Maze ransomware criminals go virtual to evade detection

Close to 2-gigabyte virtual disk image hides payload.

Frustrated by having their attacks thwarted for days, the Maze ransomware criminals resorted to using a virtual machine to get around endpoint protection, security vendor Sophos said.

Sophos investigated an attack by Maze that took place in July this year in which the ransomware criminals had penetrated a victim's network six days before trying to execute the file encryption payload.

The Maze gang mapped out the target network via a domain controller and succeeded in exfiltrating data to cloud storage provider Mega.nz and demanded a US$15 million (A$20.5 million) ransom.

However, the ransom was not paid and two efforts by Maze to execute the ransomware were quarantined and failed, Sophos researchers said.

Borrowing a technique from the earlier Ragnar Locker criminals, Maze put its ransomware payload inside an Oracle VirtualBox virtual machine to hide it from detection.

The .msi installer file Maze used weighs in at 733 megabytes because the virtual machine it carries runs Windows 7, compared to just 122 MB for Ragnar Locker's Windows XP-based malware delivery set-up.

Expanded, the virtual machine Maze used was 1.9 gigabytes in size, and contained a 494 KB ransomware executable.

Despite the elaborate subterfuge employed by Maze, the virtual machine-based ransomware attack was detected and failed.

Copyright © iTnews.com.au . All rights reserved.