This ransomware has borrowed a sneaky trick for delivering malware to its victims

  • September 17, 2020
  • 5 replies
  • 64 views

Jasper_The_Rasper
Moderator
Ransomware group has borrowed a successful technique from another gang which makes it harder to spot when malware is being spread.

September 17, 2020 By Danny Palmer

One of the most dangerous cyber criminal ransomware operations around today has deployed a new tactic to help attacks stay undetected until it's too late, one most likely borrowed from another ransomware group.

What makes Maze so dangerous is that as well as demanding a six-figure – or higher – sum of bitcoin in exchange for the decryption key, they threaten to publish stolen internal data if their extortion demands aren't met.

The group is already skilled at infiltrating the networks of organisations but now they've adopted a new tactic which makes it even harder for victims to detect that there are outsiders on the network by using virtual machines to distribute the ransomware payload.
Full Article.

5 replies

  • Fresh Face
  • 2 replies
  • September 18, 2020

Thanks for the information about Maze ransomware. Is Webroot able to detect the creation of a virtual machine by Maze ?


Jasper_The_Rasper
Moderator

Hi @AndyAnd
Maze has been around for quite a while so I would be surprised if it was not detected but I will ping one of our Threat Researchers @DanP who will confirm it for you.

DanP
  • OpenText Employee
  • 515 replies
  • September 18, 2020

We do detect Maze ransomware, but would not do so by detecting a VM used to distribute it.

Thanks,

-Dan

  • Fresh Face
  • 2 replies
  • September 19, 2020

DanP: Thank you for the response. I imagine Webroot would block the initial malware download from effectively launching the MSI installer to create the virtual machine. Does that sound correct?

Typically a user clicks on an attachment and is immediately infected. If the attachment is allowed to run completely, it would install the virtual machine. Then the ransomware app in the VM would run, encrypting files on other drives.

“In the Maze incident, the threat actors distributed the file-encrypting payload of the ransomware on the VM’s virtual hard drive (a VirtualBox virtual disk image (.vdi) file), which was delivered inside of a Windows .msi installer file more than 700MB in size.”

https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/
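The delivery chain described in the post above (a Windows .msi installer of more than 700MB carrying a VirtualBox .vdi disk image that holds the encryptor) has a few file-level signals a defender can check for on a mail gateway or a file share. The following scanner is an added example written for this thread; it is not Webroot's or Sophos's detection logic. It assumes three things: that .msi packages start with the OLE compound-document header, that VirtualBox disk images begin with one of the listed text banners, and that an installer of several hundred megabytes is unusual enough as an attachment to be worth a second look. The sample files it scans are constructed inline (an OLE header, zero filler and a banner), not real malware.

```python
"""Heuristic scanner: flag oversized Windows Installer (.msi) packages that embed a
VirtualBox disk image (.vdi). Example code added to this thread; it is not Webroot's
or Sophos's detection logic, and the thresholds are assumptions, not vendor values."""
import os
import tempfile

# OLE compound-document magic; every .msi package starts with these 8 bytes.
MSI_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# VDI images open with a text banner; VirtualBox has used several vendor names.
# Assumption: these three banners cover the images we care about.
VDI_BANNERS = (
    b"<<< Oracle VM VirtualBox Disk Image >>>",
    b"<<< Sun VirtualBox Disk Image >>>",
    b"<<< innotek VirtualBox Disk Image >>>",
)

# Threshold loosely based on the "more than 700MB" figure quoted above; an .msi that
# large is unusual for an attachment. Callers can lower it (the demo below does).
DEFAULT_MIN_SIZE = 500 * 1024 * 1024
CHUNK_SIZE = 4 * 1024 * 1024


def is_msi(path):
    """True if the file carries the OLE compound-document header used by .msi."""
    with open(path, "rb") as fh:
        return fh.read(len(MSI_MAGIC)) == MSI_MAGIC


def contains_vdi_banner(path, chunk_size=CHUNK_SIZE):
    """Stream the file and report whether any VDI banner occurs anywhere in it.
    The last (banner length - 1) bytes of each chunk are carried over so a banner
    split across a chunk boundary is still found."""
    overlap = max(len(b) for b in VDI_BANNERS) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            window = tail + chunk
            if any(banner in window for banner in VDI_BANNERS):
                return True
            tail = window[-overlap:]


def assess_file(path, min_size=DEFAULT_MIN_SIZE):
    """Return a finding dict; 'suspicious' is set only when all three signals line up:
    MSI header, size at or above the threshold, and an embedded VDI banner."""
    size = os.path.getsize(path)
    msi = is_msi(path)
    embeds_vdi = contains_vdi_banner(path) if msi else False
    return {
        "path": path,
        "size": size,
        "is_msi": msi,
        "embeds_vdi": embeds_vdi,
        "suspicious": msi and size >= min_size and embeds_vdi,
    }


def scan_directory(root, min_size=DEFAULT_MIN_SIZE):
    """Assess every file under root and return only the suspicious findings."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            finding = assess_file(os.path.join(dirpath, name), min_size)
            if finding["suspicious"]:
                findings.append(finding)
    return findings


def write_sample(path, with_vdi, size=1024 * 1024):
    """Write a constructed sample (not real malware): OLE header, zero filler and,
    optionally, a VDI banner placed around the middle of the file."""
    banner = VDI_BANNERS[0] if with_vdi else b""
    filler_len = size - len(MSI_MAGIC) - len(banner)
    with open(path, "wb") as fh:
        fh.write(MSI_MAGIC)
        fh.write(b"\x00" * (filler_len // 2))
        fh.write(banner)
        fh.write(b"\x00" * (filler_len - filler_len // 2))
    return path


def run_demo():
    """Build two constructed 1MB samples and assess them with a lowered threshold.
    A 512KB chunk size is used for the boundary check so the banner, which sits at
    byte offset 524272, straddles the first chunk boundary at 524288."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = write_sample(os.path.join(tmp, "installer.msi"), with_vdi=True)
        good = write_sample(os.path.join(tmp, "benign.msi"), with_vdi=False)
        return {
            "installer": assess_file(bad, min_size=512 * 1024),
            "benign": assess_file(good, min_size=512 * 1024),
            "below_threshold": assess_file(bad, min_size=2 * 1024 * 1024)["suspicious"],
            "boundary_found": contains_vdi_banner(bad, chunk_size=512 * 1024),
            "hits": len(scan_directory(tmp, min_size=512 * 1024)),
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The three signals are deliberately combined with AND: a large .msi alone is common for legitimate software, and a VDI banner alone just means someone shipped a disk image. Either on its own would generate noise; together they describe the specific packaging the write-up quotes. The scanner says nothing about whether the embedded image is malicious, so a hit is a triage lead for a sandbox or an analyst, not a verdict.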


DanP
  • OpenText Employee
  • 515 replies
  • September 21, 2020
AndyAnd wrote:

DanP: Thank you for the response. I imagine Webroot would block the initial malware download from effectively launching the MSI installer to create the virtual machine. Does that sound correct?

Typically a user clicks on an attachment and is immediately infected. If the attachment is allowed to run completely, it would install the virtual machine. Then the ransomware app in the VM would run, encrypting files on other drives.

“In the Maze incident, the threat actors distributed the file-encrypting payload of the ransomware on the VM’s virtual hard drive (a VirtualBox virtual disk image (.vdi) file), which was delivered inside of a Windows .msi installer file more than 700MB in size.”

https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/

From the write-up this was not a simple case of a user clicking on an attachment. This was a far more targeted attack. The attackers had access to the network for three to six days before they deployed the ransomware themselves using the VM technique.

-Dan