This ransomware has borrowed a sneaky trick for delivering malware to its victims

Ransomware group has borrowed a successful technique from another gang that makes it harder to spot when malware is being spread.
Written by Danny Palmer, Senior Writer

One of the most dangerous cyber-criminal ransomware operations around today has deployed a new tactic to help attacks stay undetected until it's too late, one most likely borrowed from another ransomware group.

What makes Maze so dangerous is that as well as demanding a six-figure – or higher – sum of bitcoin in exchange for the decryption key, they threaten to publish stolen internal data if their extortion demands aren't met.

The group is already skilled at infiltrating the networks of organisations but now they've adopted a new tactic that makes it even harder for victims to detect that there are outsiders on the network by using virtual machines to distribute the ransomware payload.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic) 

A similar tactic has previously been used by the Ragnar Locker ransomware group and it appears that Maze has taken inspiration from them as an additional means of delivering ransomware.

Cybersecurity researchers at Sophos uncovered the similarities between Maze's new tactics and the techniques pioneered by Ragnar Locker when investigating a Maze ransomware attack in July.

Using access to a file server, the hackers were able to deliver components required for the attack inside a virtual machine.

The way the virtual machine was programmed suggests that the attackers already had a strong hold on the victim's network at this time – but by deploying ransomware via a virtual machine, it helped keep the attack under the radar until the encryption was triggered and the network could be held to ransom.

"The virtual machine gives the attackers an unprotected machine to freely run the ransomware without fear of detection," Peter McKenzie, incident response manager at Sophos told ZDNet.

Maze is already a highly successful ransomware group, but the way it has adapted its tactics in this way shows that those behind it are continually attempting to find new ways to help make attacks even more successful – and, therefore, make more money from ransoms.

"Much like many of the other 'human-led' ransomware gangs that use a combination of advanced hacking tools and human 'hands-on' techniques, they are able to continue trying different techniques until they succeed or the targeted organization identifies the seriousness of the threat and takes action to remediate it," said McKenzie.

"Unfortunately many organizations have never had to deal with threats of this nature and are under-prepared to identify a human attacker on their network," he added.

Organisations can help protect against attacks being deployed in this way by blocking the use of unnecessary applications on machines, so attackers aren't able to exploit them.

Other steps organisations can take to avoid falling victim to a ransomware attack include ensuring that security patches are applied as soon as possible to prevent hackers from exploiting known vulnerabilities to gain a foothold inside the network in the first place, while organisations should also apply multi-factor authentication.

SEE: My stolen credit card details were used 4,500 miles away. I tried to find out how it happened

It's also important that organisations understand their own network and know what's usual behaviour – and thus what's unusual behaviour – so cybersecurity personnel can more easily spot suspected malicious activity.

"Protection against human-led ransomware attacks requires not just the most advanced security software but also experienced threat hunters and incident responders that can spot the signs of an intruder on their network and take the appropriate actions to contain and neutralize the threat," said McKenzie.


Editorial standards