Skip to main content
Customer Support Customer Support

This ransomware has borrowed a sneaky trick for delivering malware to its victims

  • September 17, 2020
  • 5 replies
  • 64 views
Jasper_The_Rasper
Moderator
Forum|alt.badge.img+54

Ransomware group has borrowed a successful technique from another gang which makes it harder to spot when malware is being spread.

 

September 17, 2020 By Danny Palmer  

 

One of the most dangerous cyber criminal ransomware operations around today has deployed a new tactic to help attacks stay undetected until it's too late, one most likely borrowed from another ransomware group.

What makes Maze so dangerous is that as well as demanding a six-figure – or higher – sum of bitcoin in exchange for the decryption key, they threaten to publish stolen internal data if their extortion demands aren't met.

The group is already skilled at infiltrating the networks of organisations but now they've adopted a new tactic which makes it even harder for victims to detect that there are outsiders on the network by using virtual machines to distribute the ransomware payload.

 

Full Article.

    5 replies

    A
    Fresh Face
    • AndyAnd
    • Fresh Face
    • 2 replies
    • September 18, 2020

    Thanks for the information about Maze ransomware. Is Webroot able to detect the creation of a virtual machine by Maze ?

    Jasper_The_Rasper
    Moderator
    Forum|alt.badge.img+54

    Hi @AndyAnd 
    Maze has been around for quite a while so I would be surprised if it was not detected but I will ping one of our Threat Researchers  @DanP  who will confirm it for you.

     

    DanP
    Forum|alt.badge.img+35
    • DanPOpenText Employee
    • OpenText Employee
    • 515 replies
    • September 18, 2020

    We do detect Maze ransomware, but would not do so by detecting a VM used to distribute it. 

     

    Thanks,

     

    -Dan

    Webroot Threat Research
    Jasper_The_Rasper
    1 person likes this
    • Jasper_The_Rasper
      Jasper_The_Rasper
    A
    Fresh Face
    • AndyAnd
    • Fresh Face
    • 2 replies
    • September 19, 2020

    DanP: Thank you for the response. I imagine Webroot would block the initial malware download from effectively launching the MSI installer to create the virtual machine. Does that sound correct?

    Typically a user clicks on an attachment and is immediately infected. If the attachment is allowed to run completely, it would install the virtual machine. Then the ransomware app in the VM would run, encrypting files on other drives.

    “In the Maze incident, the threat actors distributed the file-encrypting payload of the ransomware on the VM’s virtual hard drive (a VirtualBox virtual disk image (.vdi) file), which was delivered inside of a Windows .msi installer file more than 700MB in size.”

    https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/

    Jasper_The_Rasper
    1 person likes this
    • Jasper_The_Rasper
      Jasper_The_Rasper
    DanP
    Forum|alt.badge.img+35
    • DanPOpenText Employee
    • OpenText Employee
    • 515 replies
    • September 21, 2020
    AndyAnd wrote:

    DanP: Thank you for the response. I imagine Webroot would block the initial malware download from effectively launching the MSI installer to create the virtual machine. Does that sound correct?

    Typically a user clicks on an attachment and is immediately infected. If the attachment is allowed to run completely, it would install the virtual machine. Then the ransomware app in the VM would run, encrypting files on other drives.

    “In the Maze incident, the threat actors distributed the file-encrypting payload of the ransomware on the VM’s virtual hard drive (a VirtualBox virtual disk image (.vdi) file), which was delivered inside of a Windows .msi installer file more than 700MB in size.”

    https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/

     

    From the write-up this was not a simple case of a user clicking on an attachment. This was a far more targeted attack. The attackers had access to the network for thee to six days before they deployed the ransomware themselves using the VM technique. 

     

    -Dan

     

    Webroot Threat Research
    Jasper_The_Rasper
    1 person likes this
    • Jasper_The_Rasper
      Jasper_The_Rasper

    Reply


    Terms & Conditions