Maze Ransomware Now Encrypts Victims Data Via Virtual Machines

The Maze ransomware operators have implemented a new detection-avoidance technique: their malware now encrypts targets' files from inside a virtual machine. This type of attack was first seen from Ragnar Locker in May, when Ragnar Locker used Windows XP virtual machines to encrypt victims' files while bypassing Windows security controls.


Ragnar Locker may have shared this attack method with Maze. Because Maze used Windows 7 instead of Windows XP, the total size of the attack payload was significantly larger, at 2.6 GB.


The malware uses a VMware feature to share the host's directories and devices with the virtual machine as network shares. The virtual system mounts the shared path from \VBOXSVR as a network drive to reach the data it encrypts.


This technique defeats the antivirus software on the victim's computer/host: the ransomware executable and the activity of the virtual machine remain undetectable to it.


Sophos' Peter Mackenzie confirmed the attack at their London incident response centre, and Hackers Review confirmed it on May 28. Sophos' Intercept X blocked the ransomware attempt. The threat actors are believed to have used Chrome browser software updates and Microsoft Windows Update security fixes as cover to initiate the attack. They are also believed to have used a batch file, loaded together with a Windows 7 virtual machine image, for the VirtualBox VM server.
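As an added defensive example (not part of the original article or of any vendor's product), the following Python flags the telemetry pattern the article describes: VirtualBox driven from a script, a host path exposed to the guest as a shared folder, and the guest's \\VBOXSVR share mapped as a network drive. The process records, host names, VM name and share name are constructed; the VBoxManage and net use command syntax is the real syntax of those tools.

```python
import re
from dataclasses import dataclass

# Constructed, simplified process-creation records (not real incident
# telemetry). Field order: host, parent image, image, command line.
SAMPLE_EVENTS = [
    ("FILESRV01", "cmd.exe", "msiexec.exe", "msiexec /i C:\\Users\\Public\\vbox.msi /qn"),
    ("FILESRV01", "cmd.exe", "VBoxManage.exe",
     'VBoxManage sharedfolder add "micro" --name "C_DRIVE" --hostpath "C:\\" --automount'),
    ("FILESRV01", "cmd.exe", "VBoxHeadless.exe", 'VBoxHeadless --startvm "micro"'),
    ("FILESRV01", "cmd.exe", "net.exe", r"net use Z: \\VBOXSVR\C_DRIVE"),
    ("DEV-WS07", "explorer.exe", "VBoxManage.exe", "VBoxManage list vms"),
    ("DEV-WS07", "explorer.exe", "notepad.exe", "notepad C:\\notes.txt"),
]

# Each rule: (name, regex on the image name or None, regex on the command line or None).
# The indicators follow the technique described in the article: VirtualBox launched
# from a script, a host folder shared into the VM, and \\VBOXSVR mapped as a drive.
RULES = [
    ("virtualbox_scripted_launch", re.compile(r"^(VBoxManage|VBoxHeadless)\.exe$", re.I), None),
    ("host_folder_shared_to_vm", None, re.compile(r"sharedfolder\s+add.*--hostpath", re.I)),
    ("vboxsvr_drive_mapping", None, re.compile(r"\\\\VBOXSVR\\", re.I)),
]

@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    image: str

def detect(events, allowlisted_hosts=frozenset()):
    """Return one Alert per (event, rule) match, skipping hosts that legitimately run VirtualBox."""
    alerts = []
    for host, _parent, image, cmdline in events:
        if host in allowlisted_hosts:
            continue
        for name, image_re, cmd_re in RULES:
            image_hit = image_re is not None and image_re.search(image) is not None
            cmd_hit = cmd_re is not None and cmd_re.search(cmdline) is not None
            if image_hit or cmd_hit:
                alerts.append(Alert(host, name, image))
    return alerts

def hosts_with_full_chain(alerts):
    """Hosts on which all three indicators appear together: the strongest signal."""
    rules_by_host = {}
    for alert in alerts:
        rules_by_host.setdefault(alert.host, set()).add(alert.rule)
    wanted = {name for name, _, _ in RULES}
    return sorted(host for host, rules in rules_by_host.items() if rules == wanted)
```

A single VirtualBox launch on a developer workstation is noise; the combination of a scripted launch, a shared host path and a \\VBOXSVR mapping on a file server is what merits an incident.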
