Ransomware evolves to hide in virtual machines

By Dylan Bushell-Embling
Wednesday, 27 May, 2020

Sophos researchers have uncovered an advanced new ransomware attack campaign that uses unique methods for staying below the radar of cybersecurity teams.

In a blog post, the security company has detailed a recently detected attack involving the Ragnar Locker ransomware.

During the attack, the ransomware was deployed as a full virtual machine on each targeted device to evade detection.

The ransomware uses an Oracle VirtualBox Windows XP virtual machine and the payload has a 122 MB installer with a 282 MB virtual image within, all designed to conceal a 49 KB ransomware executable.

Because this executable runs inside the virtual guest machine, its processes and activities can run unhindered by security software on the physical host machine.

At the same time, because the host machine's drives are mounted inside the virtual machine, the ransomware can attack the data on those drives unimpeded.
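As an added defensive example, not code from the Sophos write-up or this article: detection logic run over constructed process-creation events that flags a hypervisor binary running from an unexpected path or sharing whole host drives (local or mapped) into a guest. The VirtualBox process names, default install path and `sharedfolder` command syntax are assumptions about the monitored environment.

```python
import re
from collections import defaultdict

# Hypervisor process names and the default install path are assumptions for
# this example; adjust them to the environment you monitor.
VBOX_BINARIES = {"vboxmanage.exe", "vboxheadless.exe", "virtualbox.exe"}
STANDARD_DIR = "c:\\program files\\oracle\\virtualbox\\"
# "--hostpath X:\" with nothing after the drive letter means a whole host
# drive (local or mapped network drive) is being exposed to the guest.
DRIVE_ROOT = re.compile(r'--hostpath\s+"?([A-Za-z]:\\?)"?(?=\s|$)', re.I)

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": r'VBoxManage.exe sharedfolder add "devbox" --name src --hostpath "C:\Users\alice\src"'},
    {"host": "ws07", "image": r"C:\Users\Public\VirtualBox\VBoxManage.exe",
     "cmdline": r'VBoxManage.exe sharedfolder add "micro" --name C_DRIVE --hostpath "C:\"'},
    {"host": "ws07", "image": r"C:\Users\Public\VirtualBox\VBoxManage.exe",
     "cmdline": r'VBoxManage.exe sharedfolder add "micro" --name Z_DRIVE --hostpath "Z:\"'},
    {"host": "ws07", "image": r"C:\Users\Public\VirtualBox\VBoxHeadless.exe",
     "cmdline": "VBoxHeadless.exe --startvm micro"},
]


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def analyze(event):
    """Return the suspicious traits of one process-creation event."""
    findings = []
    if basename(event["image"]) not in VBOX_BINARIES:
        return findings  # not a hypervisor process; nothing to assess
    if not event["image"].lower().startswith(STANDARD_DIR):
        findings.append("hypervisor binary outside standard install directory")
    m = DRIVE_ROOT.search(event["cmdline"])
    if m:
        findings.append("host drive root %s shared into guest" % m.group(1).rstrip("\\"))
    return findings


def hosts_at_risk(events):
    """Aggregate distinct findings per host; hosts with none are omitted."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(analyze(ev))
    return {h: sorted(f) for h, f in per_host.items() if f}
```

A developer's VM sharing one project folder from the standard install (ws01) produces no finding, while ws07 accumulates three distinct traits that together match the pattern the article describes.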

Sophos’s Director of Engineering for Threat Mitigation, Mark Loman, said this marks the first time Sophos has seen this kind of tactic used for a ransomware attack.

“In the last few months, we’ve seen ransomware evolve in several ways. But the Ragnar Locker adversaries are taking ransomware to a new level and thinking outside of the box,” he said.

“They are deploying a well-known trusted hypervisor to hundreds of endpoints simultaneously, together with a pre-installed and pre-configured virtual disk image guaranteed to run their ransomware.”

Loman said the virtual machine used in the attack is tailored per endpoint. “[This allows it to] encrypt the local disks and mapped network drives on the physical machine, from within the virtual plane and out of the detection realm of most endpoint protection products,” he said.
