Ragnar Locker Ransomware

Threat actors have developed a new type of attack method by hiding Ragnar Locker ransomware inside a virtual machine to avoid detection

Ragner Locker

Ragnar Locker ransomware attack that “takes defense evasion to a new level.” According to the post, this variant was deployed inside a Windows XP virtual machine in order to hide the malicious code from anti malware detection. The  Virtual Machine includes an old version of the Sun xVM Virtual Box, which is a free, open source hypervisor that was acquired by Oracle when it acquired Sun Microsystems in 2010.

“In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server,”

The MSI package contained Sun xVM VirtualBox version 3.0.4, which was released August of 2009, and “an image of a stripped-down version of the Windows XP SP3 operating system, called MicroXP v0.82.” In that image is a 49 KB Ragnar Locker executable file.

“Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they’re out of reach for security software on the physical host machine,”

This was the first time seen virtual machines used for ransomware attacks.

It’s unclear how many organizations were affected by this recent attack and how widespread it was. In the past, the Ragnar Locker ransomware group has targeted managed service providers and used their remote access to clients to infect more organizations.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s