Ransomware evolves to hide in virtual machines


By Dylan Bushell-Embling
Wednesday, 27 May, 2020



Sophos researchers have uncovered an advanced new ransomware attack campaign that uses unique methods for staying below the radar of cybersecurity teams.

In a blog post, the security company has detailed a recently detected attack involving the Ragnar Locker ransomware.

During the attack, the ransomware was deployed as a full virtual machine on each targeted device to evade detection.

The ransomware uses an Oracle VirtualBox Windows XP virtual machine: the payload is a 122 MB installer containing a 282 MB virtual disk image, all built to conceal a 49 KB ransomware executable.

Because this executable runs inside the virtual guest machine, its processes and activities run unhindered by security software on the physical host machine.

And because the drives on the host machine are mounted inside the virtual machine, the ransomware can attack the data on those drives unimpeded.
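As an added illustration (not from the article or from Sophos), this is the check a defender would want for the behaviour just described: given process-creation telemetry, flag any VirtualBox guest that is granted a whole local drive or a network share as a shared folder and is then started. The event records are constructed, and the assumption that the host drives are exposed through VirtualBox shared folders (`VBoxManage sharedfolder add`) is mine; the article does not say how the mapping was done.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    host: str      # endpoint the process ran on
    image: str     # process image name
    cmdline: str   # full command line as logged

# Constructed sample telemetry (not from the article): one endpoint gives a guest
# its whole C: drive plus a network share and then starts it; another only shares
# a developer's source folder, which should not be flagged.
SAMPLE_EVENTS = [
    ProcEvent("ws-17", "VBoxManage.exe",
              r'VBoxManage.exe sharedfolder add "micro" --name C_DRIVE --hostpath C:\ --automount'),
    ProcEvent("ws-17", "VBoxManage.exe",
              r'VBoxManage.exe sharedfolder add "micro" --name FIN --hostpath \\fileserver\finance --automount'),
    ProcEvent("ws-17", "VBoxHeadless.exe", r'VBoxHeadless.exe --startvm micro'),
    ProcEvent("dev-02", "VBoxManage.exe",
              r'VBoxManage.exe sharedfolder add "ubuntu" --name src --hostpath "C:\Users\dev\src"'),
]

# "sharedfolder add <vm> ... --hostpath <path>" with the path quoted or bare.
SHAREDFOLDER = re.compile(r'sharedfolder\s+add\s+"?([^"\s]+)"?.*?--hostpath\s+(?:"([^"]*)"|(\S+))', re.I)
STARTVM = re.compile(r'--startvm\s+"?([^"\s]+)"?', re.I)
# A bare drive root (C: or C:\) or a UNC share root (\\server\share), nothing deeper.
DRIVE_ROOT = re.compile(r"^(?:[A-Za-z]:\\?|\\\\[^\\]+\\[^\\]+\\?)$")

def parse_shared_folder(cmdline):
    """Return (vm_name, host_path) if the command line adds a shared folder, else None."""
    m = SHAREDFOLDER.search(cmdline)
    if not m:
        return None
    return m.group(1), (m.group(2) or m.group(3))

def detect_guest_drive_exposure(events):
    """List guests that were handed a whole drive or share, and whether they were started."""
    exposed = {}    # (host, vm) -> set of root paths shared into the guest
    started = set() # (host, vm) pairs seen being launched
    for ev in events:
        sf = parse_shared_folder(ev.cmdline)
        if sf and DRIVE_ROOT.match(sf[1]):
            exposed.setdefault((ev.host, sf[0]), set()).add(sf[1])
        m = STARTVM.search(ev.cmdline)
        if m:
            started.add((ev.host, m.group(1)))
    return [{"host": h, "vm": vm, "paths": sorted(paths), "started": (h, vm) in started}
            for (h, vm), paths in sorted(exposed.items())]

if __name__ == "__main__":
    for finding in detect_guest_drive_exposure(SAMPLE_EVENTS):
        print(finding)
```

The check only sees drives exposed through this one mechanism and will also flag legitimate developer VMs, so it is a hunting query to pair with an allow-list of known hypervisor installs, not a standalone alert.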

Sophos’s Director of Engineering for Threat Mitigation, Mark Loman, said this marks the first time Sophos has seen this kind of tactic used for a ransomware attack.

“In the last few months, we’ve seen ransomware evolve in several ways. But the Ragnar Locker adversaries are taking ransomware to a new level and thinking outside of the box,” he said.

“They are deploying a well-known trusted hypervisor to hundreds of endpoints simultaneously, together with a pre-installed and pre-configured virtual disk image guaranteed to run their ransomware.”

Loman said the virtual machine used in the attack is tailored per endpoint. “[This allows it to] encrypt the local disks and mapped network drives on the physical machine, from within the virtual plane and out of the detection realm of most endpoint protection products,” he said.
