
Maze ransomware gang uses VMs to evade detection

A Sophos investigation into a Maze ransomware attack revealed that threat actors borrowed an attack technique pioneered by Ragnar Locker operators earlier this year.

Threat actors behind Maze ransomware have adopted Ragnar Locker's technique of using virtual machines to evade detection, according to new research by Sophos.

The security vendor first observed this tactic, which distributes the ransomware payload inside a virtual machine (VM), in May. Threat actors associated with the Ragnar Locker ransomware gang hid malicious code inside a Windows XP VM, which allowed the ransomware to run without being detected or blocked by security software on the endpoint.

In July, Sophos responded to a Maze ransomware attack against an unnamed organization that used a similar method. An investigation revealed that attackers repeatedly attempted to infect computers with ransomware while demanding a $15 million ransom, which was not paid. Initial attempts at infecting systems with ransomware were unsuccessful until the third try, when operators used an enhanced version of Ragnar Locker's VM technique. The approach helps attackers further evade detection by endpoint security products.

"The virtual machine was, apparently, configured in advance by someone who knew something about the victim's network, because its configuration file ('micro.xml') maps two drive letters that are used as shared network drives in this particular organization, presumably so it can encrypt the files on those shares as well as on the local machine. It also creates a folder in C:\SDRSMLINK\ and shares this folder with the rest of the network," Andrew Brandt, Sophos principal researcher, and Peter Mackenzie, incident response manager, wrote in the blog.
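For defenders, the drive mappings described above are something to hunt for in VM definition files found on endpoints. The following Python example is added here and is not from Sophos or the original article: it flags writable shared folders that expose an entire host drive to a guest. It assumes a VirtualBox-style XML layout with `SharedFolder` elements, which the article does not specify, and the sample configuration is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, NOT the real micro.xml. Assumed format: a
# VirtualBox-style machine definition with <SharedFolder> elements.
SAMPLE_CONFIG = """<VirtualBox xmlns="http://www.virtualbox.org/">
  <Machine name="micro" OSType="Windows7">
    <Hardware>
      <SharedFolders>
        <SharedFolder name="1" hostPath="C:\\" writable="true" autoMount="true"/>
        <SharedFolder name="2" hostPath="E:\\" writable="true" autoMount="true"/>
        <SharedFolder name="docs" hostPath="C:\\Users\\alice\\vmshare" writable="false"/>
      </SharedFolders>
    </Hardware>
  </Machine>
</VirtualBox>
"""

# A host path that is just a drive letter, e.g. "C:", "C:\" or "E:/".
DRIVE_ROOT = re.compile(r"^[A-Za-z]:[\\/]*$")


def local_name(tag):
    """Strip the XML namespace so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def risky_shared_folders(config_xml):
    """Return (share name, host path) for writable whole-drive mappings."""
    findings = []
    root = ET.fromstring(config_xml)
    for el in root.iter():
        if local_name(el.tag) != "SharedFolder":
            continue
        host_path = el.get("hostPath", "")
        writable = el.get("writable", "false").lower() == "true"
        # A guest that can write to a whole host drive can encrypt it
        # from inside the VM, out of reach of host endpoint protection.
        if writable and DRIVE_ROOT.match(host_path):
            findings.append((el.get("name"), host_path))
    return findings


if __name__ == "__main__":
    for name, path in risky_shared_folders(SAMPLE_CONFIG):
        print(f"writable whole-drive share {name!r} -> {path}")
```
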

Sophos' investigation also revealed that attackers had penetrated the network at least six days prior to delivering the ransomware payload.

While the Maze ransomware attack was similar to Ragnar Locker's, it wasn't identical. For example, Maze attackers used a virtual Windows 7 machine instead of Windows XP.

"Physically, the files used by Maze were a lot larger. This was due to their virtual machine being a Windows 7, compared to Windows XP used by Ragnar Locker," Mackenzie said in an email to SearchSecurity. "However, this size increase included other benefits. The main one was that Maze changed the method to make it easier and quicker to change the ransomware payload files used in the attack. This would allow them to quickly adapt if the files were getting blocked."

This isn't the first connection between the Maze and Ragnar Locker ransomware gangs. In June, Maze operators announced the launch of a ransomware "cartel" that featured other gangs, including Ragnar Locker, in an effort to share resources and further extort victims to pay ransoms. Maze has become widely known for extorting victims by publishing stolen data on its leak site. When Maze recently added the data for a victim of a Ragnar Locker ransomware attack, the post referenced "Maze Cartel provided by Ragnar."

Though the Maze attack in July didn't copy Ragnar Locker's technique to a tee, Mackenzie said it is likely the ransomware gangs are working together.

"The 'Maze Cartel' at the time of the attack already included the groups behind Ragnar Locker and LockBit ransomware," he said. "Also, Maze was essentially outsourcing work due to the high level of potential targets. This indicates that these types of groups are evolving much like a legitimate business, and that is scaling up to meet demand. It is likely that the sharing of tactics, techniques and procedures is also occurring where it benefits the 'Maze Cartel' as a whole."

While the Maze cartel has apparently grown in recent months, it's unclear which gangs are actually part of the collective. According to a Bleeping Computer report last month, the operators of SunCrypt ransomware claimed to be working with Maze and engaging in two-way communications with the group. SearchSecurity reached out to the Maze operators for comment, and they denied any connection to SunCrypt.

"SunCrypt are idiots," Maze said via email. "They are idiots and all their similarities with us are in the name of the type of business. Their approach is low-level and we would never take them under our brand."
