Maze Ransomware now Uses Virtual Machines to Evade Endpoint Defenses

The operators of Maze ransomware have adopted a new tactic to evade endpoint security solutions. The gang has been observed encrypting computers from inside virtual machines, a tactic also used by the operators of Ragnar Locker ransomware.

The new tactic was discovered by researchers at Sophos when responding to a ransomware attack on one of their customers. The Maze gang twice attempted to launch ransomware executables but were blocked by the Sophos Intercept X feature. In both cases, the executables were launched using scheduled tasks called Windows Update Security Patches, Google Chrome Security Update, and Windows Update Security.

A third attempt saw an MSI file used to deliver a VDI file that installed VirtualBox VM software on the server, along with a customized Windows 7 VM. The VM ran as a trusted application which helped the attackers conceal the attack. Most security solutions only have visibility into physical drives, not virtual environments, so the ransomware is not detected.

“Since the ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they’re out-of-reach for security software on the physical host machine,” explained Sophos. “The data on disks and drives accessible on the physical machine are attacked by the ‘legitimate’ VboxHeadless.exe process, the VirtualBox virtualization software.”

In the attack, the Maze gang mapped two drive letters which were used as shared network drives to allow files to be encrypted on those shares in addition to the local machine.

This attack method has been used by the Ragnar Locker operators, although in those attacks an Oracle VirtualBox Windows XP virtual machine was used. Sophos notes that Ragnar Locker used Windows XP, so the footprint was considerably smaller, only 404 MB in size. Since the Maze gang have used Windows 7, the footprint was larger – 2.6 GB. The use of Windows 7 gives the attackers the ability to easily insert an alternative ransomware in their builder machine, which was not possible with Ragnar Locker’s approach.

Prior to the deployment of ransomware, the attackers spent around 6 days inside the network preparing for the attack by building lists of IP addresses using domain control servers. They also exfiltrated data prior to the deployment of ransomware to the cloud storage provider Sophos says the ransomware installer was created by someone with detailed knowledge of the target’s network. The Maze gang demanded a ransom payment of $15 million in the latest attack, although the victim did not pay.

It is not unusual for ransomware gangs to copy tactics used by other ransomware operators if those tactics are proving effective. Assistance may have been provided by the Ragnar Locker gang since they are part of the Maze cartel.

While the Maze gang has conducted many successful ransomware attacks so far this year, security solutions are getting better at detecting attacks, so ransomware gangs now need to expend even more effort to bypass protections.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of