When ransomware evolves, a very problematic scenario ensues. Maze, a well-known malware strain, is now borrowing elements from Ragnar Locker. An interesting development, although one that will cause many problems moving forward.
Maze Gets a big Update
It is interesting to see how the developers of Maze ransomware are adding new features. Not only is the ransomware problematic in its own regard, but it can now be distributed through virtual machines. Doing so offers many benefits for criminals, including completely bypassing a remote target’s security defenses.
Sophos Managed Threat Response researchers are worried about this new development. They note how the new version of Maze is actively distributed through a VirtualBox virtual disk image. Delivering the VDI file occurs through a Windows MSI file, which hardly ever looks suspicious to most people.
Making matters worse is how the attackers bundle an outdated version of VirtualBox’s hypervisor in the MSI files. This ensures the virtual machine software can be installed without arousing suspicion. Inside this virtual environment, the Maze ransomware can wreak all kinds of havoc.
Moreover, this virtual machine instance will be considered “trusted” by Windows. It will not be checked for any malicious activity, allowing the ransomware to remain hidden indefinitely. On top of that, most security solutions cannot check virtual environments. A very problematic situation that will prove increasingly difficult to address.
Borrowing Elements From Ragnar Locker
This strategy by the Maze developers is not new. It was first introduced by Ragnar Locker ransomware. It deploys a virtual machine to bypass computer security measures as well. However, Ragnar Locker is deployed through an Oracle VirtualBox Windows XP VM. Maze seems to be less specific about how it can be deployed in a virtual environment.
More specifically, the analyzed sample comes in the form of a Windows 8 virtual machine. This does increase the overall size of the virtual disk image, but also allows the criminals to pack more features. Adding more ransomware of malware strains to the machine is just one option to explore.
It will be interesting to see what this means for the future of ransomware deployment. If using virtual machines becomes the new normal, the number of infections is likely to grow exponentially. For now, it seems as if major corporations will be the target of choice. Obtaining money from those firms will always be challenging, regardless of the payload.