Maze ransomware borrows Ragnar Locker techniques to sneak past defences

New research from the Sophos threat response team has found that the Maze ransomware gang has adopted techniques pioneered by the cyber criminals behind Ragnar Locker

By Alex Scroxton

Published: 17 Sep 2020 15:23

Taking a tip from their peers, the cyber criminal operators of the Maze ransomware appear to have started distributing ransomware payloads inside the virtual hard drive of a malicious virtual machine (VM), according to analysts at Sophos' Managed Threat Response unit.

This technique was pioneered by the group behind Ragnar Locker earlier in 2020, Ragnar Locker being one of a number of ransomware groups to have come together with Maze to form a cartel-like operation.

Now, with a few tweaks, the technique is being incorporated into Maze's playbook as well, according to Sophos principal researcher Andrew Brandt and incident response team lead Peter Mackenzie, who have been analysing it.

During their investigation of an incident at an unnamed Sophos customer, Brandt and Mackenzie found that the Maze gang had actually penetrated the target network a few days earlier and had twice tried to deploy their ransomware payload, demanding a ransom of $15m, which was not paid.

However, both of these attempts had been thwarted by the basic Sophos tools that were present, so the attackers decided to try the borrowed Ragnar Locker technique instead. This was spotted and stopped because the Sophos team that responded to it was the same team that had responded to the Ragnar Locker attack in which the technique was first seen.

In the earlier attack, the Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP VM. The Maze gang took a slightly adapted approach, using a Windows 7 machine rather than an XP one, which increased the size of the virtual disk quite significantly and added new functionality that had not been available to the Ragnar Locker group.

However, the basics of the attack were found to be identical. The Maze payload was again contained in a VirtualBox .vdi file and delivered by a Windows .msi installer file. Included inside the .msi file was a decade-old copy of the VirtualBox hypervisor that ran the VM; it was a so-called "headless" tool, with no user-facing interface.
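As an added example (not code from the article, Sophos or the Maze investigation), a minimal defender-side check that runs over endpoint process-creation events and flags the pattern just described: a VirtualBox hypervisor launched from an unusual location, spawned by an MSI installer, run headless, or pointed at a .vdi disk. The event fields, file paths and sample events are constructed assumptions, not real telemetry.

```python
from dataclasses import dataclass

# Constructed event shape, loosely modelled on endpoint process-creation telemetry.
@dataclass
class ProcEvent:
    image: str          # full path of the newly created process
    parent_image: str   # full path of its parent process
    command_line: str

# Real VirtualBox executables; VBoxHeadless is the frontend with no user interface.
VBOX_IMAGES = {"vboxheadless.exe", "virtualbox.exe", "vboxmanage.exe", "vboxsvc.exe"}
# Assumption: the organisation only installs VirtualBox under this path.
SANCTIONED_PREFIXES = ("c:\\program files\\oracle\\virtualbox\\",)

def suspicious_vm_launches(events):
    """Return (event, reasons) pairs for VirtualBox launches that match the pattern."""
    hits = []
    for ev in events:
        name = ev.image.rsplit("\\", 1)[-1].lower()
        if name not in VBOX_IMAGES:
            continue  # not a VirtualBox binary at all
        reasons = []
        if not ev.image.lower().startswith(SANCTIONED_PREFIXES):
            reasons.append("hypervisor running outside sanctioned install path")
        if ev.parent_image.rsplit("\\", 1)[-1].lower() == "msiexec.exe":
            reasons.append("hypervisor spawned by an MSI installer")
        if name == "vboxheadless.exe":
            reasons.append("headless VM with no user interface")
        if ".vdi" in ev.command_line.lower():
            reasons.append("command line references a .vdi virtual disk")
        if reasons:
            hits.append((ev, reasons))
    return hits

# Constructed sample events: a benign developer VM, then two steps of the described chain.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe",
              r"C:\Windows\explorer.exe",
              r'"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe" --startvm devbox'),
    ProcEvent(r"C:\ProgramData\installer\VBoxManage.exe",
              r"C:\Windows\System32\msiexec.exe",
              r'VBoxManage.exe storageattach payload --medium C:\ProgramData\installer\disk.vdi'),
    ProcEvent(r"C:\ProgramData\installer\VBoxHeadless.exe",
              r"C:\Windows\System32\cmd.exe",
              r'VBoxHeadless.exe --startvm payload'),
]

if __name__ == "__main__":
    for ev, reasons in suspicious_vm_launches(SAMPLE_EVENTS):
        print(ev.image, "->", "; ".join(reasons))
```

The path and parent checks are heuristics tuned to the delivery method the article describes; a sanctioned VirtualBox install will still be flagged if it ever runs headless, so treat the output as triage input rather than a verdict.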

"The attack chain uncovered by Sophos threat responders highlights the agility of human adversaries and their ability to quickly substitute and reconfigure tools and return to the ring for another round," said Mackenzie.

"The use of a noisy Ragnar Locker virtual machine technique, with its huge footprint and CPU usage, could reflect a growing frustration on the part of the attackers after their first two attempts to encrypt data failed."

Brandt and Mackenzie said the Maze threat actors were proving increasingly adept at adopting techniques that have already proved successful for other groups, including the use of extortion to extract payment from victims.

"As endpoint security products improve their ability to defend against ransomware, attackers are forced to expend greater effort to make an end-run around these protections," they said.

More technical details of the new Maze technique are available from Sophos, and indicators of compromise are available via GitHub.
