# Maze ransomware now encrypts via virtual machines to evade detection **[bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/](https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/)** Lawrence Abrams By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) September 17, 2020 02:24 PM 6 The Maze ransomware operators have adopted a tactic previously used by the Ragnar Locker gang; to encrypt a computer from within a virtual machine. In May, we [previously reported that Ragnar Locker was seen encrypting files through](https://www.bleepingcomputer.com/news/security/ransomware-encrypts-from-virtual-machines-to-evade-antivirus/) VirtualBox Windows XP virtual machines to bypass security software on the host. The virtual machine would mount a host's drives as remote shares and then run the ransomware in the virtual machine to encrypt the share's files. As the virtual machine is not running any security software and is mounting the host's drives, the host's security software could not detect the malware and block it. ## Maze now uses virtual machines to encrypt computers ----- [While performing an incident response for one of their customers, Sophos discovered Maze](https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/) had attempted to deploy their ransomware twice but were blocked by Sophos' Intercept X feature. For the first two attempts, the Maze attacker attempted to launch various ransomware executables using scheduled tasks named 'Windows Update Security,' or 'Windows Update Security Patches,' or 'Google Chrome Security Update.' After the two failed attacks, Sophos' Peter Mackenzie told BleepingComputer that the Maze threat actors tried a tactic previously used by the Ragnar Locker ransomware. In their third attack, Maze deployed an MSI file that installed the VirtualBox VM software on the server along with a customized Windows 7 virtual machine. Once the virtual machine was started, like the previous Ragnar Locker attacks, a batch file called startup_vrun.bat batch file would be executed that preps the machine with the Maze executables. **Batch file to launch Maze ransomware on VM** The machine is then shut down, and once restarted again, will launch vrun.exe to encrypt the host's files. ----- As the virtual machine is performing the encryption on the host s mounted drives, security software could not detect the behavior and stop it. The SophosLabs researchers note that this is an expensive attack method in terms of disk size compared to Ragnar Locker's previous attacks. As Ragnar Locker's VM attack utilized Windows XP, the total footprint was only 404 MB in size. As Maze used Windows 7, the footprint was much larger at a total of 2.6 GB. This attack illustrates how ransomware operations monitor the tactics of their competitors and adopt them as necessary. [It should also be noted that Ragnar Locker is part of the 'Maze Cartel,' so it is possible that](https://www.bleepingcomputer.com/news/security/maze-ransomware-adds-ragnar-locker-to-its-extortion-cartel/) Ragnar offered help to Maze in this attack method. ### Related Articles: [New ‘Cheers’ Linux ransomware targets VMware ESXi servers](https://www.bleepingcomputer.com/news/security/new-cheers-linux-ransomware-targets-vmware-esxi-servers/) [Hive ransomware ports its Linux VMware ESXi encryptor to Rust](https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/) [Windows 11 KB5014019 breaks Trend Micro ransomware protection](https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/) [Industrial Spy data extortion market gets into the ransomware game](https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/) [SpiceJet airline passengers stranded after ransomware attack](https://www.bleepingcomputer.com/news/security/spicejet-airline-passengers-stranded-after-ransomware-attack/) [Maze](https://www.bleepingcomputer.com/tag/maze/) [Ragnar Locker](https://www.bleepingcomputer.com/tag/ragnar-locker/) [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [Virtual Machine](https://www.bleepingcomputer.com/tag/virtual-machine/) [VirtualBox](https://www.bleepingcomputer.com/tag/virtualbox/) [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. [Previous Article](https://www.bleepingcomputer.com/news/security/ransomware-attack-at-german-hospital-leads-to-death-of-patient/) [Next Article](https://www.bleepingcomputer.com/news/google/google-chromes-new-feature-will-automatically-group-your-tabs/) ### Comments ----- [zakish7 - 1 year ago](https://www.bleepingcomputer.com/forums/u/1178515/zakish7/) This wouldn't work if sharing was disabled in VM's settings right? [qwertyanon - 1 year ago](https://www.bleepingcomputer.com/forums/u/1178528/qwertyanon/) probably not, we should ask them to disable it when they launch the vm. :p [Lawrence Abrams - 1 year ago](https://www.bleepingcomputer.com/author/lawrence-abrams/) It's a customized VM installation. They control the settings. ----- [zakish7 - 1 year ago](https://www.bleepingcomputer.com/forums/u/1178515/zakish7/) Appreciate the reply -- my bad, didn't notice the payload was an entire VM :) [testa - 1 year ago](https://www.bleepingcomputer.com/forums/u/1051973/testa/) So the way to protect from VM attacks is to disable virtualization in BIOS right if you don't use VM? Maybe anti-virus could be implemented to read contents inside VM disks. 7-zip can read them and extract just fine unless encrypted [jasonanwe - 1 year ago](https://www.bleepingcomputer.com/forums/u/1178627/jasonanwe/) Disable Windows (MSI) Installer via GPO (i.e., Enable 'Turn off Windows Installer'). Then only those with admin rights can install (and no one should be primarily working from an ID with admin rights). Guide: [https://www.top-password.com/blog/turn-off-windows-installer-to-block-msi-package/](https://www.top-password.com/blog/turn-off-windows-installer-to-block-msi-package/) Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) ----- You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----