Level 64
Content Creator
Malware Hunter
[...] While performing an incident response for one of their customers, Sophos discovered Maze had attempted to deploy their ransomware twice but were blocked by Sophos' Intercept X feature.
For the first two attempts, the Maze attacker attempted to launch various ransomware executables using scheduled tasks named 'Windows Update Security,' or 'Windows Update Security Patches,' or 'Google Chrome Security Update.'
After the two failed attacks, Sophos' Peter Mackenzie told BleepingComputer that the Maze threat actors tried a tactic previously used by the Ragnar Locker ransomware.
In their third attack, Maze deployed an MSI file that installed the VirtualBox VM software on the server along with a customized Windows 7 virtual machine. [...]
Full report by researchers from Sophos: Maze attackers adopt Ragnar Locker virtual machine technique


Level 14
The Maze ransomware operators have adopted a tactic previously used by the Ragnar Locker gang: to encrypt a computer from within a virtual machine.

In May, we previously reported that Ragnar Locker was seen encrypting files through VirtualBox Windows XP virtual machines to bypass security software on the host.
The virtual machine would mount a host's drives as remote shares and then run the ransomware in the virtual machine to encrypt the share's files.
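
A defender-side way to hunt for the two indicators described in the posts above (the reported scheduled task names, and VirtualBox appearing on a host where it is not sanctioned), as an added example that is not part of the original posts or the Sophos report. The normalised event shape, the host names and the approved-host list are assumptions, and the sample events are constructed.

```python
from ntpath import basename  # splits on backslashes regardless of the analyst's OS

# Scheduled task names reported in the quoted article (compared case-insensitively).
TASK_NAMES = {
    "windows update security",
    "windows update security patches",
    "google chrome security update",
}
# VirtualBox binary names; the signal is seeing them on a host with no
# sanctioned hypervisor role, not the binaries themselves.
VBOX_BINARIES = {"vboxheadless.exe", "vboxsvc.exe", "vboxmanage.exe", "virtualbox.exe"}
# Assumption: hypothetical inventory of hosts where VirtualBox is approved.
APPROVED_VBOX_HOSTS = {"LAB-VM01"}

# Constructed events, shaped like Windows Security 4698 (scheduled task created)
# and 4688 (process created) after normalisation by a log pipeline.
SAMPLE_EVENTS = [
    {"host": "FS01", "event_id": 4698, "task_name": "\\Windows Update Security"},
    {"host": "FS01", "event_id": 4698, "task_name": "\\Google Chrome Security Update"},
    {"host": "FS01", "event_id": 4688, "image": "C:\\Windows\\System32\\msiexec.exe"},
    {"host": "FS01", "event_id": 4688, "image": "C:\\Program Files\\Oracle\\VirtualBox\\VBoxHeadless.exe"},
    {"host": "LAB-VM01", "event_id": 4688, "image": "C:\\Program Files\\Oracle\\VirtualBox\\VBoxHeadless.exe"},
    {"host": "WS07", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan"},
]

def find_hits(events, approved_hosts=APPROVED_VBOX_HOSTS):
    """Return (host, rule, value) tuples for events matching either indicator."""
    hits = []
    for ev in events:
        if ev["event_id"] == 4698:
            # Task names are stored as paths; compare only the leaf name.
            leaf = basename(ev.get("task_name", "")).strip().lower()
            if leaf in TASK_NAMES:
                hits.append((ev["host"], "maze_task_name", leaf))
        elif ev["event_id"] == 4688:
            exe = basename(ev.get("image", "")).lower()
            if exe in VBOX_BINARIES and ev["host"] not in approved_hosts:
                hits.append((ev["host"], "unexpected_virtualbox", exe))
    return hits

def escalate(hits):
    """Hosts showing both indicators: the reported task names plus an unexpected VM."""
    rules_by_host = {}
    for host, rule, _ in hits:
        rules_by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) == 2)

if __name__ == "__main__":
    hits = find_hits(SAMPLE_EVENTS)
    print(*hits, sep="\n")
    print("escalate:", escalate(hits))
```

Task names are trivially changed by an attacker, so the unexpected-hypervisor rule is the more durable of the two; the name match is mainly useful for retrospective searches.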


Level 14
That's incredibly sophisticated. Meanwhile, AVs still aren't sandboxed, much less operating from their own virtual environment. If these malware writers sat together and wrote an AV they would probably be the best in the industry lol.
Yes, they excel.
They also cooperate with each other and share knowledge.
They may succeed in solving their interest in protection rather than penetration.