In order to avoid detection by antivirus software, the operators of the RagnarLocker ransomware have begun installing Oracle’s VirtualBox and running virtual machines on the computers they infect before deploying their ransomware.
The UK-based cybersecurity firm Sophos first spotted this new technique and it shows just how far cybercriminals are willing to go to ensure that their ransomware attacks are not detected by a victim’s antivirus or other security software.
According to Sophos, the group behind RagnarLocker has been known to steal data from targeted networks before launching a ransomware attack in order to encourage victims to pay. Last month, they attacked the network of Energias de Portugal (EDP), claimed to have stolen 10TB of sensitive company data and demanded a ransom of $11m while threatening to release the data if the ransom was not paid.
In past attacks, the RagnarLocker group has used exploits of managed service providers (MSPs) or attacks on Windows Remote Desktop Protocol (RDP) connections to establish a foothold on targeted networks. After gaining admin-level access, the group uses native Windows administrative tools such as Powershell and Windows Group Policy Objects (GPOs) to move laterally across a network to launch attacks on other Windows clients and servers.
Deploying virtual machines
In its latest attack, the RagnarLocker group opted not run its ransomware directly on computers they wanted to encrypt and instead chose to download and install Oracle VirtualBox to run virtual machines. These virtual machines are then configured to give the attackers full access to all local and shared drives which allows the virtual machine to access files stored outside of its own storage.
The virtual machines are then booted up running a stripped-down version of Windows XP SP3 called MicroXP v0.82. The attackers then run their ransomware inside of the virtual machine and this makes it impossible for antivirus software to detect.
Instead of seeing an unknown program making changes to files stored on a device and in shared drives, to the antivirus software all of these changes appear to have originated from the legitimate VirtualBox app so users are not notified.
Sophos says that this is the first time it has seen a ransomware group abuse virtual machines during an attack but now that cybercriminals know this new technique works, expect to see others try to implement it in the future.