The operators behind the Maze variant of ransomware are borrowing a technique previously seen with the Ragnar Locker ransomware gang.  This past May, security researchers noted a clever technique being used by Ragnar Locker that uses virtual machines to drop their malicious payload inside victim networks and go undetected by any security software.

After gaining access to the target network, Ragnar Locker was seen using a VirtualBox Windows XP virtual machine that mounts the physical system’s local drive as a remote share.  Since no security tools are installed on the virtual system and the security tools on the physical system may not be aware of any malware due to the VM mounting the local drives, this may go unnoticed by security teams.

An Incident Response team with Sophos spotted Maze recently using this technique too. After failing on three other attempts to infect the network they were attacking, Maze was observed running an MSI file that launched a Windows 7 VirtualBox image on the server they were attempting to attack.

Just like when Ragnar Locker used this method, Maze then ran a batch file named startup_vrun.bat that preps the system for launching the attack. Here is the code contained within the batch file:

After the script completes, the system will reboot and then execute vrun.exe which kicks off the malicious file encryption.

The Maze and Ragnar Locker ransomware groups appear to be part of the same cyber cartel, so the borrowing of techniques should not come as a surprise.  The Maze collective now includes Ragnar Locker, LockBit, Conti, and SunCrypt.  These teams appear to be all collaborating together on some level. This level of collaboration and sophistication should be very concerning to defenders on the front lines of protecting enterprise networks.

Based on cyber insurance claims during the first half of 2020, the Maze group is one of the most active on the scene.  The Maze group’s ransom demands are on average six-times higher than the average ransom demand.  Maze is also on the forefront of the relatively new double extortion technique.

Double extortion in ransomware is where the threat group not only demands a ransom to unlock encrypted data, but also steals data from its victims and threatens to release the data on the dark web if the victim organization doesn’t pay up. This technique is troublesome because before, if an organization had good back-ups, recovering from a ransomware event without paying the ransom was not a problem.  Now with the second layer of extortion thrown in the mix, it makes it harder for organizations not to pay and will only increase the profits of ransomware gangs.

This example of Maze launching a ransomware event from a virtual machine highlights how the tactics, techniques, and procedures (TTPs) of cyber advisories are always changing. In order to stay ahead of the ever changing offensive cyber strategies, security teams also need to keep evolving and growing in order to be aware of the current threats and adjust their security posture as needed.

In order to minimize the chances of becoming a victim, SpearTip recommends ensuring enterprise security teams have a reliable EDR tool installed on all endpoints, a SIEM tool to collect and aggregate log data, and a security team monitoring alerts on a 24/7 basis.  If an organization has the capabilities and doesn’t use VirtualBox, creating custom alerting to detect and/or block VirtualBox activity (or any VM software) would add an extra layer of defense from this specific attack technique.

SpearTip is constantly watching for new malware and manipulative programs. Our 24/7 Security Operations Center (SOC) is fully staffed with cybersecurity professionals to monitor and protect your environment. Not only are our cybersecurity teammates continuously preventing cyberattacks, but also able to deploy our proprietary tool, ShadowSpear® in an environment before or after an attack.