{
	"id": "20969c7e-a243-4484-b4d5-7d973bcf1929",
	"created_at": "2026-04-06T00:12:48.907689Z",
	"updated_at": "2026-04-10T03:20:16.463637Z",
	"deleted_at": null,
	"sha1_hash": "7cc28a4e947ddca3cfbb9c65e15aefdb8dea6af4",
	"title": "IT services giant Cognizant suffers Maze Ransomware cyber attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1122204,
	"plain_text": "IT services giant Cognizant suffers Maze Ransomware cyber attack\r\nBy Lawrence Abrams\r\nPublished: 2020-04-18 · Archived: 2026-04-05 18:36:04 UTC\r\nInformation technologies services giant Cognizant suffered a cyber attack Friday night allegedly by the operators of the\r\nMaze Ransomware, BleepingComputer has learned.\r\nCognizant is one of the largest IT managed services company in the world with close to 300,000 employees and over $15\r\nbillion in revenue.\r\nAs part of its operations, Cognizant remotely manages its clients through end-point clients, or agents, that are installed on\r\ncustomer's workstations to push out patches, software updates, and perform remote support services.\r\nhttps://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/\r\nPage 1 of 5\n\nhttps://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nOn Friday, Cognizant began emailing their clients, stating that they had been compromised and included a \"preliminary list\r\nof indicators of compromise identified through our investigation.\" Clients could then use this information to monitor\r\ntheir systems and further secure them.\r\nThe listed IOCs included IP addresses of servers and file hashes for the kepstl32.dll, memes.tmp, and maze.dll files.\r\nThese IP addresses and files are known to be used in previous attacks by the Maze ransomware actors.\r\nThere was also a hash for a new unnamed file, but there is no further information about it.\r\nSecurity research Vitali Kremez has released a Yara rule that can be used to detect the Maze Ransomware DLL.\r\nWhen we contacted the Maze operators about this attack, they deny being responsible.\r\nIn the past, Maze has been reticent to discuss attacks or victims until negotiations stall. As this attack is very recent, Maze is\r\nlikely not discussing it to avoid complications in what they hope would be potential ransom payment.\r\nAfter reporting on this attack, Cognizant posted a statement to their web site that confirms the cyber attack was by Maze\r\nRansomware:\r\nCognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of\r\nour clients, is the result of a Maze ransomware attack.\r\nOur internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident. \r\nCognizant has also engaged with the appropriate law enforcement authorities.\r\nWe are in ongoing communication with our clients and have provided them with Indicators of Compromise (IOCs) and other\r\ntechnical information of a defensive nature. \r\nThreat actors were likely on the network for weeks\r\nIf the Maze operators conducted this attack, they were likely present in Cognizant's network for weeks, if not longer.\r\nhttps://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/\r\nPage 3 of 5\n\nWhen enterprise-targeting ransomware operators breach a network, they will slowly and stealthily spread laterally\r\nthroughout the system as they steal files and steal credentials.\r\nOnce the attackers gain administrator credentials on the network, they will then deploy the ransomware using tools like\r\nPowerShell Empire.\r\nIf it was Maze, it must be treated as a data breach\r\nBefore deploying ransomware, the Maze operators always steal unencrypted files before encrypting them.\r\nThese files are then used as further leverage to have the victim pay the ransom as Maze will threaten to release the data if a\r\nvictim does not pay.\r\nChubb info on Maze news site\r\nThese are not idle threats as Maze has created a \"News' site that is used to publish stolen data from non-paying victims.\r\nIf Maze was not behind the attack as they claim, there is still a good chance that data was stolen as that has become a\r\nstandard tactic used by ransomware operators.\r\nFor this reason, all ransomware attacks must be treated as data breaches.\r\nThis is a developing story.\r\nhttps://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/\r\nhttps://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/"
	],
	"report_names": [
		"it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434368,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7cc28a4e947ddca3cfbb9c65e15aefdb8dea6af4.pdf",
		"text": "https://archive.orkl.eu/7cc28a4e947ddca3cfbb9c65e15aefdb8dea6af4.txt",
		"img": "https://archive.orkl.eu/7cc28a4e947ddca3cfbb9c65e15aefdb8dea6af4.jpg"
	}
}