Maze ransomware now encrypts via virtual machines to evade detection

silversurfer

[...] While performing an incident response for one of their customers, Sophos discovered Maze had attempted to deploy their ransomware twice but were blocked by Sophos' Intercept X feature.
For the first two attempts, the Maze attacker attempted to launch various ransomware executables using scheduled tasks named 'Windows Update Security,' or 'Windows Update Security Patches,' or 'Google Chrome Security Update.'
After the two failed attacks, Sophos' Peter Mackenzie told BleepingComputer that the Maze threat actors tried a tactic previously used by the Ragnar Locker ransomware.
In their third attack, Maze deployed an MSI file that installed the VirtualBox VM software on the server along with a customized Windows 7 virtual machine. [...]
Full report by researchers from Sophos: Maze attackers adopt Ragnar Locker virtual machine technique
 

[correlate]

The Maze ransomware operators have adopted a tactic previously used by the Ragnar Locker gang: encrypting a computer from within a virtual machine.

In May, we reported that Ragnar Locker was seen encrypting files through VirtualBox Windows XP virtual machines to bypass security software on the host.
The virtual machine would mount a host's drives as remote shares and then run the ransomware in the virtual machine to encrypt the shares' files.
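The two posts above describe a sequence a defender can correlate: scheduled tasks created under deceptive update-style names, VirtualBox pushed onto a server by an MSI package, and host drives exposed to a guest that is then started headless. The following is an added example of detection logic run over process-creation telemetry; it is not code from the article, from Sophos, or from either poster. The event shape (host, image, command line), the hypothetical host names, and the sample command lines are constructed; the three task names come from the Sophos write-up, while the VBoxManage `sharedfolder add` and `startvm --type headless` invocations are standard VirtualBox commands assumed here as the way the guest would get at the host's drives, since the page does not show the attacker's actual commands.

```python
"""
Correlate process-creation events into indicators of the
'ransomware inside a VirtualBox guest' technique.
All sample telemetry below is constructed, not real logs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 shape, reduced to the fields used)."""
    host: str
    image: str      # full path of the new process
    cmdline: str    # its command line


# Task names quoted in the Sophos write-up; matched case-insensitively.
DECEPTIVE_TASK_NAMES = {
    "windows update security",
    "windows update security patches",
    "google chrome security update",
}


def scheduled_task_name(cmdline: str):
    """Return the /tn argument of a schtasks command line (quoted or bare), or None."""
    m = re.search(r'/tn\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return (m.group(1) or m.group(2)).strip()


def classify(ev: ProcEvent) -> set:
    """Map one event to the set of technique indicators it matches (possibly empty)."""
    exe = ev.image.lower().rsplit("\\", 1)[-1]
    cmd = ev.cmdline.lower()
    hits = set()
    if exe == "schtasks.exe" and "/create" in cmd:
        name = scheduled_task_name(ev.cmdline)
        if name and name.lower() in DECEPTIVE_TASK_NAMES:
            hits.add("deceptive_task_name")
    if exe == "msiexec.exe" and "virtualbox" in cmd and ".msi" in cmd:
        hits.add("virtualbox_install")
    if exe == "vboxmanage.exe":
        if "sharedfolder" in cmd and " add " in cmd:
            hits.add("host_drive_shared_into_vm")
        if "startvm" in cmd and "headless" in cmd:
            hits.add("headless_vm_start")
    if exe == "vboxheadless.exe":
        hits.add("headless_vm_start")
    return hits


def correlate(events):
    """Union of indicators seen per host."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev.host] |= classify(ev)
    return dict(per_host)


def hosts_to_alert(events, min_indicators=2):
    """Hosts showing at least min_indicators distinct stages of the technique."""
    return sorted(h for h, ind in correlate(events).items() if len(ind) >= min_indicators)


# Constructed sample telemetry: one compromised server, one benign workstation.
SAMPLE_EVENTS = [
    ProcEvent("SRV-FILE01", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "Windows Update Security" /tr C:\ProgramData\wu.exe /sc once /st 03:00'),
    ProcEvent("SRV-FILE01", r"C:\Windows\System32\msiexec.exe",
              r"msiexec /i C:\ProgramData\VirtualBox-6.1.msi /qn"),
    ProcEvent("SRV-FILE01", r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
              r'VBoxManage sharedfolder add "micro" --name c_drive --hostpath "C:\"'),
    ProcEvent("SRV-FILE01", r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
              r"VBoxManage startvm micro --type headless"),
    ProcEvent("WKS-042", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "Nightly Backup" /tr C:\Tools\backup.exe /sc daily /st 23:00'),
    ProcEvent("WKS-042", r"C:\Windows\System32\msiexec.exe",
              r"msiexec /i C:\Users\alice\Downloads\7z1900-x64.msi /qn"),
]

if __name__ == "__main__":
    for host, ind in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(ind))
    print("alert:", hosts_to_alert(SAMPLE_EVENTS))
```

A single indicator is weak on its own (administrators do install VirtualBox and do create scheduled tasks), which is why the alert requires two distinct stages on the same host; VirtualBox appearing on a file server at all, or a shared folder whose host path is a drive root, is worth a lower-severity signal even alone.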
 

SpiderWeb

That's incredibly sophisticated. Meanwhile, AVs still aren't sandboxed much less operating from their own virtual environment. If these malware writers sat together and wrote an AV they would probably be the best in the industry lol.
 

[correlate]

That's incredibly sophisticated. Meanwhile, AVs still aren't sandboxed much less operating from their own virtual environment. If these malware writers sat together and wrote an AV they would probably be the best in the industry lol.
Yes, they excel.
They also cooperate with each other and share knowledge.
They may succeed in solving their interest in protection rather than penetration.
 
