to the company’s work in Germany. The files were released Wednesday on a site that publicizes Maze attacks.

“I see a file for Vodafone Deutschland,” he told CRN. “These groups typically start by posting the older and less sensitive data served if they were to post the Crown Jewels so to speak, the company would have less incentive to pay for the remaining data being published.”

Conduent released a statement today confirming the attack happened on May 29. The statement said it lasted about nine hours before its systems were back online.

“Conduent's European operations experienced a service interruption on Friday, May 29, 2020, the statement reads. “Our system identified ransomware, which was then addressed by our cybersecurity protocols. This interruption began at 12.45 AM CET on May 29th with systems mostly back in production again by 10.00 AM CET that morning, and all systems have since then been restored. This resulted in a partial interruption to the services that we provide to some clients. As our investigation continues, we have on-going internal and external security forensics and anti-virus teams reviewing and monitoring our European infrastructure.”

[RELATED: Cognizant Breach: 10 Things To Know About Maze Ransomware Attacks]

Conduent did not respond to a question about whether any documents were taken, or whether any data was stolen from its governmental customers. Conduent runs automated toll systems in several states, an operation that has come under fire from lawmakers.

Conduent was created after Xerox spun off its business process outsourcing business in 2016. It started trading in December 2016 at $14.60 a share. Its stock price reached a high of $23.27 in September 2018. Conduent shares closed at $2.66 yesterday.

Cybersecurity research firm Bad Packet posted a tweet yesterday that suggested one of Conduent’s Citrix servers was vulnerable to a specific threat for eight weeks between December 17 and Feb. 14. The company also tweeted screenshots that confirm what Callow stated were document’s related to Conduent’s business with Vodafone. The document appears to be an invoice and is titled “Rechnung,” which is the German word for “bill.” It is dated March 2018.

Conduent did not respond to a CRN email that asked the company about Bad Packet’s research.

Cognizant’s attack is expected to hit the company’s bottom line, as mitigation costs are likely to spiral to between $50 and $70 million, the company told investors during an earnings call in early May. The company also may spend money on legal costs, consultants and other costs related to its ongoing investigation into the attack.

“While we have restored the majority of our services and we are moving quickly to complete the investigation, it is likely that costs related to the ransomware attack will continue to negatively impact our financial results beyond Q2,” said Cognizant CFO Karen McLoughlin.

The attack on Cognizant came a year after massive solution provider Wipro was hit by cybercriminals who seeded ransomware through a number of its customers.