Ragnar Locker ransomware attack hides inside virtual machine
Threat actors have developed a new type of attack method by hiding Ragnar Locker ransomware inside a virtual machine to avoid detection.
Threat actors developed a new type of ransomware attack that uses virtual machines, Sophos revealed Thursday in a blog post.
Sophos researchers recently detected a Ragnar Locker ransomware attack that "takes defense evasion to a new level." According to the post, the ransomware variant was deployed inside a Windows XP virtual machine to hide the malicious code from antimalware detection. The virtual machine runs on an old version of Sun xVM VirtualBox, the free, open source hypervisor that passed to Oracle with its acquisition of Sun Microsystems in 2010.
"In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server," Mark Loman, Sophos' director of engineering for threat mitigation, wrote in the post.
The MSI package contained Sun xVM VirtualBox version 3.0.4, released in August 2009, and "an image of a stripped-down version of the Windows XP SP3 operating system, called MicroXP v0.82." Inside that image is a 49 KB Ragnar Locker executable file.
"Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they're out of reach for security software on the physical host machine," Loman wrote.
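The chain Loman describes, a GPO-pushed msiexec.exe fetching a package from a remote server and a VirtualBox guest appearing on a host that should never run one, is visible in endpoint process telemetry even when the payload itself is out of reach of host security software. The following is an added example, not code from Sophos or from the article: it runs two defender-side rules over a handful of constructed process-creation events. The log shape, host names, PIDs, paths and URL are made up; the msiexec quiet switches are real, and the hypervisor allowlist is assumed to exist.

```python
from urllib.parse import urlparse

# Constructed process-creation events in a simplified
# "host|pid|parent_image|image|command_line" shape. Hosts, PIDs, paths and the URL are
# invented to exercise the rules below; none of them come from the Sophos write-up.
SAMPLE_EVENTS = [
    "fileserver-02|4012|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\msiexec.exe|"
    "msiexec.exe /i http://files.example.invalid/pkg.msi /q",
    "fileserver-02|4020|C:\\Windows\\System32\\msiexec.exe|"
    "C:\\Program Files\\Sun\\VirtualBox\\VBoxHeadless.exe|VBoxHeadless.exe --startvm micro",
    "laptop-17|4031|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\msiexec.exe|"
    "msiexec.exe /i C:\\Users\\jdoe\\Downloads\\tool.msi",
    "dev-workstation-01|4040|C:\\Windows\\explorer.exe|"
    "C:\\Program Files\\Oracle\\VirtualBox\\VirtualBox.exe|VirtualBox.exe",
    "fileserver-02|4055|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe",
]

# Assumption: the organisation keeps a list of hosts that are expected to run a desktop hypervisor.
HYPERVISOR_ALLOWLIST = {"dev-workstation-01"}

# Real msiexec switches that suppress the installer UI.
QUIET_FLAGS = {"/q", "/qn", "/qb", "/quiet"}


def parse_event(line):
    host, pid, parent_image, image, command_line = line.split("|", 4)
    return {"host": host, "pid": int(pid), "parent_image": parent_image,
            "image": image, "command_line": command_line}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def remote_quiet_msi_install(ev):
    """msiexec.exe pointed at an http(s) package source combined with a silent-UI switch."""
    if basename(ev["image"]) != "msiexec.exe":
        return None
    tokens = ev["command_line"].split()
    quiet = any(t.lower() in QUIET_FLAGS for t in tokens)
    remote = [t for t in tokens if urlparse(t).scheme in ("http", "https")]
    if quiet and remote:
        return {"rule": "remote_quiet_msi_install", "host": ev["host"], "pid": ev["pid"],
                "severity": "high", "detail": remote[0]}
    return None


def unexpected_hypervisor(ev):
    """A VirtualBox binary starting on a host that is not expected to run a hypervisor,
    rated higher when an installer (msiexec.exe) is its parent process."""
    name = basename(ev["image"])
    if not ("vbox" in name or "virtualbox" in name):
        return None
    if ev["host"] in HYPERVISOR_ALLOWLIST:
        return None
    spawned_by_installer = basename(ev["parent_image"]) == "msiexec.exe"
    return {"rule": "unexpected_hypervisor", "host": ev["host"], "pid": ev["pid"],
            "severity": "critical" if spawned_by_installer else "medium", "detail": name}


RULES = (remote_quiet_msi_install, unexpected_hypervisor)


def scan(lines):
    """Apply every rule to every event and collect the findings in event order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            finding = rule(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} on {f['host']} pid {f['pid']}: {f['detail']}")
```

Run against the constructed events, the local, interactive MSI install on laptop-17 and the VirtualBox launch on the allowlisted workstation produce nothing, while the remote silent install and the hypervisor spawned by msiexec on fileserver-02 are both raised. In a real deployment the same two rules would sit on Sysmon or 4688 process-creation data, with the allowlist populated from the asset inventory.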
This was the first time Sophos had seen virtual machines used in ransomware attacks, Loman said.
It's unclear how many organizations were affected by this recent attack and how widespread it was. Sophos was unavailable for comment at press time. In the past, the Ragnar Locker ransomware group has targeted managed service providers and used their remote access to clients to infect more organizations.
In other Sophos news, the company published an update Thursday regarding the attacks on Sophos XG Firewalls. Threat actors used a customized Trojan Sophos calls "Asnarök" to exploit a zero-day SQL vulnerability in the firewalls, which the vendor quickly patched through a hotfix. Sophos researchers said the Asnarök attackers tried to bypass the hotfix and deploy ransomware in customer environments. However, Sophos said it took other steps to mitigate the threat beyond the hotfix, which prevented the modified attacks.