A real-life Maze ransomware attack – “If at first you don’t succeed…” (Security News, September 2020)

The crooks are usually already inside your network by the time they unleash the ransomware part of their attack, and they usually spend the early part of their attack mapping out your network and acquiring similar access powers to your own sysadmins.
The report is the result of an investigation by indefatigable Sophos Managed Threat Response expert Peter Mackenzie and his colleagues, who were called in to deal with a network attack by the infamous Maze ransomware gang.
After two failed attempts to launch their ransomware files directly, the crooks resorted to a technique that we first wrote about when the Ragnar Locker crooks used it: setting up a virtual machine, and running the malware in that.
Ransomware crooks have realised that introducing a VM of their own to run their file-scrambling malware gives them a chance to run it in a software environment of their choice: the Ragnar Locker gang decided to use Windows XP, presumably because it's compact and doesn't do any pesky licensing checks.
In this latest Maze attack, the crooks delivered their own VM containing Windows 7 and all the operating system components needed to launch a full-blown virtual Windows desktop that they knew was compatible with their malware - a whopping 700MB disk image, all to run just 2.5MB of malware code.
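A defender-side check prompted by this technique, added here as an example that is not from the article or from Sophos: it scans constructed process-creation events for a desktop hypervisor that runs outside its sanctioned install path, under an unexpected account, from a scripting parent, or with a guest disk image on its command line. The hypervisor executable names, the allowlists and the Sysmon-style event fields are assumptions.

```python
import re

# Assumed input (not from the article): process-creation events as dicts with
# user/parent/image/cmdline, e.g. Sysmon Event ID 1 records pulled from a SIEM.
# Executables of common desktop hypervisors (realistic but hypothetical list).
HYPERVISOR_IMAGES = {"vboxheadless.exe", "virtualbox.exe", "vboxmanage.exe",
                     "vboxsvc.exe", "vmware-vmx.exe", "vmplayer.exe"}
# Where a sanctioned hypervisor install would live (constructed allowlist).
APPROVED_INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Accounts permitted to run VMs on workstations (constructed allowlist).
ALLOWED_VM_USERS = {"corp\\dev-alice"}
# Parents that suggest scripted or remote execution rather than a desktop user.
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "psexesvc.exe"}
DISK_IMAGE_RE = re.compile(r"\S+\.(?:vdi|vmdk|vhd|vhdx|qcow2)\b", re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyse(event):
    """Return the indicators that make this event look like a foreign-VM launch."""
    if basename(event["image"]) not in HYPERVISOR_IMAGES:
        return []
    reasons = []
    if not event["image"].lower().startswith(APPROVED_INSTALL_DIRS):
        reasons.append("hypervisor binary outside approved install dirs")
    if event["user"].lower() not in ALLOWED_VM_USERS:
        reasons.append(f"run by non-allowlisted user {event['user']}")
    if basename(event["parent"]) in SCRIPT_PARENTS:
        reasons.append(f"spawned by {basename(event['parent'])}")
    m = DISK_IMAGE_RE.search(event["cmdline"])
    if m:
        reasons.append(f"attaches guest disk image {m.group(0)}")
    return reasons

def hunt(events, min_indicators=2):
    """Return (index, reasons) for events with at least min_indicators hits."""
    hits = [(i, analyse(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in hits if len(r) >= min_indicators]

# Constructed sample events: a developer's sanctioned VM, then a hypervisor
# dropped into ProgramData and driven from cmd.exe by a service account.
SAMPLE_EVENTS = [
    {"user": "CORP\\dev-alice", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Oracle\\VirtualBox\\VirtualBox.exe",
     "cmdline": "VirtualBox.exe"},
    {"user": "CORP\\svc-backup", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\ProgramData\\vbox\\VBoxManage.exe",
     "cmdline": "VBoxManage.exe storageattach micro --storagectl SATA "
                "--port 0 --type hdd --medium C:\\ProgramData\\vbox\\micro.vdi"},
]
```

Running `hunt(SAMPLE_EVENTS)` flags only the second event, with all four indicators; a single indicator on its own (a developer testing an image from a script, say) stays below the threshold so the rule does not page on routine use.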