The gang responsible for the Maze ransomware family carried out an attack in which they delivered their malware payload inside a virtual machine (VM).
Sophos' Managed Threat Response (MTR) observed the technique in action while investigating an attack that took place in July 2020.
In that incident, the attackers packaged the ransomware payload inside a Windows .msi installer file that was more than 700MB in size and deployed it onto the VM's virtual hard drive.
[Figure: A look inside the Maze-delivered VM, with the 495KB ransomware payload clearly visible. (Source: Sophos MTR)]
An investigation into the attack revealed that the malicious actors had been present on the targeted organization's network for at least six days before deploying their ransomware payload. During that period, they had built lists of internal IP addresses, used one of the organization's domain controller servers and exfiltrated information to their data leak site.
This dwell time could explain the existence of certain configurations in the Maze-delivered VM. As Sophos' MTR stated in its research:
The virtual machine was, apparently, configured in advance by someone who knew something about the victim's network, because its configuration file ("micro.xml") maps two drive letters that are used as shared network drives in this particular organization, presumably so it can encrypt the files on those shares as well as on the local machine. It also creates a folder in C:\SDRSMLINK and shares this folder with the rest of the network.
The campaign described above wasn't the first instance in which attackers have delivered ransomware inside a virtual machine. Back in May 2020, Sophos' MTR observed the Ragnar Locker crypto-malware family pull the same trick.
The virtual machine in that attack ran Windows XP, versus the Windows 7 instance in the VM containing Maze. Additionally, the latter VM was larger in size in order to support more functionality.
This technique highlights the need for organizations to defend themselves against a ransomware infection. They can do so by working to prevent a crypto-malware attack in the first place.
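The pattern described above (an unusually large .msi written to disk, a hypervisor process starting, and a local folder suddenly shared with the network) lends itself to a simple host-level correlation rule. The following is an added detection example, not code from Sophos or from the report; the size threshold, the one-hour window, the hypervisor process names and the telemetry records are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Thresholds and names below are assumptions for this example, not values from the report.
INSTALLER_SIZE_LIMIT = 500 * 1024 * 1024          # flag .msi writes above ~500 MB (Maze's exceeded 700 MB)
HYPERVISOR_PROCS = {"vboxheadless.exe", "vboxmanage.exe"}  # assumed hypervisor binaries to watch
WINDOW = timedelta(hours=1)                        # correlation window per host

def signal_of(ev):
    """Map one telemetry record to a signal name, or None if it looks benign."""
    if ev["type"] == "file_write" and ev["path"].lower().endswith(".msi") \
            and ev["size"] > INSTALLER_SIZE_LIMIT:
        return "oversized_installer"
    if ev["type"] == "share_added" and ev["path"].lower().startswith("c:\\"):
        return "new_local_share"      # a local folder (like C:\SDRSMLINK in the report) exposed to the LAN
    if ev["type"] == "process_start" and ev["image"].lower() in HYPERVISOR_PROCS:
        return "hypervisor_started"
    return None

def correlate(events):
    """Return {host: signals} for hosts where two or more distinct signals fall within WINDOW."""
    per_host = {}
    for ev in events:
        sig = signal_of(ev)
        if sig:
            per_host.setdefault(ev["host"], []).append((ev["ts"], sig))
    hits = {}
    for host, items in per_host.items():
        items.sort()
        for t0, _ in items:
            sigs = {s for t, s in items if t0 <= t <= t0 + WINDOW}
            if len(sigs) >= 2:
                hits[host] = hits.get(host, set()) | sigs
    return hits

# Constructed telemetry: ws01 shows the full pattern, ws02 only unrelated, widely spaced events.
T = datetime(2020, 7, 1, 9, 0)
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": T, "type": "file_write", "path": "C:\\Temp\\update.msi", "size": 734_000_000},
    {"host": "ws01", "ts": T + timedelta(minutes=5), "type": "process_start", "image": "VBoxHeadless.exe"},
    {"host": "ws01", "ts": T + timedelta(minutes=7), "type": "share_added", "path": "C:\\SDRSMLINK"},
    {"host": "ws02", "ts": T, "type": "share_added", "path": "C:\\Public"},
    {"host": "ws02", "ts": T + timedelta(hours=3), "type": "file_write", "path": "C:\\Temp\\office.msi", "size": 900_000_000},
]

if __name__ == "__main__":
    for host, sigs in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: possible VM-packaged payload ({', '.join(sorted(sigs))})")
```

Any single signal is noisy on its own (large installers and new shares are routine), which is why the rule only fires when several of them cluster on one host inside the window.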