Maze Ransomware Hides Itself in a Virtual Machine Environment

CryptoMode CyrusOne Ransomware Maze No More Ransom

When ransomware evolves, a very problematic scenario ensues. Maze, a well-known malware strain, is now borrowing elements from Ragnar Locker. An interesting development, although one that will cause many problems moving forward. 

Maze Gets a big Update

It is interesting to see how the developers of Maze ransomware are adding new features. Not only is the ransomware problematic in its own regard, but it can now be distributed through virtual machines. Doing so offers many benefits for criminals, including completely bypassing a remote target’s security defenses. 

Sophos Managed Threat Response researchers are worried about this new development. They note how the new version of Maze is actively distributed through a VirtualBox virtual disk image. Delivering the VDI file occurs through a Windows MSI file, which hardly ever looks suspicious to most people. 

Making matters worse is how the attackers bundle an outdated version of VirtualBox’s hypervisor in the MSI files. This ensures the virtual machine software can be installed without arousing suspicion. Inside this virtual environment, the Maze ransomware can wreak all kinds of havoc.

Moreover, this virtual machine instance will be considered “trusted” by Windows. It will not be checked for any malicious activity, allowing the ransomware to remain hidden indefinitely. On top of that, most security solutions cannot check virtual environments. A very problematic situation that will prove increasingly difficult to address. 

Borrowing Elements From Ragnar Locker

This strategy by the Maze developers is not new. It was first introduced by Ragnar Locker ransomware. It deploys a virtual machine to bypass computer security measures as well. However, Ragnar Locker is deployed through an Oracle VirtualBox Windows XP VM. Maze seems to be less specific about how it can be deployed in a virtual environment. 

More specifically, the analyzed sample comes in the form of a Windows 8 virtual machine. This does increase the overall size of the virtual disk image, but also allows the criminals to pack more features. Adding more ransomware of malware strains to the machine is just one option to explore. 

It will be interesting to see what this means for the future of ransomware deployment. If using virtual machines becomes the new normal, the number of infections is likely to grow exponentially. For now, it seems as if major corporations will be the target of choice. Obtaining money from those firms will always be challenging, regardless of the payload. 


CryptoMode produces high quality content for cryptocurrency companies. We have provided brand exposure for dozens of companies to date, and you can be one of them. All of our clients appreciate our value/pricing ratio. Contact us if you have any questions: [email protected] None of the information on this website is investment or financial advice. CryptoMode is not responsible for any financial losses sustained by acting on information provided on this website by its authors or clients. No reviews should be taken at face value, always conduct your research before making financial commitments.