“In compromised networks, the group deploys Ragnar Locker, carefully configuring the encryptor for each specific victim. The hackers then demand a huge ransom for decrypting the data, amounting to several tens to hundreds of thousands of US dollars,” say Sophos researchers.
For example, in April of this year, Ragnar Locker attacked the network of the energy giant Energias de Portugal (EDP). The hackers then claimed that they had stolen 10 terabytes of confidential data and demanded a ransom of 1,580 bitcoins (approximately 11 million US dollars), threatening to release the data if the ransom was not paid.
Given these tactics, stealth is crucial for the Ragnar Locker operators, so the group recently developed a new trick to avoid detection by antivirus software.
Instead of launching the malware directly on the computer to be encrypted, the hackers download and install Oracle VirtualBox. They then configure the virtual machine so that it has full access to all local and shared disks and can interact with files located outside its own storage.
As a result, a virtual machine running a cut-down version of Windows XP SP3 called MicroXP v0.82 is loaded on the infected machine, and Ragnar Locker then loads and starts on its own inside the VM. Researchers note that in the end the attack payload is a 122 MB installer and a 282 MB virtual image, all of it needed to conceal a malware executable of only 49 KB.
Since the ransomware and its vrun.exe process run inside the virtual machine, antivirus software on the host is unable to detect them. From the antivirus's point of view, files on the local system and on shared disks are suddenly replaced by encrypted versions, but all the modifications come from the legitimate VBoxHeadless.exe process, so the VirtualBox application appears to be responsible for all of it.
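The host-side symptom described above (a trusted VirtualBox process mass-rewriting user files and network-share files it has no reason to touch) is something a defender can hunt for in file-write telemetry. The script below is an added example, not code from the article or from Sophos; it runs a simple heuristic over constructed file-write events modelled loosely on Sysmon-style fields. The process list, the VM storage roots and the thresholds are assumptions to be tuned per environment.

```python
"""Detection heuristic: a VirtualBox host process writing to many files
outside the VM's own storage directory.

Ransomware running inside a guest and writing through VirtualBox shared
folders looks, from host telemetry, like VBoxHeadless.exe modifying files
across user directories and network shares. Normal VirtualBox I/O stays in
the folder holding the VM's disk images, so writes elsewhere are the signal.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: VirtualBox host processes that carry guest-originated disk I/O.
VBOX_PROCESSES = {"vboxheadless.exe", "virtualboxvm.exe", "vboxsvc.exe"}

# Assumption: where VM disk images legitimately live on this host (lower-case).
VM_STORAGE_ROOTS = ("c:\\users\\vmuser\\virtualbox vms\\", "c:\\vms\\")

# Heuristic thresholds (assumed; tune for the environment).
MIN_FILES = 20          # distinct files touched outside VM storage
MIN_DIRECTORIES = 3     # spread across at least this many directories


@dataclass(frozen=True)
class FileEvent:
    process: str   # full image path of the process that wrote the file
    path: str      # target path on a local disk or a UNC share


def is_vm_storage(path):
    """True if the path is inside a known VM image directory."""
    return path.lower().startswith(VM_STORAGE_ROOTS)


def is_network_share(path):
    """True for UNC paths such as \\\\fileserver\\share\\file."""
    return path.startswith("\\\\")


def analyse(events):
    """Return one alert dict per VirtualBox process that mass-writes files
    outside VM storage; an empty list means nothing suspicious was seen."""
    touched = defaultdict(set)
    for ev in events:
        name = ev.process.lower().rsplit("\\", 1)[-1]
        if name not in VBOX_PROCESSES:
            continue
        if is_vm_storage(ev.path):
            continue   # VDI/VMDK/log writes inside the VM folder are normal
        touched[name].add(ev.path)

    alerts = []
    for name, paths in touched.items():
        dirs = {p.lower().rsplit("\\", 1)[0] for p in paths}
        shares = [p for p in paths if is_network_share(p)]
        if len(paths) >= MIN_FILES and len(dirs) >= MIN_DIRECTORIES:
            alerts.append({
                "process": name,
                "files": len(paths),
                "directories": len(dirs),
                "network_share_files": len(shares),
            })
    return alerts


def sample_events():
    """Constructed telemetry: a benign set (VM image writes only) and the
    same set plus 30 guest-driven writes to documents and a file share."""
    vbox = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxHeadless.exe"
    benign = [FileEvent(vbox, "C:\\Users\\vmuser\\VirtualBox VMs\\win10\\win10.vdi")] * 5
    targets = ["C:\\Users\\alice\\Documents",
               "D:\\Finance\\2020",
               "\\\\fileserver\\shared\\projects"]
    suspicious = [FileEvent(vbox, f"{targets[i % 3]}\\report_{i}.docx")
                  for i in range(30)]
    return benign, benign + suspicious


if __name__ == "__main__":
    benign, attack = sample_events()
    print("benign run:", analyse(benign))
    print("attack run:", analyse(attack))
```

Blocking VBoxHeadless.exe outright is rarely an option where VirtualBox is legitimately used, which is why the rule keys on where the writes land rather than on the process alone; pairing it with a check for VirtualBox being installed on hosts that never had it gives a second, independent signal.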
Sophos experts note that this is the first time they have seen an encryptor that uses virtual machines.
“In the past few months, we have seen the development of ransomware in several areas. But Ragnar Locker’s operators take ransomware to a new level and think outside the box,” the experts write.
Recall that large industrial companies are at risk of ransomware attacks: for example, last year the Swiss company Aebi Schmidt halted production because of a ransomware attack.