Ragnar Locker ransomware deploys virtual machine to dodge security: Sophos
Sophos, a global leader in next-generation cybersecurity, has detected a new ransomware attack method which takes defense evasion to a new level—deploying as a full virtual machine on each targeted device to hide the ransomware from view.
In a recently detected attack, Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine. This is the first time Sophos has seen this kind of TTP used for a ransomware attack, according to Mark Loman, director of engineering, Threat Mitigation at Sophos.
SophosLabs Uncut has posted, “Ragnar Locker ransomware deploys virtual machine to dodge security,” a blog article that details a new Ragnar Locker TTP discovery, including a recent shift to deploy a well-known trusted hypervisor to hundreds of endpoints at the same time. This shows on how the attackers have advanced their methods and attempts to evade detection, the research further said.
“In the last few months, we’ve seen ransomware evolve in several ways. But, the Ragnar Locker adversaries are taking ransomware to a new level and thinking outside of the box. They are deploying a well-known trusted hypervisor to hundreds of endpoints simultaneously, together with a pre-installed and pre-configured virtual disk image guaranteed to run their ransomware,” said Mark Loman, Director of Engineering – Threat Mitigation at Sophos.
“Like a ghost able to interact with the material world, their virtual machine is tailored per endpoint, so it can encrypt the local disks and mapped network drives on the physical machine, from within the virtual plane and out of the detection realm of most endpoint protection products. The overhead involved to covertly run their 50 kilobyte ransomware seems like a bold, noisy move, but could pay-off in some networks that are not properly protected against ransomware. This is the first time we have seen virtual machines used for ransomware,” he said further.