Ragnar Locker ransomware deploys virtual machine to dodge security

[Yaunfitda]

Ragnar Locker ransomware deploys virtual machine to dodge security



There is a new ransomware using Oracle's VirtualBox (old version) to conceal their presence on infected machines inside a Windows XP Virtual Machine. Sounds complicated right? That's why this malware are targeting specifics like corporation and government, but I'm sure the next iteration will go full blast and will try to infect as many machines they can find.

The adversaries behind Ragnar Locker have been known to steal data from targeted networks prior to launching ransomware, to encourage victims to pay. In April, the actors behind Ragnar Locker attacked the network of Energias de Portugal (EDP) and claimed to have stolen 10 terabytes of sensitive company data, demanding a payment of 1,580 Bitcoin (approximately $11 million US) and threatening to release the data if the ransom was not paid.

So instead of running the malware to the machine itself, it will first downloads and installs Oracle VirtualBox. Then set it up to work with files stored outside, copied to the folder C:\Program Files (x86)\VirtualAppliances.. Next is to boot up the VM, then run it, script executes a command to delete the targeted PC’s volume shadow copies, so victims cannot restore older unencrypted versions of their files. And because it is running on VM, anti-virus can't detect it.

The following steps can be identified in the root cause analysis (RCA) logs:

Microsoft Installer (msiexec.exe) executes
MSI package is downloaded
bat is executed: cmd.exe /c “C:\Program Files (x86)\VirtualAppliances\install.bat”
Attempts to terminate Anti-Virus process: taskkill /IM SavService.exe /F
Attempts to stop Anti-Virus service and other processes: sc stop mysql
Mounts accessible networks share to available drive letters: mountvol E: \\?\Volume{174f8ec6-d584-11e9-8afa-806e6f6e6963}\
Starts VirtualBox in headless mode: C:\Program Files (x86)\VirtualAppliances\app64\VBoxHeadless.exe” –startvm micro -v off
Deletes shadow copies: vssadmin delete shadows /all /quiet

Source: https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/

[Yaunfitda]

That's one annoying ransomware, but unfortunately the article didn't mention how to prevent it or whether Windows update/anti-virus already can detect it.

I think this ransomware is fairly new and evolving and that is has the capability to disarm those AV.
They even admit that it is the first time that they have seen this kind of attack vector. So maybe AV companies are looking for solution right now.

One fastest solution is to have a decryptor, but not sure how long will it take to make one for this specific ransomware.