The Maze ransomware operators now use a virtual machine to encrypt a computer, a tactic previously adopted by the Ragnar Locker malware.
The Maze ransomware operators have adopted a new tactic to evade detection, their malware now encrypts a computer from within a virtual machine. This technique was first adopted by Ragnar Locker gang in May, at the time the Ragnar Locker was deploying Windows XP virtual machines to encrypt victimâs files while bypassing security measures.
The malware leverages a VirtualBox feature that allows the host operating system to share folders and drives as a network share inside a virtual machine. The virtual machine mounts the shared path as a network drive from the \VBOXSVR virtual computer to access their content.
The virtual machine then runs the ransomware in the virtual machine to encrypt the shareâs files.
As the security software running on the victimâs host will not detect the ransomware executable or activity on the virtual machine, it will happily keep running without detecting that the victimâs files are now being encrypted.
Now Maze ransomware operators are using the same technique, according to researchers from Sophos that blocked some of their attacks.
âWhile conducting an investigation into an attack in July in which the attackers repeatedly attempted to infect computers with Maze ransomware, analysts with Sophosâ Managed Threat Response (MTR) discovered that the attackers had adopted a technique pioneered by the threat actors behind Ragnar Locker earlier this year, in which the ransomware payload was distributed inside of a virtual machine (VM).â reads the analysis published by Sophos.
In the two attempts blocked by the Sophos end-point, the Maze operators attempted to launch various ransomware executables using scheduled tasks named âWindows Update Security,â or âWindows Update Security Patches,â or âGoogle Chrome Security Update.â
In the third attack blocked by Sophos, Maze ransomware operators deployed an MSI file that installed the VirtualBox VM software on the server along with a customized Windows 7 virtual machine.
Upon executing the virtual machine, a batch file named startup_vrun.bat batch file would be executed that drops the Maze executables in the machine.
The startup_vrun.bat file is located at c:usersAdministratorAppDataRoamingMicrosoftWindowsStart MenuStartup to achieve persistence.
âThe root of that virtual disk contained three files associated with the Maze ransomware: preload.bat, vrun.exe, and a file just named payload (with no file extension), which is the actual Maze DLL payload.â continues the analysis.
âThe script copies the same three files found on the root of the VM disk (the vrun.exe and payload DLL binaries, and the preload.bat batch script) to other disks, then issues a command to shut down the computer immediately. When someone powers the computer on again, the script executes vrun.exe.â
The machine is then shut down, after restarting it the vrun.exe will be launched to encrypt the hostâs files.
Experts pointed out that the size of the disk used in this attack is greater than the one observed in the previous Ragnar Lockerâs attacks.
The Ragnar Locker attack used a VM containing a Windows XP image that was only 404 MB in size. As Maze used Windows 7 image, the size of the file employed was of 2.6 GB.
âThe Maze threat actors have proven to be adept at adopting the techniques demonstrated to be successful by other ransomware gangs, including the use of extortion as a means to extract payment from victims.â concludes the report. âAs endpoint protection products improve their abilities to defend against ransomware, attackers are forced to expend greater effort to make an end-run around those protections.â
(SecurityAffairs â hacking, Maze ransomware)
