Late last spring the cybercriminals behind the Ragnar Locker ransomware used a virtual machine to evade detection, specifically an Oracle VirtualBox with Window XP inside.

Experts predicted at the time that the evasion technique would likely be adopted by other malware gangs. They were right.

In late September security researchers at Sophos published a report about attackers using the VM technique to attempt to infect computers with the Maze ransomware.

That attack took place in July and involved a full installation of Windows 7, also running inside a VirtualBox.

Use case for this VM-based approach aren’t limited to ransomware. VMs can be used to hide cryptominers and advanced persistent threats, said Juanita Koilpillai, leader of the Cloud Security Alliance’s software-defined perimeter working group and founder and CEO of Waverley Labs, a network security company.

“Data centers are typically not monitoring inside the virtual machines,” she told Data Center Knowledge earlier this year.

In case of the Maze attack discovered by Sophos, the upgrade from Windows XP to Windows 7 made the malware much bulkier. “It was weird,” said Chester Wisniewski, principal research scientist at Sophos.

Ragnar Locker’s attack payload was a 122MB installer with a 282MB virtual image inside. Maze took up nearly 3GB.

“The 15 years of Windows evolution caused a much more bloated size for the virtual machine,” Wisniewski told DCK. “And they also shipped more tools in the package.”

The larger size doesn’t necessarily mean it’s easier to detect.

The way the malware is hidden inside a VM makes it difficult for antivirus tools to detect, and its large size doesn’t necessarily make it easier. “They even joined the virtual machine to the domain, just like a real corporate computer,” he said. “They did their homework before they launched the attack.”

The attackers had the names of all the servers they planned to target and had set up connections to the file shares and credentials, a sign that they had been on the network for a long time, gathering up intelligence.

Attackers using Maze invest this amount of effort because they generally ask for at least a million dollars from their victims. In this particular case, they initially asked for $15 million.

According to Coalition, one of the largest providers of cyber insurance in North America, the Maze ransomware group had the highest ransom demands – six times higher than the average.

Ransomware incidents overall accounted for 41 percent of all cyber insurance claims in the first half of this year, with a 260 percent increase in number of attacks and a 47 percent increase in size of the ransom demands, Coalition reported.

Exiting the Maze

So how was Sophos able to stop the attackers, given Maze’s sophisticated stealth powers?

“We have a lot of other tooling that was able to pick it up on the network,” Wisniewski told us. “We’re beyond a static kind of ransomware, where you can just rely on a single factor.”

The attack was a reminder that data centers need to have multiple layers of protection in place. It also illustrated that a simplistic spot-and-block response may be inadequate.

The organizations you read about in news of high-profile security breaches often make the mistake of thinking that their initial lines of defense have discovered all there is to discover. “They don’t realize that for the criminals, the game has just begun,” Wisniewski said.

“In this case, our antivirus gave us parts and pieces of it. If we had said we blocked it and went home and not followed up, they would have adapted until they had bypassed those technologies. We had humans go looking, and we were able to find the malware,” and add protections and more layers of detection.

The initial round of defensive technologies worked like a tripwire. “When you find the early indicators, the battle is beginning at that point; it hasn’t ended.”

How to Protect Against VM-Based Attacks

The VM technique gives attackers a lot of capability inside a data center environment, said Saryu Nayyar, CEO at Gurucul, a cybersecurity vendor headquartered in El Segundo, California.

Other attackers may leverage the same strategy, she told DCK. “The more often malicious actors succeed using this technique, the more likely it is for others to adopt it for their own attacks.”

To succeed, attackers rely on data center administrators not knowing what VMs should and should not be running in their environment, she said.

Organizations doing “careful monitoring should be able to identify an attack like this,” she said. Behavioral-analytics tools are especially important in these types of attacks, where signature-based defenses might not be enough.

However, security software typically does not monitor activity inside the VMs themselves.

“Data center managers may not be aware of an attack given these circumstances – primarily if the organization regularly uses virtual machines,” said Jamie Hart, cyber threat intelligence analyst at Digital Shadows, a San Francisco-based cybersecurity company.

The first line of defense, she told DCK, is to prevent attackers from installing their VM in the first place. That means sticking to the basic rules of cybersecurity hygiene: patching and upgrading software, conducting anti-phishing training, using multi-factor authentication, using firewalls, limiting privileged access and the number of administrator accounts, and prohibiting remote desktop protocol access over the internet.

If attackers still manage to get in, application controls can prevent executables from running, she said. “And file integrity monitoring allows file changes to be tracked in real-time to identify unauthorized changes quickly.”

Finally, if all else fails, the data center should have an updated and practiced disaster recovery plan as well as continuously updated backups that are kept offline or on separate, secured servers.