Maze ransomware is one of the most dangerous cyber-criminal groups around today with ransom demands over six figures and if the victim does not pay, they threaten to leak stolen data. The group’s new tactic to evade detection is to use virtual machines to distribute their ransomware payloads. Maze got their inspiration from Ragnar Locker which previously used this technique. Security researchers at Sophos discovered this while investigating a Maze attack in July. After the Maze operators have access to a victim’s network, they deliver a Microsoft Installer (.msi) file, about 700MB in size, containing an old version of Oracle’s VirtualBox software and a virtual disk image (.vdi) file. The attackers can then use the virtual machine to map the file folders on the victim computer or network to the virtual machine and run their ransomware from the virtual machine rather than on the victim machine directly, so that the malware can run under the radar without being detected by any endpoint security software.
Analyst Notes
One of the steps an organization can do is to block the use of unnecessary applications on its machines, so attackers cannot exploit them. If most users of a corporate network do not need to run VirtualBox, it is appropriate to detect and block that software from running. Defenders can also set up detection for large virtual disk image (.vdi) files and launch an investigation if those files are found. Another method of prevention is to verify that all security patches are applied as soon as possible so attackers cannot exploit known vulnerabilities. Multi-factor authentication should also be applied to prevent stolen credentials from being used. It is also extremely important for organizations to know their networks and what they traditionally run so that if unusual activity is detected it can be identified and closed if necessary.
Source Article: https://www.zdnet.com/article/this-ransomware-has-borrowed-a-sneaky-trick-for-delivering-malware-to-its-victims
