{
	"id": "aed8de5a-e039-41a4-a0d4-19ae437cc77f",
	"created_at": "2026-04-10T03:21:04.4852Z",
	"updated_at": "2026-04-10T03:22:19.243093Z",
	"deleted_at": null,
	"sha1_hash": "156a1591473f0bdb48d2a101e9145ecf98f2b9f8",
	"title": "Applying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 182329,
	"plain_text": "Applying the Diamond Model to Cognizant (MSP) vs. Maze\r\nRansomware\r\nBy Killbit\r\nPublished: 2024-06-22 · Archived: 2026-04-10 03:01:01 UTC\r\n11 min read\r\nDec 14, 2020\r\nIntroduction\r\nIn our modern era, one of the most prevalent threats to the computing world is ransomware. Ransomware is a\r\nform of malware that, once executed, encrypts files and the victim’s attached network shares (Columbus, 2019).\r\nOnce the files and connected network shares have become encrypted, the victim is presented with a ransom note\r\nthat generally states for a payment to be made in exchange for the private key to decrypt the victim’s data. This\r\nattack is crippling to victim organizations that need access to their files and data to maintain daily operations. The\r\ndisruptions from ransomware can cost companies millions in damages. The average ransomware payment is about\r\n$233,817, with the median cost of $110,532. Maze malware makes up 13.6% of the ransomware market share,\r\nlanding it in second place among top strands (Siegel 2020). It is estimated that ransomware caused $7.5 billion in\r\ndamages last year in the United States (O’Neill 2019). A research group at Emisoft tallied up 113 governments and\r\nagencies, 764 health-care providers, and up to 1,233 individual schools affected by ransomware in America\r\n(O’Neill 2019).\r\nThe incident reviewed in this paper is about the Maze ransomware attack on a Fortune 500 organization. The\r\norganization under attack was Cognizant, which was among the largest of the Maze ransomware victims. Maze\r\nransomware was initially discovered in May of 2019 by Jerome Segura, a researcher at Malwarebytes\r\n(Cybersecurity and HHS Cybersecurity Program 2020). Maze ransomware many initial access methods, post-exploitation methods, and data exfiltration techniques before encrypting victim data. 
The Maze ransomware\r\noperation is unique as it was the first notable version to add the element of extortion for enforcement of the\r\ndemanded ransom payment (Arntz 2020).\r\nCompanies like Cognizant are not well-positioned to protect their customer and employee data because, for them,\r\na robust Cybersecurity strategy is a cost-driven choice versus a legal requirement. Corporations are required to\r\nproduce profits for their shareholders as their primary mission, where Cybersecurity is an afterthought. Without a\r\ndisincentive for non-compliance, there is no way to ensure that citizen PII will be secured appropriately.\r\nHistory of the problem\r\nhttps://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f\r\nPage 1 of 7\n\nThe ransomware problem has a long history and is ever-present, however prosaic. The first significant strain\r\nof modern ransomware came to the forefront of the Cybersecurity industry in 2013 and was dubbed\r\n“CryptoLocker” (Laffan 2020). CryptoLocker’s behavior was to use 2048-bit RSA encryption on all files for\r\nwhich it had access permissions under the context of the compromised user account. In the process of encrypting\r\nfiles, the file names were simultaneously changed to have extensions such as “.cryptolocker” (Petters 2020). A text\r\nfile would be left on the desktop titled “DECRYPT_INSTRUCTION,” containing steps toward recovering the\r\nvictim’s data (Petters 2020). Victims would be instructed to transfer some amount of bitcoin to a digital wallet\r\ncontrolled by the attacker(s) in exchange for the encryption key to decrypt their data (Laffan 2020). After the\r\nCryptoLocker campaign’s success, which earned more than $3 million, many new strains and variants of\r\nransomware were released by the criminal underground (Groot 2020).\r\nRansomware variants ran into many problems when it came to receiving payments. 
At times there were\r\ndifficulties collecting payment due to attackers failing to keep their side of the deal (Hartwig 2016). Attacker\r\nreputations would be ruined after not following through with their side of the transaction. Attackers that did not\r\nissue the decryption key in exchange for the ransom discouraged future victims from bothering to make ransom\r\npayments. Large corporations also implemented proper backup solutions to revert to a previous backup without\r\nmaking the ransom payment. They also deployed cyber defense tools to not only detect but, in some cases,\r\nprevent the malware from running. At a certain point, researchers released free tools called “decryptors” that\r\ndecrypt victim files without paying the attackers.\r\nThe ransomware industry in 2019 produced an estimated 7.5 billion in revenues (Hartwig 2020). Trends seem to\r\nsuggest the market will grow to 20 billion by 2021 (Cook 2020). Many ransomware variants have been reverse-engineered, and the reverse-engineered code has been publicly posted on GitHub for anyone to study. One can only\r\nspeculate that with the news and source code of many ransomware variants publicly available, Maze developers\r\nfound a way to refine their malware to achieve tremendous financial success. Maze, unlike its predecessors, added\r\nthe elements of exfiltration and extortion (Arntz 2020). The exfiltration of plaintext data allowed the group to\r\nblackmail their victims into paying the ransom demanded under the threat of releasing the private data publicly.\r\nThis extortion tactic paid dividends as it removed the option of non-payment, since the cost of non-payment may ruin\r\nthe victim organization’s reputation beyond repair.\r\nExtent of the problem\r\nThe Maze ransomware variant affected many people. The people involved include large corporations, the\r\nemployees of those large corporations, their investors, and the citizens whose data became the product consumed\r\nby the Maze Gang. 
Public news reported that one victim corporation, Southwire, a wire and cable\r\nmanufacturer, had a 6-million-dollar ransom demanded (Sheridan 2020) while another anonymous company had\r\n15 million demanded (Whittaker 2020). Cognizant estimates a $50 — $70 million loss as the attack has them\r\npaying a ransom along with investigation services, legal expenses, restoration, and remediation costs (Cimpanu 2020).\r\nCognizant’s investors have likely been startled, causing expected investment losses, which are probably figured\r\ninto the estimation, as the corporate entity is publicly traded on the stock exchange. Many customers of Cognizant\r\nhave revoked access to their networks (Javier 2020); thus, Cognizant cannot, at least temporarily, service those\r\ncustomers.\r\nApplying the Diamond Model\r\nAdversary\r\nThe adversary operator and adversary customer, in this case, are the same: the Maze Gang. The Maze Gang is an\r\nanonymous underground criminal operation. The adversary has developed a well-known form of ransomware\r\ncoined “Maze Ransomware.” The adversary’s intent is financial as they hold victim data for ransom money under\r\nthreat of extortion.\r\nVictim\r\nCognizant is a Fortune 500 Managed Service Provider with 283,100 employees and revenue of $16.8 billion in\r\n2019 as touted by cognizant.com. Cognizant is a worldwide operation with customers all over the globe.\r\nCognizant publicly disclosed their Maze ransomware incident on April 18, 2020 (Culafi 2020).\r\nCapability\r\nThe Maze Gang has many capabilities, including their custom-developed advanced Maze ransomware. They have\r\nexercised spam and spear-phishing coupled with Microsoft Word documents containing malicious macros to\r\ntrigger the installation of their Maze ransomware. 
The use of the remote access trojan Cobalt Strike Beacon has\r\nbeen identified across multiple victims. Exploit kits, including Fallout EK and Spelevo EK, have been\r\nused to gain initial footholds on victim networks (Kennelly 2020). PowerShell scripts have been used to transfer\r\nvictim data via FTP. The Maze Gang has published collected victim records on their website\r\nhttp://mazenews[.]top. The Gang’s command and control was hosted behind many IP addresses; many were\r\nLithuanian and Russian, as can be referenced in this paper’s Infrastructure section. The Maze Gang has been shown to\r\nuse Cobalt Strike Beacons and Meterpreter agents, which indicate that the C2 infrastructure at a minimum\r\ncontains a Metasploit server and a Cobalt Strike server.\r\nInfrastructure\r\nThe Maze infrastructure contains an FTP server for data exfiltration purposes. Command and control callbacks\r\nhave been witnessed by many sources reaching out to many Russian IP addresses included in the following\r\nranges: 91.218.114.11/32, 91.218.114.12/30, 91.218.114.16/29, and 91.218.114.24/31 (Kennelly 2020). These\r\naddresses may be nothing more than proxies and a tactic to misdirect researchers or deter law enforcement\r\nagencies. The Gang controls several domains as well, including mazenews[.]top, newsmaze[.]top, and\r\nmazedecrypt[.]top (Kennelly 2020), where the group publicly posted data of victims that did not pay the ransom\r\n(Schwartz 2020). These domains were active in Ireland, running web servers within World Hosting Farm Limited,\r\nwhich inadvertently hosted the Maze Operation’s web front (Schwartz 2020).\r\nTechnology Meta-Feature\r\nCybersecurity research groups have discovered technologies frequently paired with Maze ransomware. 
Known\r\nprecursors to Maze ransomware include the use of Meterpreter (RAT), Cobalt Strike’s Beacon (RAT), Mimikatz (a\r\ntool frequently used to steal credentials), Bloodhound (for mapping the shortest path to domain administrator), encoded\r\nPowerShell scripts executed for malicious downloads as well as FTP file exfiltration, and batch scripts for large\r\nscale deployment of the Maze ransomware across a Windows domain (Kennelly 2020). Once the precursor\r\nactivities have been completed and the Maze ransomware is installed, critical data is encrypted, and a ransom\r\nletter is left in every directory possible with the file name “DECRYPT-FILES.txt” (Walter 2020). The ransom\r\nletter contains instructions on how to pay the ransom along with a threat to release stolen data publicly if payment\r\nis not received.\r\nThese attack tools are ubiquitous among white hat hackers known as Penetration Testers and Red Team\r\nOperators for legitimate testing purposes. As such, creating indicators of compromise in defensive tooling such as\r\nIntrusion Detection Systems, Advanced Endpoint Threat Detection tools, and even antivirus solutions is\r\nrelatively trivial and, in most cases, such indicators already exist. The fact that Cognizant did not detect the activity before losing\r\ncustomer and employee PII is a testament to how neglectful they have been with their internal Cybersecurity\r\noperation expenditures. 
Had Cognizant (and other victims) had proper security in place, IoCs could have been\r\nimplemented to detect or even prevent many malicious precursor activities; thus, they could have actively booted\r\nthe attackers off their network(s).\r\nSocial-Political Meta-Feature\r\nThe victim organization in this campaign provided the adversary the product of customer and employee personally\r\nidentifiable information (PII). The adversary’s intent was financially motivated with the purpose of economic\r\nespionage, extortion, and public shaming. The adversary pulled off a “smash and grab” operation. They stole the\r\nvictim’s valuable data, encrypted their file systems, and proceeded to extort the victim for money, threatening to\r\nrelease the data publicly. The approach establishes the adversary as non-persistent and can be marked as\r\n“Fleeting” on the persistence spectrum. The extortion technique prevents the victim from simply restoring their\r\nsystems from backups to avoid the ransom. Cognizant could have chosen not to pay the ransom. The cost to\r\nCognizant would then have been the public disclosure of private data, which would have scarred its reputation and\r\nits clients’ as well as investors’ confidence. Thus, breaking these trust relationships would ultimately lead to losing\r\ncurrent and future customers and current and future investments in the organization.\r\nDiamond Model Diagram\r\nPolicy Assessment\r\nTo best address the imminent threat of ransomware attacks such as Maze, it would be best approached from a\r\npolicy perspective of layer 9, the national layer. The problem is a Nationwide issue and is not specific to any\r\nsingle organization, so it should be handled at the National level. The national-level civil rights approach is best\r\nbecause citizen data privacy is of the utmost importance. 
Any organization that wants to have the privilege of\r\nstoring valuable private citizen data should also be forced to protect it heavily. Market failure for Cyber Security is\r\nprevalent where many organizations, including Cognizant, do not adequately defend customer data. When\r\norganizations face the cost of securing customer data, the incentives are low. The price of a data breach is difficult\r\nto quantify. The likelihood of becoming a victim is equally a mystery to most organizations. The cost-benefit\r\nanalysis to justify expenditures on expensive experienced Cyber Security personnel and costly security tooling is\r\noften non-existent. Without specific risk details and given such a high cost of defensive measures, it is easy to see\r\nhow this strongly discourages organizations from readily adopting protections to secure citizen and customer data\r\nappropriately. While some publicly disclosed meta-level reports do come out sporadically from various sources\r\nconcerning the cost of Cyber breaches, it appears that decision-makers at the organizational level can’t help but\r\nhave some degree of cognitive dissonance. In other words, “Why should our organization bear the cost of these\r\nsecurity measures when it is possible that we are never attacked?” Many organizations have the misconception\r\nthat they can use legal action to threaten attackers and intimidate them, thus thwarting attacks and data leaks.\r\nOther organizations believe they can set aside enough money to account for losses as an operational expense that\r\ncan then be mitigated by purchasing Cyber Liability insurance alone. When left to the organization, the decision\r\nfor securing citizen data is a cost analysis. 
When under a profit-driven capitalist economic model, an inherent\r\nconflict exists between reducing expenses to raise profits and data security’s optional expense.\r\nConclusion\r\nCompanies do not adopt healthy security postures to protect their customer and employee data because it is a\r\nsizeable and currently optional expense — the evolution of ransomware trending towards Ransomware-as-a-Service (Keijzer 2020, 106–108) virtually guarantees that it will continue to propagate at alarming rates. The\r\nextensive cost of Maze-like ransomware will continue to be paid by corporations, stockholders, employees, and\r\ncitizens until National layer action is taken. The Diamond Model analysis provided above laid out the components of the\r\nincident. If the government operating at the national societal layer passed a law to enforce compliance with\r\nminimum data security standards concerning citizen data, this would remove the inter-organizational struggle to\r\njustify the cost and make it a cost of doing business within that nation. In addition to putting a law in\r\nplace, a third-party compliance agency or agencies should be established to certify each organization’s\r\ncompliance. A law is likely the only way to force all industries to protect citizen and customer data sufficiently.\r\nWithout a disincentive for non-compliance, there is no way to ensure that citizen PII will be secured\r\nappropriately.\r\nIf you like my content and the work I have provided here, please consider sending some coffee love my way @\r\nhttps://www.buymeacoffee.com/killbit\r\nReferences\r\nPetters, Jeff. 2020. “CryptoLocker: Everything You Need to Know.” Inside Out Security.\r\nMarch 30. https://www.varonis.com/blog/cryptolocker/.\r\nLaffan, Kieran. 2020. 
“A Brief History of Ransomware.” Inside Out Security. June 20.\r\nhttps://www.varonis.com/blog/a-brief-history-of-ransomware/.\r\nArntz, Pieter. 2020. “Maze: the Ransomware That Introduced an Extra Twist.” Malwarebytes Labs. May 28.\r\nhttps://blog.malwarebytes.com/threat-spotlight/2020/05/maze-the-ransomware-that-introduced-an-extra-twist/.\r\nCimpanu, Catalin. 2020. “Cognizant Expects to Lose between $50m and $70m Following Ransomware Attack.”\r\nZDNet. May 8. https://www.zdnet.com/article/cognizant-expects-to-lose-between-50m-and-70m-following-ransomware-attack/.\r\nColumbus, Louis. 2019. “Shadow IT Is The Cybersecurity Threat That Keeps Giving All Year Long.” Forbes.\r\nDecember 15. https://www.forbes.com/sites/louiscolumbus/2019/12/15/shadow-it-is-the-cybersecurity-threat-that-keeps-giving-all-year-long/?sh=10d90c8e5561.\r\nCook, Sam. 2020. “50+ Ransomware Statistics \u0026 Facts for 2018–2020.” Comparitech. November 16.\r\nhttps://www.comparitech.com/antivirus/ransomware-statistics/.\r\nCulafi, Alexander. 2020. “Cognizant Discloses Maze Ransomware Attack.” SearchSecurity. TechTarget. April 20.\r\nhttps://searchsecurity.techtarget.com/news/252481892/Cognizant-discloses-Maze-ransomware-attack.\r\nGroot, Juliana De. 2020. “A History of Ransomware Attacks: The Biggest and Worst Ransomware Attacks of All\r\nTime.” Digital Guardian. October 6. https://digitalguardian.com/blog/history-ransomware-attacks-biggest-and-worst-ransomware-attacks-all-time.\r\nHartwig, Chris. 2016. “Ransomware Variant Won’t Decrypt Files After Ransom Paid.” WatchPoint Security Blog.\r\nJuly 27. https://blog.getcryptostopper.com/ransomware-variant-wont-decrypt-files-after-ransom-paid.\r\nHHS Cybersecurity Program. 2020. Maze Ransomware. Vol. 202006041030. 
Washington, DC: HHS.\r\nJavier, Rozelle Alyssa. 2020. “Cyber Insurers Brace for Payout after Cognizant Breach — Insurance Insider.”\r\nS\u0026P Global Market Intelligence.\r\nJuly 14. https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/cyber-insurers-brace-for-payout-after-cognizant-breach-8211-insurance-insider-59413789.\r\nKeijzer, Noel. 2020. “The New Generation of Ransomware — An in Depth Study of Ransomware-as-a-Service.”\r\nUniversity of Twente. June 25. http://essay.utwente.nl/81595/1/Keijzer_MA_EEMCS.pdf.\r\nKennelly, Jeremy. 2020. “Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE\r\nRansomware Incidents.” FireEye. May 7. https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html.\r\nO’Neill, Patrick Howell. 2020. “Ransomware May Have Cost the US More than $7.5 Billion in 2019.” MIT\r\nTechnology Review. April 2.\r\nhttps://www.technologyreview.com/2020/01/02/131035/ransomware-may-have-cost-the-us-more-than-75-billion-in-2019.\r\nSchwartz, Mathew J. 2020. “Maze Ransomware Victim Sues Anonymous Attackers.” BankInfoSecurity.\r\nJanuary 3. https://www.bankinfosecurity.com/maze-ransomware-victim-sues-anonymous-attackers-a-13574.\r\nSheridan, Kelly. 2020. “Ransomware Victim Southwire Sues Maze Operators.” Dark Reading.\r\nJanuary 3. https://www.darkreading.com/threat-intelligence/ransomware-victim-southwire-sues-maze-operators/d/d-id/1336719.\r\nSiegel, Bill. 2020. “Q3 Ransomware Demands Rise: Maze Sunsets \u0026 Ryuk Returns.” Coveware.\r\nNovember 4. https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report.\r\nWalter, Jim. 2020. “Maze Ransomware Update: Extorting and Exposing Victims.” SentinelLabs. 
August 6.\r\nhttps://labs.sentinelone.com/maze-ransomware-update-extorting-and-exposing-victims/.\r\nWhittaker, Zack. 2020. “Maze, a Notorious Ransomware Group, Says It’s Shutting Down.” TechCrunch.\r\nNovember 2. https://techcrunch.com/2020/11/02/maze-ransomware-group-shutting-down/.\r\nSource: https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f"
	],
	"report_names": [
		"applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f"
	],
	"threat_actors": [],
	"ts_created_at": 1775791264,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/156a1591473f0bdb48d2a101e9145ecf98f2b9f8.pdf",
		"text": "https://archive.orkl.eu/156a1591473f0bdb48d2a101e9145ecf98f2b9f8.txt",
		"img": "https://archive.orkl.eu/156a1591473f0bdb48d2a101e9145ecf98f2b9f8.jpg"
	}
}