RagnarLocker Ransomware Hides in Virtual Machine to Escape Detection

Security researchers are warning of a new ransomware attack technique which deploys the malware as a virtual machine (VM) in order to evade traditional defenses.

Sophos revealed that it recently detected a RagnarLocker attack in which the ransomware was hidden inside an Oracle VirtualBox Windows XP VM.

It said the attack payload was a 122MB installer, with a 282MB virtual image inside concealing a 49KB executable.

“In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server,” Sophos director of engineering, Mark Loman, explained.

The MSI package contained an Oracle VirtualBox hypervisor and a virtual disk image file (VDI) named micro.vdi, which was an image of a stripped-down version of the Windows XP SP3 operating system.

“Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they’re out of reach for security software on the physical host machine,” said Loman.

The attack appears to have been highly targeted, as the ransom note contained the victim’s name.

RagnarLocker has been in action recently, after it was deployed against Portuguese energy giant Energias de Portugal (EDP) group in an attack demanding a payment of €10m ($11m).

As Loman explained, the group behind the ransomware typically targets managed service providers (MSPs) and exploits holes in Windows Remote Desktop Protocol (RDP) to gain a foothold into organizations.

“After gaining administrator-level access to the domain of a target and exfiltration of data, they have used native Windows administrative tools such as Powershell and Windows Group Policy Objects (GPOs) to move laterally across the network to Windows clients and servers,” he said.

What’s Hot on Infosecurity Magazine?