Maze Ransomware Sophos



  1. As SophosLabs explains in the new report, the Maze crew was one of the first ransomware gangs out there to turn to a combination of blackmail and extortion, demanding that victims pay what is effectively hush money as well as a kidnap ransom.
  2. Sophos has published a report, “Maze Attackers Adopt Ragnar Locker Virtual Machine Technique,” which shows how attackers tried three different ways to execute Maze ransomware during a single attack while demanding a $15 million ransom.
  3. Mar 15, 2021: Sophos first detected and blocked a DearCry attack on a customer’s network in Austria on March 13. A few days earlier, on March 11, the same Exchange server was hit with a webshell, which was also blocked. The anti-ransomware team within SophosLabs evaluated two samples of DearCry for this analysis.

OXFORD, U.K., Sept. 17, 2020 (GLOBE NEWSWIRE) -- Sophos, a global leader in next-generation cybersecurity, today published a report, “Maze Attackers Adopt Ragnar Locker Virtual Machine Technique,” which shows how attackers tried three different ways to execute Maze ransomware during a single attack while demanding a $15 million ransom. On the third try, the Maze operators attempted to leverage virtual machines (VM) to spread the ransomware, a technique pioneered by Ragnar Locker, as reported by Sophos in May 2020. Maze is one of the most notorious ransomware families, active since 2019 when it evolved from ChaCha ransomware, and it was among the first to combine data encryption with information theft.

The data leak threat has become a signature of the REvil and Maze ransomware gangs; the Maze group has gone as far as to publicly publish chunks of data from victims who fail to pay by the deadline, taking down the dumps when they are finally paid.


How Maze’s Attack Attempts Unfolded

The investigation revealed that the attackers had penetrated the network at least six days before their first attempt to launch the ransomware payload. During this time, the attackers explored the network, ran legitimate third party tools, established connections, and exfiltrated data to a cloud storage service to prepare for the release of the ransomware component.

Upon launching the first ransomware attack, the operators demanded a $15 million ransom from the target of the attack. The target did not pay the ransom. When the attackers realized the first attack had failed, they launched a second, slightly different attempt. This was intercepted by security tools and the Sophos Managed Threat Response (MTR) team that was handling the incident response efforts. For the third attempt, the attackers used a reconfigured version of Ragnar Locker’s VM technique, this time running Windows 7 instead of Ragnar Locker’s Windows XP VM, and targeted just one file server. The attack and the Ragnar Locker technique were immediately recognized and blocked.

“The attack chain uncovered by Sophos threat responders highlights the agility of human adversaries and their ability to quickly substitute and reconfigure tools and return to the ring for another round,” said Peter Mackenzie, incident response manager, Sophos. “The use of a noisy Ragnar Locker virtual machine technique, with its big footprint and CPU usage, could reflect a growing frustration on the part of the attackers after their first two attempts to encrypt data failed.”

Steps to Prevent Cyberattacks
Sophos recommends that to prevent cyberattacks, particularly ransomware, IT security teams need to reduce the attack surface by updating to cloud-based, layered security systems, including anti-ransomware technology, educate employees on what to look out for, and consider setting up or engaging a human threat hunting service to spot clues an active attack is underway.

“Every organization is a target, and any spam or phishing email, exposed RDP port, vulnerable exploitable gateway device or stolen remote access credentials provides enough of an entry point for adversaries to gain a foothold,” said Mackenzie.

For additional information and the full article, please reference SophosLabs Uncut.

Additional Resources

  • To help stop ransomware attacks, read the five early indicators an attacker is present
  • For more about Maze, read Maze ransomware, extorting victims for one year and counting
  • Learn about Ragnar Locker and the use of virtual machines at Ragnar Locker ransomware deploys virtual machine to dodge security
  • Read about additional ransomware and security news on Naked Security
  • Learn about the threat landscape and trends in 2020 in the SophosLabs Threat Report
  • Connect with Sophos on Twitter, LinkedIn, Facebook, Spiceworks, and YouTube

About Sophos
As a worldwide leader in next-generation cybersecurity, Sophos protects more than 400,000 organizations of all sizes in more than 150 countries from today’s most advanced cyber threats. Powered by SophosLabs – a global threat intelligence and data science team – Sophos’ cloud-native and AI-powered solutions secure endpoints (laptops, servers and mobile devices) and networks against evolving cyberattack techniques, including ransomware, malware, exploits, data exfiltration, active-adversary breaches, phishing, and more. Sophos Central, a cloud-native management platform, integrates Sophos’ entire portfolio of next-generation products, including the Intercept X endpoint solution and the XG next-generation firewall, into a single “synchronized security” system accessible through a set of APIs. Sophos has been driving a transition to next-generation cybersecurity, leveraging advanced capabilities in cloud, machine learning, APIs, automation, managed threat response, and more, to deliver enterprise-grade protection to any size organization. Sophos sells its products and services exclusively through a global channel of more than 53,000 partners and managed service providers (MSPs). Sophos also makes its innovative commercial technologies available to consumers via Sophos Home. The company is headquartered in Oxford, U.K. More information is available at www.sophos.com.


Press Contact:
Hanah Johnson
sophos@marchcomms.com



It’s been a year since the Maze ransomware gang began its rise to notoriety. Previously identified as “ChaCha ransomware” (a name taken from the stream cipher used by the malware to encrypt files), the Maze “brand” was first affixed to the ransomware in May 2019.

Initial samples of Maze were tied to fake websites loaded with exploit kits. Since then, Maze has been delivered by multiple means: exploit kits, spam emails, and—as the group’s operations have become more targeted—Remote Desktop Protocol attacks and other network exploitation.

But aside from the gang’s adjustments in initial compromise approaches, the Maze group has risen in prominence largely because of its extortion tactics: following through on threats of exposure by publishing victims’ stolen data in public “dumps,” and offering victim data on cybercrime forums if no payment is made.


While Maze did not invent the

SHA256                                                            filename
4acba1590552c9b2b82f5a786cedc8a12ca457e355c94f666efef99073827f89  love.dll
20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd  argfdg, arsgt35yy, maze.exe
3c2be967cbaaafecf8256167ba32d74435c621e566beb06a1ead9d33d7e62d64  Attack!.rar
7a84d10ac55622cdac25f52170459ae5b8181ee3fc345eb1b1dcbd958b344aa6  Ave Kim, Emperor.exe