Maze ransomware operators are known for their innovative tactics and approaches, such as the launch of a dedicated Maze news site and the creation of a cartel of ransomware operations to share resources and infrastructure with other cybercriminals. Recently, Maze threat actors have been observed adopting a technique that Ragnar Locker ransomware operators had used successfully earlier.
Hiding through VMs
In an attempt to evade detection by endpoint protection, Maze has attempted to use virtual machines (VMs) to deliver the payload.
- Recently, Sophos discovered that Maze ransomware operators followed a tactic used by the Ragnar Locker ransomware (earlier in May) to encrypt a computer from within a VM.
- During the operation, Maze delivered the attack payload in the form of an MSI installer file that contained an installer for VirtualBox 3.0.4 (both 32-bit and 64-bit versions).
- The attackers used a Windows 7 VM, which made the overall package bulky (2.6 GB), whereas Ragnar Locker uses a Windows XP VM image, resulting in a much smaller package (404 MB).
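A defender-side check for the delivery pattern described above, added here as an example (it is not code from Sophos or from the original article): it triages software-inventory records for an unexpected or legacy VirtualBox install that arrived in a large MSI. The record fields, thresholds, allowlist and sample data are assumptions constructed for illustration.

```python
# Added example: field names, thresholds and the allowlist are assumptions.
MIN_VBOX_VERSION = (6, 0, 0)        # assumed organisational baseline
LARGE_MSI_BYTES = 400_000_000       # page cites packages of 404 MB and 2.6 GB
APPROVED_VM_HOSTS = {"dev-lab-01"}  # assumed hosts allowed to run hypervisors


def parse_version(text):
    """Turn '3.0.4' into (3, 0, 4); non-numeric parts become 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def triage(records):
    """Return {host: [reasons]} for records that look like a hypervisor drop."""
    findings = {}
    for rec in records:
        if "virtualbox" not in rec["product"].lower():
            continue
        reasons = []
        if rec["host"] not in APPROVED_VM_HOSTS:
            reasons.append("hypervisor on non-approved host")
        if parse_version(rec["version"]) < MIN_VBOX_VERSION:
            reasons.append("legacy VirtualBox version " + rec["version"])
        if rec["source"].lower().endswith(".msi") and rec["size"] >= LARGE_MSI_BYTES:
            reasons.append("installed from unusually large MSI")
        if reasons:
            findings.setdefault(rec["host"], []).extend(reasons)
    return findings


# Constructed sample inventory (not real telemetry; file names are placeholders).
SAMPLE = [
    {"host": "fin-ws-17", "product": "Sun VirtualBox", "version": "3.0.4",
     "source": "setup.msi", "size": 2_600_000_000},
    {"host": "dev-lab-01", "product": "Oracle VM VirtualBox", "version": "6.1.14",
     "source": "VirtualBox-6.1.14.exe", "size": 110_000_000},
    {"host": "hr-ws-02", "product": "7-Zip", "version": "19.00",
     "source": "7z1900.msi", "size": 1_500_000},
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE).items():
        print(host, "->", "; ".join(reasons))
```

Each reason is reported separately so an analyst can see which signal fired; a decade-old hypervisor build on a workstation is worth a look even when the installer size is unknown.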
The Maze threat growing bigger
Maze continues to grow its cartel of independent and competing ransomware operations.
- Recently, Maze and Conti were seen publishing personal data from two similar victims, suggesting a collaboration between the two groups.
- In August, SunCrypt ransomware claimed to have joined hands with the Maze group on a revenue-sharing model, although another source recently said that Maze had later denied any affiliation with SunCrypt.
- In June, Maze ransomware had included Ragnar Locker in its partnership list, along with LockBit, another enterprise-targeting ransomware.
Stirring up the threat landscape
Cooperation between the bad guys is a concerning development. On top of innovative tactics, the sharing of tactics, infrastructure, and a centralized data leak platform will enable each of them to perform more advanced attacks, with potentially much larger impact.