
Maze Ransomware Adopts Ragnar Locker Virtual-Machine Approach
2020-09-18 16:29

The operators of the Maze ransomware have added a fresh trick to their bag of badness: delivering the ransomware inside a virtual machine, so that the encryptor runs from within a guest rather than as a process the host's endpoint protection can inspect directly.

"In an earlier attack, Ragnar Locker also deployed a virtual machine in an attempt to bypass protection measures," Sophos researchers explained.

In the Maze ransomware incident, the attack payload was a 733 MB installer that carried a 1.9 GB Windows 7 virtual disk image, which in turn concealed a 494 KB ransomware executable. The installer is smaller than the disk image it contains because the image is compressed inside it.

"Using a virtual Windows 7 machine instead of XP significantly increases the size of the virtual disk, but also adds some new functionality that wasn't available in the Ragnar Locker version," according to the Sophos writeup.

Alongside preload.bat, the virtual disk carried an executable and a file just named payload, which is the actual Maze DLL payload. "The preload.bat file modifies the computer name of the virtual machine, generating a series of random numbers to use as the name, and joins the virtual machine to the network domain of the victim organization's network using a WMI command-line function," explained Sophos analysts.
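The rename-and-join step leaves two observable traces that defenders can hunt for: a machine account whose name is a run of digits appears on the domain controller (Security event 4741, computer account created), and a WMIC command line invoking the rename and JoinDomainOrWorkgroup methods runs on the guest. The detection sketch below is an added example and not code from the Sophos or Threatpost writeups; the event records are constructed to resemble parsed Windows Security events 4741 and 4688, the all-digit length threshold is an assumption (the writeup does not say how long the generated name is), and the account and domain names are invented.

```python
"""Detection sketch for the VM rename-and-domain-join step described above.

Added example, not code from the Sophos or Threatpost writeups. It looks for
the two signals the writeup describes: a computer account whose name is a
series of random digits, and a wmic command line that renames the host and
joins it to a domain via Win32_ComputerSystem.JoinDomainOrWorkgroup.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: the generated name is "a series of random numbers". Real hostnames
# almost never consist solely of digits, so require all digits plus a minimum
# length (5 is an arbitrary floor chosen here to skip short lab names like "01").
NUMERIC_HOSTNAME = re.compile(r"^\d{5,}$")

# wmic computersystem ... call rename / call joindomainorworkgroup, spacing tolerant.
WMIC_RENAME = re.compile(r"computersystem.*\bcall\s+rename\b", re.IGNORECASE)
WMIC_JOIN = re.compile(r"computersystem.*\bcall\s+joindomainorworkgroup\b", re.IGNORECASE)

# Constructed sample events (not real telemetry): one suspicious 4741, one benign
# 4741, the two wmic calls preload.bat would need, and one benign wmic query.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "jsmith", "TargetUserName": "8347291056$",
     "TargetDomainName": "CORP"},
    {"EventID": 4741, "SubjectUserName": "svc_sccm", "TargetUserName": "WS-FIN-0422$",
     "TargetDomainName": "CORP"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic computersystem where name="%computername%" call rename name="8347291056"'},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic computersystem where name="%computername%" call joindomainorworkgroup '
                    'fjoinoptions=3 name="corp.example" username="corp\\jsmith" password="***"'},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},
]


@dataclass(frozen=True)
class Finding:
    index: int    # position of the event in the input list
    rule: str     # which heuristic fired
    detail: str   # the value that triggered it


def is_random_numeric_hostname(account_name: str) -> bool:
    """True for machine-account names like '8347291056$' (the trailing $ is stripped)."""
    return bool(NUMERIC_HOSTNAME.match(account_name.rstrip("$")))


def classify_wmic(command_line: str) -> Optional[str]:
    """Name the suspicious wmic method being called, or None for anything else."""
    if WMIC_JOIN.search(command_line):
        return "wmic_domain_join"
    if WMIC_RENAME.search(command_line):
        return "wmic_rename"
    return None


def analyze(events) -> list:
    """Run both heuristics over parsed events and return the individual hits."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 4741 and is_random_numeric_hostname(ev.get("TargetUserName", "")):
            findings.append(Finding(i, "numeric_computer_account", ev["TargetUserName"]))
        elif ev.get("EventID") == 4688:
            rule = classify_wmic(ev.get("CommandLine", ""))
            if rule:
                findings.append(Finding(i, rule, ev["CommandLine"]))
    return findings


def matches_vm_join_pattern(findings) -> bool:
    """Treat the pattern as high confidence only when the odd machine account
    and a wmic rename/join command both appear in the same window."""
    rules = {f.rule for f in findings}
    return "numeric_computer_account" in rules and bool(rules & {"wmic_domain_join", "wmic_rename"})


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for h in hits:
        print(f"event {h.index}: {h.rule}: {h.detail}")
    print("VM rename-and-join pattern:", matches_vm_join_pattern(hits))
```

One caveat for anyone turning this into a production rule: the wmic command lines run inside the attacker-controlled guest, whose process-creation events the victim will normally never collect, so in practice the signal a defender can rely on is the 4741 on the domain controller (a new computer account with an all-digit name, created under a user's credentials rather than a provisioning service). The 4688 branch is still worth keeping for hosts where the guest's activity is visible, for example when the hypervisor itself is inside the monitored estate.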


News URL

https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/