Maze Ransomware Adopts Ragnar Locker Virtual-Machine Approach
According to researchers with Sophos Managed Threat Response, the operators behind Maze ransomware have been adopting tactics from rival cybercrime organizations, adding a dangerous new feature: Maze can now distribute its ransomware payloads through virtual machines. The researchers describe this as a “radical” approach that aims to evade endpoint defenses.
Cybersecurity researchers recently observed the Maze operators distributing malware in the form of a VirtualBox virtual disk image inside a Windows MSI file, the format used to install and remove programs on a device. The attackers used a stripped-down, decades-old copy of the VirtualBox hypervisor. The file appears to be trusted by the virtual machine, which then runs the software, helping the ransomware avoid detection.
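Because the payload runs inside a guest, one place a defender can still see it is the hypervisor starting on the host. The sketch below is an added example, not code from Sophos or the original article: it flags VirtualBox processes on hosts that are not approved for virtualization or that run from outside the default install directory, and notes when `msiexec` ran earlier on the same host. The host names, paths, allowlist and events are constructed; only the VirtualBox executable names are real.

```python
import ntpath  # parses Windows paths on any OS

# Real VirtualBox executable names; everything else below is constructed.
VBOX_BINARIES = {"vboxheadless.exe", "vboxsvc.exe", "vboxmanage.exe", "virtualboxvm.exe"}
APPROVED_DIR = r"c:\program files\oracle\virtualbox"  # default install directory
VIRTUALIZATION_HOSTS = {"DEV-LAB-01"}  # assumed allowlist of hosts that may run VMs

# Constructed process-creation events, shaped like Sysmon Event ID 1 fields.
EVENTS = [
    {"host": "DEV-LAB-01", "image": r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
     "cmd": "VBoxHeadless.exe --startvm devbox"},
    {"host": "FILESRV-02", "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Temp\pkg.msi /quiet"},
    {"host": "FILESRV-02", "image": r"C:\Temp\vm\VBoxHeadless.exe",
     "cmd": "VBoxHeadless.exe --startvm micro"},
    {"host": "HR-LT-17", "image": r"C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe",
     "cmd": "VirtualBoxVM.exe --startvm test"},
]


def find_unexpected_hypervisors(events):
    """Return (host, image, reasons) for each suspicious hypervisor launch."""
    findings = []
    msi_seen = set()  # hosts where msiexec ran earlier in the event stream
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        if name == "msiexec.exe":
            msi_seen.add(ev["host"])
            continue
        if name not in VBOX_BINARIES:
            continue
        reasons = []
        if ev["host"] not in VIRTUALIZATION_HOSTS:
            reasons.append("host not approved for virtualization")
        if ntpath.dirname(ev["image"]).lower() != APPROVED_DIR:
            reasons.append("hypervisor outside approved install directory")
        # An installer run is only context: it raises priority, never triggers alone.
        if reasons and ev["host"] in msi_seen:
            reasons.append("msiexec ran earlier on this host")
        if reasons:
            findings.append((ev["host"], ev["image"], reasons))
    return findings


if __name__ == "__main__":
    for host, image, reasons in find_unexpected_hypervisors(EVENTS):
        print(f"{host}: {image} -> {'; '.join(reasons)}")
```

The approved-host list does the real work here: a path check alone would miss a hypervisor installed to its default location on a machine that should never run one.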