Maze ransomware is one of the most dangerous cyber-criminal groups operating today: its ransom demands run over six figures, and if the victim does not pay, the group threatens to leak the stolen data. Its newest tactic for evading detection is to distribute its ransomware payload inside a virtual machine, a technique Maze took from Ragnar Locker, which used it earlier. Security researchers at Sophos discovered the technique while investigating a Maze attack in July.

Once the Maze operators have access to a victim's network, they deliver a Microsoft Installer (.msi) file of about 700MB that contains an old version of Oracle's VirtualBox software and a virtual disk image (.vdi) file. The attackers then map the file folders of the victim computer or network into the virtual machine and run their ransomware from the guest rather than on the victim machine directly, so the malware can operate under the radar without being detected by any endpoint security software on the host.
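The chain described above leaves host-side traces that a defender can look for: an .msi installed from a user-writable location, VirtualBox binaries running from somewhere other than the normal install directory, and a shared-folder mapping that exposes a whole host drive to the guest. The following is an added example, not code from the article or from Sophos: a small Python detector that scores constructed process-creation events per user. The `user|image|cmdline` log format, the sample lines, the "standard install path" and the two-finding alert threshold are assumptions made for this example, not indicators taken from the article.

```python
import re

# VirtualBox executables worth watching (real binary names shipped with VirtualBox).
VBOX_IMAGES = {"vboxmanage.exe", "vboxheadless.exe", "virtualbox.exe",
               "virtualboxvm.exe", "vboxsvc.exe"}
# Assumed normal install location; anything else is treated as suspicious.
STANDARD_DIRS = (r"c:\program files\oracle\virtualbox",)
# --hostpath pointing at a bare drive root (C:\) or a UNC share root.
HOST_ROOT = re.compile(r'--hostpath\s+"?([a-z]:\\?|\\\\[^\s"]+)"?(\s|$)', re.I)
# An .msi launched from a user's local temp directory.
USER_TEMP_MSI = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\[^\s]+\.msi", re.I)

# Constructed sample events (user|image|cmdline); made up for this example.
SAMPLE_EVENTS = [
    r"alice|C:\Windows\System32\msiexec.exe|msiexec.exe /i C:\Users\alice\AppData\Local\Temp\pkg.msi /qn",
    r"alice|C:\Users\alice\AppData\Local\Temp\vbox\VBoxManage.exe|VBoxManage.exe sharedfolder add work --name hostc --hostpath C:\ --automount",
    r"alice|C:\Users\alice\AppData\Local\Temp\vbox\VBoxHeadless.exe|VBoxHeadless.exe --startvm work",
    r"bob|C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe|VirtualBoxVM.exe --startvm dev",
    r"svc|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
]

def parse(line):
    """Split one event line into (user, image path, command line)."""
    user, image, cmdline = line.split("|", 2)
    return user, image, cmdline

def findings_for(image, cmdline):
    """Return the list of detection names that fire for a single event."""
    out = []
    img_low = image.lower()
    name = img_low.rsplit("\\", 1)[-1]
    if name in VBOX_IMAGES and not img_low.startswith(STANDARD_DIRS):
        out.append("virtualbox-outside-program-files")
    if name == "vboxmanage.exe" and "sharedfolder add" in cmdline.lower() \
            and HOST_ROOT.search(cmdline):
        out.append("host-drive-shared-to-guest")
    if name == "msiexec.exe" and USER_TEMP_MSI.search(cmdline):
        out.append("msi-install-from-user-temp")
    return out

def analyze(lines):
    """Map each user to the set of distinct findings seen across their events."""
    per_user = {}
    for line in lines:
        user, image, cmdline = parse(line)
        for f in findings_for(image, cmdline):
            per_user.setdefault(user, set()).add(f)
    return per_user

def alerts(lines, min_findings=2):
    """Users with at least min_findings distinct findings; one weak signal alone does not alert."""
    return sorted(u for u, f in analyze(lines).items() if len(f) >= min_findings)

if __name__ == "__main__":
    for user, hits in analyze(SAMPLE_EVENTS).items():
        print(user, sorted(hits))
    print("alert:", alerts(SAMPLE_EVENTS))
```

A lone VirtualBox launch from Program Files (the `bob` line) produces no finding, so legitimate developer use of VirtualBox does not trip the threshold.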