New form of ransomware deploys virtual machines to avoid detection

RagnarLocker, a new form of ransomware, is using an innovative approach to prevent itself from being detected by antivirus programs.

The method involves installing Oracle VirtualBox and then running virtual machines on compromised computers so that the ransomware is run in a ‘safe’ environment.

Sophos, a UK cyber security company, was the first to spot it, detailing the ransomware’s creative approach to victimising the target.

Government organisations and corporate networks are its main focus, rather than home consumers.

According to Sophos, this particular variant of ransomware exploits internet-exposed RDP endpoints and obtains unauthorised access by using MSP tools.

Each instance of ransomware is highly customised and is deployed once the perpetrators get in.

Those who get infected are asked to pay a huge fee ranging from tens of thousands to hundreds of thousands of US dollars.

Because every successful infection represents an opportunity to earn a large sum of money, its developers have put a high emphasis on stealth.

Upon infection, the VirtualBox app is downloaded and installed on the victim’s computer.

The trick lies in configuring it in such a manner that it can fully interact with all local and shared drives, even those outside of the virtual environment.

The next step involves loading up a special version of Windows XP SP3 and running the ransomware inside of it.

Because the ransomware runs inside the virtual machine rather than as an ordinary process on the host, antivirus programs on the host do not detect it.

If the ransomware is successful, files on the shared drive and the local system will get replaced with encrypted versions.
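The technique described above depends on a VirtualBox guest being given writable shared folders that map the host's entire drives and network shares. VirtualBox records that configuration in the VM's .vbox XML file (SharedFolder elements with hostPath and writable attributes under the Machine element), which gives a defender a concrete artefact to inspect. The following Python script is an added example written for this article, not Sophos's or the ransomware authors' code; the .vbox content it scans is constructed for illustration, and the regular expressions and the choice of "drive root or UNC path" as the trigger are the author's own assumptions about what a suspicious share looks like.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample .vbox files (not artefacts from any real incident).
# The first mirrors the described setup: a Windows XP guest whose shared
# folders expose whole host drives and a network share with write access.
SUSPICIOUS_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-windows">
  <Machine uuid="{00000000-0000-0000-0000-000000000001}" name="micro" OSType="WindowsXP">
    <Hardware>
      <Memory RAMSize="256"/>
      <SharedFolders>
        <SharedFolder name="sf_C" hostPath="C:\\" writable="true" autoMount="true"/>
        <SharedFolder name="sf_D" hostPath="D:\\" writable="true" autoMount="true"/>
        <SharedFolder name="share" hostPath="\\\\fileserver\\finance" writable="true" autoMount="true"/>
        <SharedFolder name="docs" hostPath="C:\\Users\\alice\\Documents" writable="false" autoMount="true"/>
      </SharedFolders>
    </Hardware>
  </Machine>
</VirtualBox>
"""

# A benign developer VM: one writable share of a project subfolder only.
BENIGN_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-windows">
  <Machine uuid="{00000000-0000-0000-0000-000000000002}" name="devbox" OSType="Ubuntu_64">
    <Hardware>
      <SharedFolders>
        <SharedFolder name="src" hostPath="C:\\Users\\alice\\src" writable="true" autoMount="true"/>
      </SharedFolders>
    </Hardware>
  </Machine>
</VirtualBox>
"""

# Assumed heuristics: a writable share whose host path is a bare drive
# root (C:, C:\) or a UNC path (\\server\share...) is worth an alert.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
UNC_PATH = re.compile(r"^\\\\[^\\]+\\[^\\]+")


@dataclass
class Finding:
    vm_name: str
    share_name: str
    host_path: str
    reason: str


def _local(tag: str) -> str:
    """Strip the XML namespace so matching does not depend on the xmlns URI."""
    return tag.rsplit("}", 1)[-1]


def scan_vbox(xml_text: str) -> list[Finding]:
    """Return one Finding per writable shared folder that exposes a whole
    host drive or a network path to the guest."""
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    for machine in root.iter():
        if _local(machine.tag) != "Machine":
            continue
        vm_name = machine.get("name", "?")
        for sf in machine.iter():
            if _local(sf.tag) != "SharedFolder":
                continue
            host_path = sf.get("hostPath", "")
            writable = sf.get("writable", "false").lower() == "true"
            if not writable:
                continue  # read-only shares cannot be used to overwrite files
            share = sf.get("name", "")
            if DRIVE_ROOT.match(host_path):
                findings.append(Finding(vm_name, share, host_path,
                                        "writable share of an entire host drive"))
            elif UNC_PATH.match(host_path):
                findings.append(Finding(vm_name, share, host_path,
                                        "writable share of a network path"))
    return findings


def guest_is_legacy_windows(xml_text: str) -> bool:
    """Weaker secondary signal: the guest OS type is Windows XP."""
    root = ET.fromstring(xml_text)
    return any(_local(m.tag) == "Machine" and m.get("OSType", "").startswith("WindowsXP")
               for m in root.iter())


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_VBOX), ("benign", BENIGN_VBOX)):
        hits = scan_vbox(text)
        print(f"{label}: {len(hits)} finding(s), legacy guest={guest_is_legacy_windows(text)}")
        for f in hits:
            print(f"  [{f.vm_name}] {f.share_name} -> {f.host_path}: {f.reason}")
```

In practice this would run over the .vbox files under each user's VirtualBox VMs directory on hosts where VirtualBox is not an expected application; a fresh VirtualBox installation on such a host is itself the earlier and simpler signal, and the share mapping just confirms why it was installed.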

According to Mark Loman, threat mitigation and engineering director at Sophos, this is the first documented case of hackers using virtualisation technology as part of an attack.

He described their approach as “thinking outside of the box”.