Maze ransomware criminals go virtual to evade detection


Close to 2 gigabyte virtual disk image hides payload.

Frustrated by having their attacks thwarted for days, the Maze ransomware criminals resorted to using a virtual machine to get around endpoint protection, security vendor Sophos said.

Sophos investigated an attack by Maze that took place in July this year, in which the ransomware criminals had penetrated a victim's network six days before trying to execute the file encryption payload.

The Maze gang mapped out the target network via a domain controller, succeeded in exfiltrating data to a cloud storage provider, and demanded a US$15 million (A$20.5 million) ransom.

However, the ransom was not paid and two efforts by Maze to execute the ransomware were quarantined and failed, Sophos researchers said.

Borrowing a technique from the earlier Ragnar Locker criminals, Maze put its ransomware payload inside an Oracle VirtualBox virtual machine to hide it from detection.

The .msi installer file Maze used weighs in at 733 megabytes as it uses Windows 7, compared to just 122 MB for Ragnar Locker's Windows XP-based malware delivery set-up.

Expanded, the virtual machine Maze used was 1.9 gigabytes in size, and contained a 494 KB ransomware executable.

Despite the elaborate subterfuge employed by Maze, the virtual machine-based ransomware attack was detected and failed.
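The numbers above (a 733 MB installer wrapping a 1.9 GB virtual machine that carries a 494 KB executable) point to a simple file-level signal defenders can check for: an installer that is wildly oversized for what it claims to be and that carries a VirtualBox disk image inside it. The following scanner is an added example written for this article; it is not Sophos code and not something the article says Sophos used. It assumes the embedded disk is in VirtualBox's VDI format (the article does not name the disk format) and uses an illustrative size threshold; the VDI banner and signature constants are the documented VDI header layout.

```python
"""Heuristic scanner: flag installer-sized files that embed a VirtualBox disk image.

Added example, not from the article or from Sophos. Assumptions: the VM disk is a
VDI file (the article does not name the disk format) and the size threshold is
illustrative, not a measured cut-off.
"""
import struct

# VDI layout: a 64-byte text pre-header ("<<< Oracle VM VirtualBox Disk Image >>>\n";
# older builds say Sun or innotek) followed by the little-endian signature 0xBEDA107F.
VDI_SIGNATURE = struct.pack("<I", 0xBEDA107F)
VDI_TEXT_MARK = b"VirtualBox Disk Image"
PREHEADER_LEN = 64


def find_embedded_vdi(data: bytes) -> list:
    """Return byte offsets of plausible VDI headers inside `data`.

    A hit needs both the 4-byte signature and the text banner in the 64 bytes
    before it, so a chance occurrence of the signature bytes alone is ignored.
    """
    hits = []
    pos = data.find(VDI_SIGNATURE)
    while pos != -1:
        if pos >= PREHEADER_LEN and VDI_TEXT_MARK in data[pos - PREHEADER_LEN:pos]:
            hits.append(pos - PREHEADER_LEN)
        pos = data.find(VDI_SIGNATURE, pos + 1)
    return hits


def assess_blob(name: str, data: bytes, big_installer_bytes: int = 200 * 1024 * 1024) -> dict:
    """Combine two weak signals into a triage verdict.

    `big_installer_bytes` (200 MB here) is an assumed threshold: the Maze MSI in
    the article was 733 MB, far above any ordinary line-of-business installer.
    An embedded VDI header alone is enough to ask for a human review.
    """
    vdi_offsets = find_embedded_vdi(data)
    oversized = len(data) >= big_installer_bytes
    return {
        "name": name,
        "size": len(data),
        "oversized": oversized,
        "vdi_offsets": vdi_offsets,
        "verdict": "review" if vdi_offsets else ("large" if oversized else "ok"),
    }


def build_sample_vdi_header() -> bytes:
    """Constructed sample: a minimal VDI header (banner, signature, version 1.1)."""
    banner = b"<<< Oracle VM VirtualBox Disk Image >>>\n"
    pre = banner.ljust(PREHEADER_LEN, b"\0")
    return pre + VDI_SIGNATURE + struct.pack("<HH", 1, 1)


# Constructed stand-in for an installer that smuggles a VM disk: filler bytes,
# then the VDI header, then more filler. Real files would be read from disk.
SAMPLE_MSI = b"MSI-like filler " * 64 + build_sample_vdi_header() + b"\0" * 512


if __name__ == "__main__":
    # Small threshold so the constructed sample trips both signals.
    print(assess_blob("setup.msi", SAMPLE_MSI, big_installer_bytes=1024))
    print(assess_blob("notes.txt", b"plain text, nothing embedded", big_installer_bytes=1024))
```

In practice this runs over files staged for installation or found in an incident, with the real 200 MB default; it only catches the VDI case, so treat it as one triage signal alongside the endpoint controls that actually stopped the attack described above.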
