{
	"id": "17eec032-231f-4e26-baf8-606705d21427",
	"created_at": "2026-04-06T00:22:24.441272Z",
	"updated_at": "2026-04-10T03:21:39.431756Z",
	"deleted_at": null,
	"sha1_hash": "c63c14e2625494b13d9ddc3a30b0d923767982e7",
	"title": "Maze ransomware now encrypts via virtual machines to evade detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1282040,
	"plain_text": "Maze ransomware now encrypts via virtual machines to evade detection\r\nBy Lawrence Abrams\r\nPublished: 2020-09-17 · Archived: 2026-04-05 16:41:17 UTC\r\nThe Maze ransomware operators have adopted a tactic previously used by the Ragnar Locker gang; to encrypt a computer\r\nfrom within a virtual machine.\r\nIn May, we previously reported that Ragnar Locker was seen encrypting files through VirtualBox Windows XP virtual\r\nmachines to bypass security software on the host.\r\nThe virtual machine would mount a host's drives as remote shares and then run the ransomware in the virtual machine to\r\nencrypt the share's files.\r\nhttps://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/\r\nPage 1 of 4\n\nhttps://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nAs the virtual machine is not running any security software and is mounting the host's drives, the host's security software\r\ncould not detect the malware and block it.\r\nMaze now uses virtual machines to encrypt computers\r\nWhile performing an incident response for one of their customers, Sophos discovered Maze had attempted to deploy their\r\nransomware twice but were blocked by Sophos' Intercept X feature.\r\nFor the first two attempts, the Maze attacker attempted to launch various ransomware executables using scheduled tasks\r\nnamed 'Windows Update Security,' or 'Windows Update Security Patches,' or 'Google Chrome Security Update.'\r\nAfter the two failed attacks, Sophos' Peter Mackenzie told BleepingComputer that the Maze threat actors tried a tactic\r\npreviously used by the Ragnar Locker ransomware.\r\nIn their third attack, Maze deployed an MSI file that installed the VirtualBox VM software on the server along with a\r\ncustomized Windows 7 virtual machine.\r\nOnce the virtual machine was started, like the previous Ragnar Locker attacks, a batch file called startup_vrun.bat batch file\r\nwould be executed that preps the machine with the Maze executables.\r\nBatch file to launch Maze ransomware on VM\r\nThe machine is then shut down, and once restarted again, will launch vrun.exe to encrypt the host's files.\r\nAs the virtual machine is performing the encryption on the host's mounted drives, security software could not detect the\r\nbehavior and stop it.\r\nThe SophosLabs researchers note that this is an expensive attack method in terms of disk size compared to Ragnar Locker's\r\nprevious attacks.\r\nAs Ragnar Locker's VM attack utilized Windows XP, the total footprint was only 404 MB in size. As Maze used Windows 7,\r\nthe footprint was much larger at a total of 2.6 GB.\r\nThis attack illustrates how ransomware operations monitor the tactics of their competitors and adopt them as necessary.\r\nhttps://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/\r\nPage 3 of 4\n\nIt should also be noted that Ragnar Locker is part of the 'Maze Cartel,' so it is possible that Ragnar offered help to Maze in\r\nthis attack method.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/\r\nhttps://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/"
	],
	"report_names": [
		"maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection"
	],
	"threat_actors": [],
	"ts_created_at": 1775434944,
	"ts_updated_at": 1775791299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c63c14e2625494b13d9ddc3a30b0d923767982e7.pdf",
		"text": "https://archive.orkl.eu/c63c14e2625494b13d9ddc3a30b0d923767982e7.txt",
		"img": "https://archive.orkl.eu/c63c14e2625494b13d9ddc3a30b0d923767982e7.jpg"
	}
}