Bitcoin Forum
Author Topic: Ragnar Locker ransomware deploys virtual machine to dodge security  (Read 117 times)
Yaunfitda (OP)
May 22, 2020, 03:32:00 AM
 #1

Ragnar Locker ransomware deploys virtual machine to dodge security



There is a new ransomware using an old version of Oracle's VirtualBox to conceal its presence on infected machines inside a Windows XP virtual machine. Sounds complicated, right? That's why this malware is targeting specific victims like corporations and governments, but I'm sure the next iteration will go full blast and try to infect as many machines as it can find.

Quote
The adversaries behind Ragnar Locker have been known to steal data from targeted networks prior to launching ransomware, to encourage victims to pay. In April, the actors behind Ragnar Locker attacked the network of Energias de Portugal (EDP) and claimed to have stolen 10 terabytes of sensitive company data, demanding a payment of 1,580 Bitcoin (approximately $11 million US) and threatening to release the data if the ransom was not paid.

So instead of running the malware on the machine itself, it first downloads and installs Oracle VirtualBox. Then it sets it up to work with files stored outside the VM, copied to the folder C:\Program Files (x86)\VirtualAppliances. Next it boots up the VM and runs it; a script executes a command to delete the targeted PC's volume shadow copies, so victims cannot restore older unencrypted versions of their files. And because it is running inside a VM, anti-virus can't detect it.

Quote
The following steps can be identified in the root cause analysis (RCA) logs:

Microsoft Installer (msiexec.exe) executes
MSI package is downloaded
bat is executed: cmd.exe /c “C:\Program Files (x86)\VirtualAppliances\install.bat”
Attempts to terminate Anti-Virus process: taskkill /IM SavService.exe /F
Attempts to stop Anti-Virus service and other processes: sc stop mysql
Mounts accessible networks share to available drive letters: mountvol E: \\?\Volume{174f8ec6-d584-11e9-8afa-806e6f6e6963}\
Starts VirtualBox in headless mode: "C:\Program Files (x86)\VirtualAppliances\app64\VBoxHeadless.exe" --startvm micro -v off
Deletes shadow copies: vssadmin delete shadows /all /quiet

Source: https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
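As an added illustration of how a defender can turn the RCA steps quoted above into a detection, here is a small Python sketch that is not part of the Sophos write-up or of this thread. It assumes process-creation telemetry (Sysmon Event ID 1, an EDR feed, or similar) has already been normalised into dicts with `ts`, `host`, `image` and `cmdline` keys; the sample events are constructed, the `VirtualAppliances` path is the one quoted in the post, and the volume GUID is a placeholder. The point it adds to the text is that no single step is a reliable signal (an admin stopping MySQL is normal), but several of them on one host inside a short window, including the headless VM start or the shadow-copy deletion, is what makes this chain stand out.

```python
"""Correlate the Ragnar Locker VM-deployment chain from process-creation events.

Added example (not from the Sophos post or the forum thread).  Events are
assumed to be dicts: {"ts": <epoch seconds>, "host": str, "image": str,
"cmdline": str}.  The sample events at the bottom are constructed.
"""
import re
from collections import defaultdict

# One rule per RCA step worth alerting on.  Patterns are applied to the
# lower-cased command line.  The VirtualAppliances path comes from the post;
# the other patterns are generic to the commands listed there.
RULES = [
    ("msi_install_bat", re.compile(r"cmd\.exe\s+/c\s+.*virtualappliances\\install\.bat")),
    ("av_process_kill", re.compile(r"taskkill(\.exe)?\s+.*?/im\s+\S+\s+/f\b")),
    ("service_stop",    re.compile(r"\bsc(\.exe)?\s+stop\s+\S+")),
    ("mount_volume",    re.compile(r"mountvol(\.exe)?\s+[a-z]:\s+\\\\\?\\volume\{")),
    # Accept both "--startvm" and the en-dash variant that web copies often carry.
    ("vbox_headless",   re.compile(r"vboxheadless\.exe\S*\s+[-\u2013]+startvm\b")),
    ("shadow_delete",   re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
]

# Steps that are strong enough that an alert must contain at least one of them.
KEY_STEPS = {"vbox_headless", "shadow_delete"}


def match_rules(event):
    """Return the names of all rules whose pattern matches this event."""
    text = (event.get("cmdline") or event.get("image") or "").lower()
    return [name for name, rx in RULES if rx.search(text)]


def correlate(events, window_s=1800, min_rules=3):
    """Emit one alert per host whose rule hits, inside a window_s-second window
    starting at any hit, cover at least min_rules distinct steps and include a
    key step.  Returns a list of alert dicts."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name in match_rules(ev):
            by_host[ev["host"]].append((ev["ts"], name))

    alerts = []
    for host, hits in by_host.items():
        for start in range(len(hits)):
            t0 = hits[start][0]
            window = [h for h in hits[start:] if h[0] - t0 <= window_s]
            names = {n for _, n in window}
            if len(names) >= min_rules and names & KEY_STEPS:
                alerts.append({
                    "host": host,
                    "first_ts": t0,
                    "last_ts": window[-1][0],
                    "rules": sorted(names),
                })
                break  # one alert per host is enough for triage
    return alerts


# Constructed sample telemetry: ws-17 shows the full chain, ws-22 only a
# routine service stop that must not fire on its own.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "ws-17", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\Public\update.msi /qn"},
    {"ts": 1030, "host": "ws-17", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files (x86)\VirtualAppliances\install.bat"'},
    {"ts": 1035, "host": "ws-17", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /IM SavService.exe /F"},
    {"ts": 1036, "host": "ws-17", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc stop mysql"},
    {"ts": 1040, "host": "ws-17", "image": r"C:\Windows\System32\mountvol.exe",
     # Placeholder GUID, not the one from the Sophos RCA.
     "cmdline": "mountvol E: \\\\?\\Volume{00000000-0000-0000-0000-000000000000}\\"},
    {"ts": 1050, "host": "ws-17",
     "image": r"C:\Program Files (x86)\VirtualAppliances\app64\VBoxHeadless.exe",
     "cmdline": r'"C:\Program Files (x86)\VirtualAppliances\app64\VBoxHeadless.exe" --startvm micro -v off'},
    {"ts": 1100, "host": "ws-17", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": 2000, "host": "ws-22", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc stop mysql"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The msiexec step is deliberately left without a rule: a silent MSI install is far too common to contribute signal, so the chain is anchored on the later, more specific commands instead. In a real deployment the window and threshold would be tuned against the environment's normal admin activity.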

Yaunfitda (OP)
May 23, 2020, 03:53:51 AM
 #2

That's one annoying ransomware, but unfortunately the article didn't mention how to prevent it or whether Windows update/anti-virus already can detect it.

I think this ransomware is fairly new and evolving and that it has the capability to disarm those AVs.
They even admit that it is the first time they have seen this kind of attack vector. So maybe AV companies are looking for a solution right now.

One of the fastest solutions is to have a decryptor, but I'm not sure how long it will take to make one for this specific ransomware.
