The Maze threat actors have adopted a tactic previously used by the Ragnar Locker gang; to encrypt a computer from within a virtual machine. As the virtual machine is performing the encryption on the host’s drives, security software could not detect the malware and stop it. As Maze used Windows 7, the footprint was much larger at a total of 2.6 GB. Researchers note that this is an expensive attack method in terms of disk size compared to the previous attacks. It should also be noted that Ragnar. Locker is part of the ‘Maze Cartel,’ so it is possible that Ragnar offered help to Maze.
Source: https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/