Maze Ransomware in new Avatar

Maze ransomware, also known as "ChaCha ransomware", is a strain that compromises a host, encrypts its files and releases them only after a ransom is paid. What sets Maze apart is that the encrypted data is no longer left only on the host: it is also transferred to the attackers' machine. On top of that, if the ransom is not paid, the stolen files are leaked on the Internet.

Sophos, a British security software and hardware company, spotted two failed Maze ransomware attacks, both blocked by its Intercept X product, while performing a routine incident response for one of its clients. In those two attempts the attackers tried to launch the ransomware through scheduled tasks named 'Windows Update Security', 'Windows Update Security Patches' or 'Google Chrome Security Update'.

The third attempt Sophos encountered was different from the first two. This time Maze borrowed Ragnar Locker's technique of hiding inside a virtual machine to dodge detection. The Maze operators deployed an MSI file that installed VirtualBox together with a customised Windows 7 virtual machine. Once the VM started, a startup_vrun.bat batch file prepared the Maze executables to run against the host, and when the host machine was restarted the files started to be encrypted. Because the encryption of the host's mounted drives was carried out from inside the VM, security software on the host could not see the behaviour and stop it.
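As an added defender's illustration, not code from the Sophos write-up or this article, the sketch below correlates telemetry for the three visible steps of that chain: a scheduled task with one of the lookalike names, an unexpected VirtualBox MSI install, and the launch of startup_vrun.bat. The event dicts, their field names, host names and paths are constructed assumptions rather than any real product's log schema.

```python
import re
from collections import namedtuple

# Task names Sophos saw the Maze operators use to pose as update jobs.
LOOKALIKE_TASK_NAMES = {
    "windows update security",
    "windows update security patches",
    "google chrome security update",
}

Alert = namedtuple("Alert", "rule detail")

def analyze_events(events):
    """Flag the three observable steps of the VM dropper chain. Events are
    dicts with constructed field names (an assumption, not a real log schema)."""
    alerts = []
    for ev in events:
        kind = ev.get("type")
        if kind == "task_created":
            if ev.get("task_name", "").strip().lower() in LOOKALIKE_TASK_NAMES:
                alerts.append(Alert("lookalike_scheduled_task", ev["task_name"]))
        elif kind == "msi_install":
            # A hypervisor landing on a host that has no business running one.
            product = ev.get("product", "").lower()
            if "virtualbox" in product and not ev.get("hypervisor_expected", False):
                alerts.append(Alert("unexpected_virtualbox_install", ev["host"]))
        elif kind == "process_start":
            if re.search(r"startup_vrun\.bat", ev.get("command_line", ""), re.I):
                alerts.append(Alert("vm_startup_batch", ev["command_line"]))
    return alerts

def triage(alerts):
    """Escalate when the hypervisor install and its startup batch co-occur."""
    rules = {a.rule for a in alerts}
    if {"unexpected_virtualbox_install", "vm_startup_batch"} <= rules:
        return "high"
    return "medium" if rules else "none"

# Constructed sample telemetry; host names and paths are made up.
SAMPLE_EVENTS = [
    {"type": "task_created", "task_name": "Adobe Acrobat Update Task"},
    {"type": "task_created", "task_name": "Windows Update Security Patches"},
    {"type": "msi_install", "product": "Oracle VM VirtualBox", "host": "dev-ws-01", "hypervisor_expected": True},
    {"type": "msi_install", "product": "Oracle VM VirtualBox", "host": "fin-ws-07", "hypervisor_expected": False},
    {"type": "process_start", "command_line": r"C:\Windows\notepad.exe"},
    {"type": "process_start", "command_line": r"cmd.exe /c C:\ProgramData\vrun\startup_vrun.bat"},
]

if __name__ == "__main__":
    print(triage(analyze_events(SAMPLE_EVENTS)), [a.rule for a in analyze_events(SAMPLE_EVENTS)])
```

The sample run yields three alerts and a "high" triage because the VirtualBox install on a non-developer host and the startup_vrun.bat launch appear together; the benign Acrobat task and the developer workstation install are left alone.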

Some time ago, when Ragnar Locker's attack was first seen, it used a VM running a customised Windows XP. Maze has now moved to Windows 7, a more expensive way of launching the attack than Ragnar Locker's. This shows how attackers mould themselves to new techniques and keep finding new ways to launch an attack.
