Ransomware evolves to hide in virtual machines

Sophos researchers have uncovered an advanced new ransomware attack campaign that uses unique methods for staying below the radar of cybersecurity teams.

In a blog post, the security company has detailed a recently detected attack involving the Ragnar Locker ransomware.

During the attack, the ransomware was deployed as a full virtual machine on each targeted device to evade detection.

The ransomware uses an Oracle VirtualBox Windows XP virtual machine and the payload has a 122 MB installer with a 282 MB virtual image within, all designed to conceal a 49 KB ransomware executable.

Because this executable runs inside the virtual guest machine, its processes and activities can run unhindered by security software on the physical host machine.

But by mounting drives on the host machine within the virtual machine, the ransomware is capable of attacking the data on these drives unimpeded.

Sophos’s Director of Engineering for Threat Mitigation, Mark Loman, said this marks the first time Sophos has seen this kind of tactic used for a ransomware attack.

“In the last few months, we’ve seen ransomware evolve in several ways. But the Ragnar Locker adversaries are taking ransomware to a new level and thinking outside of the box,” he said.

“They are deploying a well-known trusted hypervisor to hundreds of endpoints simultaneously, together with a pre-installed and pre-configured virtual disk image guaranteed to run their ransomware.”

Loman said the virtual machine used in the attack is tailored per endpoint. “[This allows it to] encrypt the local disks and mapped network drives on the physical machine, from within the virtual plane and out of the detection realm of most endpoint protection products,” he said.

Image credit: ©stock.adobe.com/au/monsitj