
How cyberattackers tried to execute a $15-million ransomware attack

Hemani Sheth Mumbai | Updated on September 23, 2020 Published on September 23, 2020

Maze operators use virtual machines to spread the ransomware

Cyberattackers using ransomware called Maze tried to execute a $15-million ransomware attack in three different ways, according to an analysis by cybersecurity firm Sophos.

In its report ‘Maze Attackers Adopt Ragnar Locker Virtual Machine Technique’, Sophos detailed how attackers “tried three different ways to execute Maze ransomware during a single attack while demanding a $15-million ransom.”

“Maze is one of the most notorious ransomware families, active since 2019 when it evolved from ChaCha ransomware, and it was among the first to combine data encryption with information theft,” explained Sophos.

Maze operators attempted to use virtual machines to spread the ransomware during their third attempt. This technique was pioneered by a threat actor called Ragnar Locker.

According to the firm’s analysis, attackers were within the targeted network at least six days prior to their first attempt to launch the ransomware payload.

“During this time, the attackers explored the network, ran legitimate third-party tools, established connections, and exfiltrated data to a cloud storage service to prepare for the release of the ransomware component,” Sophos said.
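Two of the signals described above, bulk exfiltration to a cloud storage service during the dwell period and a hypervisor being started on an endpoint that should never run virtual machines, are the kind of thing a threat-hunting team looks for. The script below is an added example, not code from Sophos or from the article. The log formats, hostnames, cloud-storage domain list, byte threshold and hypervisor process names are all assumptions; the sample log lines are constructed.

```python
"""Hunt for pre-ransomware signals in constructed proxy and process logs.

Added example, not Sophos' or the article's code. Log line formats, hostnames,
thresholds, domain and process-name lists are assumptions.
"""
import re
from collections import defaultdict

# Assumption: proxy logs look like "<timestamp> <host> <dest_domain> <bytes_out>"
PROXY_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")
# Assumption: process-creation events look like "<timestamp> <host> <user> <image_path>"
PROC_LINE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")

# Assumption: domains your estate does not normally push large volumes to.
CLOUD_STORAGE_DOMAINS = {"mega.nz", "storage.googleapis.com", "dropbox.com"}
# Assumption: hypervisor binaries (Ragnar Locker's technique used VirtualBox).
HYPERVISOR_IMAGES = {"vboxheadless.exe", "virtualbox.exe", "vboxmanage.exe", "vmware-vmx.exe"}
EXFIL_THRESHOLD_BYTES = 500 * 1024 * 1024  # assumption: 500 MiB per host per window

# Constructed sample data: one file server pushing ~550 MiB to mega.nz, one
# workstation doing ordinary small transfers, plus a malformed line to skip.
SAMPLE_PROXY = [
    "2020-09-01T02:10:00Z FILESRV01 mega.nz 314572800",
    "2020-09-01T02:40:00Z FILESRV01 mega.nz 262144000",
    "2020-09-01T09:00:00Z WKSTN-22 docs.google.com 2048",
    "2020-09-01T09:05:00Z WKSTN-22 dropbox.com 10485760",
    "not a proxy line",
]
SAMPLE_PROC = [
    "2020-09-06T23:50:00Z FILESRV01 CORP\\svc_backup C:\\Program Files\\Oracle\\VirtualBox\\VBoxHeadless.exe",
    "2020-09-06T23:51:00Z DEV-LAB-03 CORP\\alice C:\\Program Files\\Oracle\\VirtualBox\\VirtualBox.exe",
    "2020-09-06T23:52:00Z WKSTN-22 CORP\\bob C:\\Windows\\System32\\notepad.exe",
]


def _is_cloud_storage(domain):
    """True if domain is, or is a subdomain of, a listed cloud-storage service."""
    return any(domain == d or domain.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def exfil_suspects(proxy_lines, threshold=EXFIL_THRESHOLD_BYTES):
    """Sum outbound bytes per host to cloud-storage domains; return hosts over threshold."""
    totals = defaultdict(int)
    for line in proxy_lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, host, dest, nbytes = m.groups()
        if _is_cloud_storage(dest.lower()):
            totals[host] += int(nbytes)
    return {host: total for host, total in totals.items() if total >= threshold}


def hypervisor_launches(proc_lines, allowed_hosts=frozenset()):
    """Return (host, user, image) for hypervisor starts on hosts not allowed to run VMs."""
    hits = []
    for line in proc_lines:
        m = PROC_LINE.match(line.strip())
        if not m:
            continue
        _ts, host, user, path = m.groups()
        image = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image in HYPERVISOR_IMAGES and host not in allowed_hosts:
            hits.append((host, user, image))
    return hits


def hunt(proxy_lines, proc_lines, allowed_hosts=frozenset()):
    """Combine both checks into one report keyed by finding type."""
    return {
        "exfil": exfil_suspects(proxy_lines),
        "hypervisor": hypervisor_launches(proc_lines, allowed_hosts),
    }


if __name__ == "__main__":
    # DEV-LAB-03 is an assumed lab host where VirtualBox is expected.
    for kind, findings in hunt(SAMPLE_PROXY, SAMPLE_PROC, {"DEV-LAB-03"}).items():
        print(kind, findings)
```

The allow-list matters: developer or lab machines legitimately run hypervisors, so the rule is only useful when scoped to servers and ordinary workstations. The byte threshold should be tuned to the baseline of each host class rather than applied estate-wide.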

After the first attempt to launch the ransomware, the attackers demanded a $15-million ransom from the target, which did not pay. The next two attempts were blocked by the security firm.

“The attack chain uncovered by Sophos threat responders highlights the agility of human adversaries and their ability to quickly substitute and reconfigure tools and return to the ring for another round,” said Peter Mackenzie, incident response manager, Sophos. “The use of a noisy Ragnar Locker virtual machine technique, with its big footprint and CPU usage, could reflect a growing frustration on the part of the attackers after their first two attempts to encrypt data failed.”

Sophos further advised IT teams to keep their systems updated, move them to the cloud and apply layered security to prevent such attacks. Other measures include using “anti-ransomware technology, educating employees on what to look out for, and setting up or engaging a human threat hunting service to spot clues an active attack is underway.”

“Every organisation is a target, and any spam or phishing email, exposed RDP port, vulnerable exploitable gateway device or stolen remote access credentials provides enough of an entry point for adversaries to gain a foothold,” said Mackenzie.

