Frustrated by having their attacks thwarted repeatedly, the Maze ransomware criminals resorted to using a virtual machine to get around endpoint security, security vendor Sophos said.
Sophos investigated an attack by Maze that took place in July this year, in which the ransomware criminals had penetrated a victim’s network six times before trying to execute the file-encryption payload.
The Maze gang mapped out the target network via a domain controller, succeeded in exfiltrating data to cloud storage provider Mega.nz, and demanded a US$15 million (A$20.5 million) ransom.
However, the ransom was not paid, and two attempts by Maze to execute the ransomware were quarantined and failed, Sophos researchers said.
Borrowing a technique from the earlier Ragnar Locker criminals, Maze placed its ransomware payload inside an Oracle VirtualBox virtual machine to hide it from detection.
A $15M attack: Under pressure, Maze ransomware attackers resort to virtual machine trick from Ragnar Locker (upgraded to Windows 7 w/ quick payload swapping script). They were blocked once more b/c of CryptoGuard (oet Twente) https://t.co/aZayfvxNij by @AltShiftPrtScn @threatresearch pic.twitter.com/oY6syPCUZM
— Mark Loman (@markloman) September 17, 2020
The .msi installer file Maze used weighs in at 733 megabytes because it bundles Windows 7, compared with just 122 MB for Ragnar Locker’s Windows XP-based malware delivery setup.
Expanded, the virtual machine Maze used was 1.9 gigabytes in size and contained a 494 KB ransomware executable.
Despite the elaborate subterfuge used by Maze, the virtual machine-based ransomware attack was detected and failed.