The operators of the RagnarLocker ransomware are installing the VirtualBox app and running virtual machines on the computers they infect so they can run their ransomware in a "safe" environment, outside the reach of local antivirus software.
This latest trick was spotted and detailed today by UK cyber-security firm Sophos, and it shows the creativity and great lengths some ransomware gangs will go to in order to avoid detection while attacking a victim.
Avoiding detection is crucial because RagnarLocker isn't your typical ransomware gang. They appear to be a group that carefully selects targets, avoiding home consumers, and goes after corporate networks and government organizations only.
Sophos says the group has targeted victims in the past by abusing internet-exposed RDP endpoints and has compromised MSP (managed service provider) tools to breach companies and gain access to their internal networks.
On these networks, the RagnarLocker group deploys a version of their ransomware, customized for each victim, and then demands an astronomical decryption fee in the tens of thousands of US dollars or more.
Because each of these carefully planned intrusions represents an opportunity to earn large amounts of money, the RagnarLocker group has put a premium on stealth and has recently come up with a novel trick to avoid detection by antivirus software.
THE VIRTUAL MACHINE TRICK
The "trick" is actually quite simple and clever once you think about it.
Instead of running the ransomware directly on the computer they want to encrypt, the RagnarLocker gang downloads and installs Oracle VirtualBox, a type of software that lets you run virtual machines.
The group then configures the virtual machine to give it full access to all local and shared drives, allowing the virtual machine to interact with files stored outside its own storage.
The next step is to boot up the virtual machine, running a stripped-down version of the Windows XP SP3 OS called MicroXP v0.82.
The final phase is to load the ransomware inside the virtual machine (VM) and run it. Because the ransomware runs inside the VM, the antivirus software won't be able to detect the ransomware's malicious process.
From the antivirus software's point of view, files on the local system and shared drives will suddenly be replaced with their encrypted versions, and all of the file modifications appear to come from a legitimate process, namely the VirtualBox app.
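The last point is what a defender can key on: on the host, the only thing touching the files is the hypervisor. The following detection logic is an added example written for this article; it is not code from Sophos or from the RagnarLocker report. It assumes Sysmon-style process and file events already parsed into dicts, that VirtualBox runs as VBoxHeadless.exe or VirtualBox.exe under an "Oracle\VirtualBox" directory, that C: is the operating-system volume, and that the host allowlist and thresholds are illustrative values. Two rules are applied: a hypervisor binary starting on a host where none is expected, and one hypervisor process modifying many distinct files on shared or mapped drives within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption (not from the article): VirtualBox process image names as they
# appear in host telemetry.
HYPERVISOR_IMAGES = {"vboxheadless.exe", "virtualbox.exe", "virtualboxvm.exe"}

# Assumption: hosts where a hypervisor is legitimately expected.
HYPERVISOR_ALLOWLIST = {"dev-build-01"}

FILE_OPS = {"FileCreate", "FileModify", "FileRename"}


def image_name(image_path):
    """Basename of a Windows or POSIX image path, lower-cased."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_hypervisor(image_path):
    return image_name(image_path) in HYPERVISOR_IMAGES


def is_shared_or_mapped(path):
    """UNC path or a drive letter other than the OS volume (assumption: C: holds the OS)."""
    p = path.replace("/", "\\")
    if p.startswith("\\\\"):
        return True
    return len(p) > 1 and p[1] == ":" and p[0].upper() != "C"


def unexpected_hypervisor_starts(events):
    """Rule 1: a hypervisor binary starting on a host that is not allowlisted."""
    hits = []
    for ev in events:
        if (ev["op"] == "ProcessCreate" and is_hypervisor(ev["image"])
                and ev["host"] not in HYPERVISOR_ALLOWLIST):
            hits.append((ev["host"], ev["pid"], ev["image"]))
    return hits


def hypervisor_mass_file_changes(events, window=timedelta(minutes=2), threshold=20):
    """
    Rule 2: one hypervisor process touching >= threshold distinct files on shared
    or mapped drives inside a sliding time window. One alert per (host, pid).
    """
    per_proc = defaultdict(list)
    for ev in events:
        if ev["op"] in FILE_OPS and is_hypervisor(ev["image"]) and is_shared_or_mapped(ev["path"]):
            per_proc[(ev["host"], ev["pid"])].append((datetime.fromisoformat(ev["ts"]), ev["path"]))
    alerts = []
    for (host, pid), touched in per_proc.items():
        touched.sort()
        start = 0
        for end, (t_end, _) in enumerate(touched):
            # Advance the window start so it covers only the last `window` of events.
            while touched[start][0] < t_end - window:
                start += 1
            distinct = {p for _, p in touched[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"host": host, "pid": pid, "files": len(distinct),
                               "window_start": touched[start][0].isoformat()})
                break
    return alerts


def build_sample_events():
    """Constructed telemetry for the example; not real data."""
    vbox = r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe"
    base = datetime(2020, 5, 21, 9, 0, 0)
    events = [{"ts": base.isoformat(), "host": "fileserver-07", "pid": 4242,
               "image": vbox, "op": "ProcessCreate", "path": ""}]
    # 25 documents on a file share overwritten by the hypervisor within 50 seconds.
    for i in range(25):
        events.append({"ts": (base + timedelta(seconds=10 + 2 * i)).isoformat(),
                       "host": "fileserver-07", "pid": 4242, "image": vbox,
                       "op": "FileModify", "path": rf"\\fileserver-07\finance\report{i}.docx"})
    # Allowlisted developer box: the same binary writing its own VM disks on C: (benign).
    for i in range(3):
        events.append({"ts": (base + timedelta(seconds=i)).isoformat(),
                       "host": "dev-build-01", "pid": 900, "image": vbox,
                       "op": "FileModify", "path": rf"C:\Users\dev\VirtualBox VMs\test\disk{i}.vdi"})
    # An ordinary office process on the file server; ignored by both rules.
    events.append({"ts": (base + timedelta(seconds=5)).isoformat(), "host": "fileserver-07",
                   "pid": 1337, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                   "op": "FileModify", "path": r"\\fileserver-07\finance\budget.docx"})
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    print("unexpected hypervisor starts:", unexpected_hypervisor_starts(sample))
    print("mass file changes:", hypervisor_mass_file_changes(sample))
```

Rule 1 is the cheaper signal and fires before any encryption happens; rule 2 is the fallback for hosts where a hypervisor is tolerated. In production both would be fed from the endpoint agent's process-creation and file-write events rather than from the constructed list above.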
An overview of the whole RagnarLocker ransomware, including its VM trick, is available in Sophos' recent report.