Unencrypted data most likely were stolen
In two data breach notification letters [
1,
2] filed with the Office of the Attorney General of California, Cognizant states that the Maze Ransomware operators were active on Cognizant's network between April 9th and the 11th.
During the time they had access, they "likely exfiltrated a limited amount of data from Cognizant’s systems."
Before deploying ransomware and encrypting devices, the Maze Ransomware operators will first spread laterally through the network and steal unencrypted files.
These stolen files are then
used as an extortion tactic by threatening to publicly release the data on the
Maze data leak site if the victim does not pay the ransom.