Taking a tip from their peers, the cyber criminal operators of the Maze ransomware appear to have started to distribute ransomware payloads inside the virtual hard drive of a malicious virtual machine (VM), according to analysts at Sophos’ Managed Threat Response unit.
This technique was pioneered by the group behind Ragnar Locker earlier in 2020 – Ragnar Locker being one of a number of ransomware groups to have come together with Maze to form a cartel-like operation.
Now, with a few tweaks, the technique is being incorporated into Maze’s playbook as well, according to Sophos principal researcher Andrew Brandt and incident response team lead Peter Mackenzie, who have been analysing it.
During their probe into an incident at an unnamed Sophos customer, Brandt and Mackenzie found that the Maze gang had actually penetrated the target network a few days previously and had twice attempted to upload their ransomware payload and demanded a ransom of $15m, which was not paid.
However, these attempts were both thwarted by existing Sophos tools that were present, so they decided to try the borrowed Ragnar Locker technique instead. This was spotted and stopped because the Sophos team that responded to it was the same team that responded to the Ragnar Locker attack in which the technique was first seen.
In the previous attack, the Ragnar Locker ransomware was deployed in an Oracle VirtualBox Windows XP VM. The Maze gang took a slightly adapted approach, using a Windows 7 machine, not an XP one, which increased the size of the virtual disk quite significantly and added new functionality that was not available to the Ragnar Locker group.
However, the fundamentals of the attack were found to be identical. The Maze payload was again contained in a VirtualBox .vdi file and delivered via a Windows .msi installer file. Included within the .msi file was a decade-old copy of the VirtualBox hypervisor that ran the VM and was a so-called “headless” device, without a user-facing interface.
“The attack chain uncovered by Sophos threat responders highlights the agility of human adversaries and their ability to quickly substitute and reconfigure tools and return to the ring for another round,” said Mackenzie.
“The use of a noisy Ragnar Locker virtual machine technique, with its big footprint and CPU usage, could reflect a growing frustration on the part of the attackers after their first two attempts to encrypt data failed.”
Brandt and Mackenzie said the Maze threat actors were proving increasingly adept at adopting techniques that have already been proved successful by other groups, including the use of extortion to extract payment from victims.
“As endpoint protection products improve their abilities to defend against ransomware, attackers are forced to expend greater effort to make an end-run around those protections,” they said.
More technical details of the new Maze technique is available from Sophos, and indicators of compromise are available via GitHub.