“In compromised networks, the group deploys the Ragnar Locker, carefully configuring the encryptor for a specific victim. Then, hackers demand a huge ransom for decrypting data accounting several tens to hundreds of thousands of US dollars)“, – say Sophos researchers.
For example, in April of this year, RagnarLocker attacked the network of energy giant Energias de Portugal (EDP). Then the hackers claimed that they had stolen 10 terabytes of confidential data and demanded a ransom of 1,580 bitcoins (approximately 11 million US dollars), threatening to release the data if, the ransom was not paid.
Because of the used tactics, stealth is crucial for Ragnar Locker operators. Therefore, the group recently developed a new trick to avoid detection by antivirus software.
Instead of launching the malware directly on the computer that has to be encrypted, hackers download and install Oracle VirtualBox. Then, the attackers configure the virtual machine in such a way as to give it full access to all local and shared disks, as well as allowing it to interact with files located outside its own storage.
As a result, a virtual machine with a cut down version of Windows XP SP3 called MicroXP v0.82 is loaded on the infected machine. Then, inside the VM, Ragnar Locker loads and starts independently. Researchers note that in the end, the attack payload is a 122 MB installer and a 282 MB virtual image. All this is necessary to conceal the malware executable file of 49 Kb.
Since the ransomware and its vrun.exe process work inside a virtual machine, antivirus software is unable to detect it. From the point of view of the antivirus, files on the local system and on shared disks are suddenly replaced by encrypted versions, but all modifications come from the legitimate VboxHeadless.exe process, so, the VirtualBox application is responsible for all this.
Sophos experts note that for the first time they see an encryptor that uses virtual machines.
“In the past few months, we have seen the development of ransomware in several areas. But Ragnar Locker’s operators take ransomware to a new level and think outside the box”, — write the experts.
Recall that large industrial companies are at risk of ransomware attacks: for example, last year, Swiss company Aebi Schmidt stopped production because of ransomware virus attack.
News-bpudepi.today is a domain that tries to trick you into subscribing to its browser notifications…
Doguhtam.xyz is a site that tries to trick you into subscribing to its browser notifications…
News-xlixoti.com is a site that tries to force you into subscribing to its browser notifications…
Ducesousightion.com is a domain that tries to trick you into clik to its browser notifications…
News-xlabica.live is a domain that tries to trick you into clik to its browser notifications…
Mergechain.co.in is a site that tries to trick you into subscribing to its browser notifications…