Euro Security Watch with Mathew J. Schwartz

Maze Ransomware Attack Borrows RagnarLocker Hacking Move

Ransomware Gang Cross-Pollination Continues as LockBit Launches Its Own Leaks Site
Maze ransom note (Source: Sophos)

Stop me if you think you've heard this one before: Some ransomware attackers are hiding attack code in virtual machines or creating new leaking sites to pressure victims into paying.

Lately with ransomware, it's déjà vu all over again as gangs keep borrowing each other's latest innovations.

For example, security firm Sophos says it's been investigating a July attack involving the Maze ransomware gang and virtual machines. Attackers "distributed the file-encrypting payload of the ransomware on the VM's virtual hard drive," Sophos says.

If this sounds familiar, it might be because it follows Sophos reporting in May that it had witnessed a different gang - RagnarLocker - using such tactics. In that case, RagnarLocker used a 122 MB "OracleVA.msi" installer to distribute a 282 MB "micro.vdi" VirtualBox virtual disk image - containing a Windows XP virtual machine - "all to conceal a 49 KB ransomware executable," Sophos said.

In the more recent case, Maze started off with a simpler attack. After gaining access to the victim's network, attackers used batch files to help distribute ransomware payloads - named enc.exe, enc6.exe, and network.dll - onto network-connected systems and then used scheduled tasks, named to resemble Windows Update routines, to set them to execute, Sophos says.

When that failed, attackers then disabled the real-time monitoring feature built into Windows Defender and attempted to use the same tactics as before to execute a malicious payload named license.exe.

When that too failed, Maze's next move was to take a play from RagnarLocker's playbook, using a 733 MB "pikujuwusewa.msi" installer file to distribute a 1.9 GB "micro.vdi" Windows 7 virtual disk image that concealed a 494 KB payload file.

"The attackers also bundled a stripped-down, 11-year-old copy of the VirtualBox hypervisor inside the .msi file, which runs the VM as a 'headless' device, with no user-facing interface," Sophos researchers say in a report about the attack.

Thankfully for the victim, the third attempt also failed, although it appears that attackers were able to steal some data, Sophos says.
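Each of the three attempts described above leaves a process-creation trace that defenders can hunt for. The following is an added example, not code from Sophos or from this article: it checks constructed process-creation records for an update-lookalike scheduled task, a Defender real-time monitoring change and a headless VirtualBox launch. The task names, paths and host names are constructed, and treating C:\Windows and C:\Program Files as trusted locations is an assumption.

```python
import re

# Constructed process-creation records (image path + command line); not from the report.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn "Windows Update Security Patches" '
            r'/tr "C:\ProgramData\enc6.exe" /sc once /st 23:00 /ru SYSTEM'},
    {"host": "ws01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn "Nightly Backup" '
            r'/tr "C:\Program Files\Backup\run.exe" /sc daily /st 01:00'},
    {"host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws03", "image": r"C:\ProgramData\vbox\VBoxHeadless.exe",
     "cmd": "VBoxHeadless.exe --startvm micro"},
    {"host": "ws04", "image": r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
     "cmd": "VBoxHeadless.exe --startvm buildbox"},
]

# Assumption: task actions under these directories are treated as legitimate.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
VBOX_DIR = "c:\\program files\\oracle\\virtualbox\\"  # default VirtualBox install path

def _arg(cmd, flag):
    """Return the quoted or bare value that follows a schtasks flag, or None."""
    m = re.search(flag + r'\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None

def detect(ev):
    """Return the rule ids that one process-creation record triggers."""
    image, cmd, hits = ev["image"].lower(), ev["cmd"], []
    if image.endswith("\\schtasks.exe") and re.search(r"/create\b", cmd, re.I):
        name, action = _arg(cmd, "/tn"), _arg(cmd, "/tr")
        # Update-like task name whose action points outside the trusted directories.
        if (name and action and "update" in name.lower()
                and not action.lower().startswith(TRUSTED_DIRS)):
            hits.append("update_lookalike_task")
    if re.search(r"set-mppreference\b.*-disablerealtimemonitoring\s+(\$true|1)\b",
                 cmd, re.I):
        hits.append("defender_rtm_disabled")
    # A hypervisor binary dropped by an installer runs from a non-default path.
    if image.endswith("\\vboxheadless.exe") and not image.startswith(VBOX_DIR):
        hits.append("vboxheadless_unusual_path")
    return hits

def scan(events):
    """Return (host, rule id) pairs for every record that triggers a rule."""
    return [(ev["host"], hit) for ev in events for hit in detect(ev)]

if __name__ == "__main__":
    for host, hit in scan(SAMPLE_EVENTS):
        print(host, hit)
```
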

$15 Million Ransom Demand (Not Paid)

The security firm has declined to name the target but says the organization was hit with a $15 million ransom demand, which it did not pay. The attackers apparently hacked into the victim's network at least seven days before first attempting to execute crypto-locking malware.

"The investigation also turned up several installer scripts that revealed the attackers' tactics and found that the attackers had spent days preparing to launch the ransomware by building lists of IP addresses inside the target's network, using one of the target's domain controller servers, and exfiltrating data to cloud storage provider," Sophos says.

Delays between hackers gaining access to a network and unleashing malware are common, especially because the hackers may be conducting reconnaissance to identify valuable data, steal that data and then leave the ransomware as an attack-monetization coup de grâce.

"Groups activating acting weeks or months after compromise is not new behavior - nor is it unusual," Brett Callow, a threat analyst at security firm Emsisoft, has told me.

LockBit Launches Leaks Site

Separately, the LockBit ransomware-as-a-service operation, which launched in the second quarter of this year, on Monday unveiled its own data-leaking site - I'm not going to link to it - that lists two victims: a Japanese servos and industrial robot manufacturer and a Croatian parcel-delivery service. For both firms, LockBit has linked to archives it uploaded to, which it says have samples of the data it stole from each victim.

The banner of LockBit's dedicated data-leaking site

By launching a dedicated leaks site, LockBit joins another dozen gangs that have been using this tactic to pressure more victims to pay a ransom. Maze first launched a data leaks site last November and others soon followed its example. Security experts say this tactic is to blame for a rise in the number of victims paying ransoms in recent months - as well as bigger ransoms paid (see: Ransomware Payday: Average Payments Jump to $178,000).

Encryption Challenges

Fraud threat intelligence firm Gemini Advisory notes that LockBit appears to be a Russian-language RaaS operation, and in January, it began using Russian cybercrime forums to attempt to recruit new affiliates.

LockBit was one of the ransomware operations highlighted by Microsoft in an April report that charted some ransomware-wielding attackers' use of more sophisticated hacking techniques. Microsoft said it had traced attackers who wielded both LockBit and CrackMapExec, a publicly available penetration testing tool, to move laterally across compromised networks.

The Maze site on June 2 advertised a LockBit attack against architectural firm Smith Group and hosted leaked files. (Source: Kela)

Whatever their network-penetration skills, one frequent challenge for ransomware-wielding gangs involves encryption. Indeed, many ransomware gangs have a reputation for using code that fails to encrypt all files correctly, so that when the originals get deleted, they can never be restored. Others have a reputation for writing shoddy restoration software that often shreds files.

LockBit also appears to have had encryption challenges, based on Russian-language cybercrime forum chatter. Gemini Advisory says that a user named "Wexford," who claims to have been working as a LockBit affiliate for four months, said LockBit victims appeared to be extremely unwilling to pay - and so the group had received no ransom payments. Wexford said victims appeared to be having difficulties in decrypting files.

Wexford reported that "LockBit indicated that there was a bug in their system and that since Aug. 23, network files were not getting properly encrypted," Gemini Advisory says, based on cybercrime forum chatter that I was also able to verify with Kela.

"After this, Wexford conducted an analysis of their previous 'jobs' and noticed that the network files were not getting encrypted from the get-go; instead only local files were encrypted. Furthermore, Wexford pointed out that the backups were not encrypted either," Gemini Advisory says. Because the files were not encrypted in the first place, decryption keys were failing, since there was nothing to decrypt. "Wexford alleged that as victim companies discover this, LockBit would lose its negotiating leverage, and the companies could restore information from their network files or backups."

'Cartel' of Self-Promotion

Previously, LockBit outsourced its data-leaking efforts to Maze.

On June 2, under the banner of the "Maze Cartel," the Maze gang began advertising a LockBit attack against architectural firm Smith Group and hosted leaked files.

Despite the word "cartel" having sinister overtones, Victoria Kivilevich, a threat intelligence analyst at Israeli cybersecurity intelligence firm Kela, wrote in a blog post last month that the cross-posting efforts appeared to be little more than self-promotion.

"Based on the fact that these cooperation efforts were spotted over a month ago and we did not see any new postings, we can assume that this 'cartel' was just another marketing effort for ransomware gangs," she said. "It means that threat actors behind the ransomware decided to jointly promote the leaks in order to intimidate victims, but it is hardly possible that they collaborated in terms of further monetizing the stolen data."

Maze, meanwhile, hasn't been standing still since debuting the first-ever ransomware gang data-leaking site, dubbed "Happy Blog." Bill Siegel, CEO of ransomware incident response firm Coveware, tells me the gang is aggressively recruiting specialists to help it take down bigger targets and bring in larger ransom payments.

The average ransom paid by victims based on thousands of cases investigated by Coveware

The types of specialists being recruited include "people that specialize in the exfiltration of data, people that specialize in the cloud storage and moving around large volumes of stolen data, people that specialize in the negotiations and people who specialize in encryption and decryption," he says.

Ransomware gangs are growing, practicing excessive self-promotion, psychologically shaking down victims in new ways, experiencing encryption problems and also learning from each other's infiltration techniques. So often with ransomware, it's more of the same.

But as Coveware's Siegel tells me: "If you were running a business that had, you know, 80% to 90% profit margins and kept growing every month, would you change?"

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
