
The gang responsible for the Maze ransomware family conducted an attack in which they distributed their malware payload inside of a virtual machine (VM).
The attackers packaged the ransomware payload inside a Windows .msi installer file that was more than 700MB in size and distributed it onto the VM's virtual hard drive.

An investigation into the attack revealed that the malicious actors had been present on the targeted organization's network for at least six days prior to distributing their ransomware payload. During that period, they had built lists of internal IP addresses, used one of the organization's domain controller servers and exfiltrated information to a data leak site.
This dwell time could explain certain aspects of the Maze-delivered VM's configuration. As Sophos' MTR noted in its research:
The virtual machine was, apparently, configured in advance by someone who knew something about the victim's network, because its configuration file ("micro.xml") maps two drive letters that are used as shared network drives in this particular organization, presumably so it can encrypt the files on those shares as well as on the local machine. It also creates a folder in C:\SDRSMLINK\ and shares this folder with the rest of the network.
The campaign described above wasn't the first instance in which attackers have delivered ransomware inside a virtual machine. Sophos' MTR spotted the Ragnar Locker crypto-malware family pull the same trick.
The virtual machine in that attack ran Windows XP, as opposed to the Windows 7 instance on the VM containing Maze. Furthermore, the latter VM was larger to support additional functionality.
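As an added example (not code from the article or from Sophos' research), the following PowerShell hunt checks a Windows host for the artifacts the article attributes to the VM-delivered payload: the C:\SDRSMLINK\ folder and any SMB share exposing it, a VM configuration file named micro.xml, and an .msi installer larger than 700MB. The search roots and the exact size threshold are assumptions for illustration.

```powershell
# Added hunt script (not from the article or Sophos). Indicators taken from the
# article: a C:\SDRSMLINK\ folder shared to the network, a VM config file named
# micro.xml, and a Windows .msi installer of more than 700MB.
# Search roots and the size threshold are assumptions, adjust for your estate.

function Find-MazeVmIndicators {
    param(
        [string[]]$SearchRoots = @("$env:SystemDrive\", "$env:ProgramData", "$env:USERPROFILE"),
        [long]$MsiSizeThresholdBytes = 700MB   # PowerShell accepts the MB suffix
    )

    $findings = @()

    # 1. The C:\SDRSMLINK\ folder itself.
    if (Test-Path -LiteralPath 'C:\SDRSMLINK') {
        $findings += [pscustomobject]@{ Indicator = 'SDRSMLINK folder present'; Detail = 'C:\SDRSMLINK' }
    }

    # 2. Any SMB share that exposes that path, whatever the share is called.
    $findings += @(
        Get-SmbShare -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -and ($_.Path.TrimEnd('\') -ieq 'C:\SDRSMLINK') } |
            ForEach-Object {
                [pscustomobject]@{ Indicator = 'SDRSMLINK shared'; Detail = "$($_.Name) -> $($_.Path)" }
            }
    )

    # 3. Oversized .msi installers and the micro.xml VM configuration file name.
    foreach ($root in $SearchRoots) {
        $hits = Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.Extension -ieq '.msi' -and $_.Length -ge $MsiSizeThresholdBytes) -or
                ($_.Name -ieq 'micro.xml')
            }
        foreach ($hit in $hits) {
            $kind = if ($hit.Extension -ieq '.msi') { 'Oversized MSI' } else { 'micro.xml config' }
            $sizeMb = [math]::Round($hit.Length / 1MB)
            $findings += [pscustomobject]@{ Indicator = $kind; Detail = "$($hit.FullName) ($sizeMb MB)" }
        }
    }

    return $findings
}

# Run from an elevated prompt so Get-SmbShare and the full-disk walk succeed.
Find-MazeVmIndicators | Format-Table -AutoSize
```

An empty table means none of the article's indicators were found; each hit should be triaged alongside the six-day reconnaissance activity the article describes (IP enumeration, domain controller use) rather than treated in isolation.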
Backup! Backup! Backup! Backups are not only required; they are part of any hygienic cyber policy.