Ragner Locker Ransomware using Virtual Machines to evade detection

Hackers are using an innovative new method to deploy Ransomware to their victims and avoid detection. By utilising the virtual machine capabilities built into modern desktop & server operating systems, they are able to access files on the host machine to encrypt them. Read more below.



What is Ransomware?

So by now you should have all heard of Ransomware, but to recap, this is a particular type of Malware (Malicious Software) which hackers use to extract money from their victims. This is typically done by encrypting all of the businesses files making them unusable, then asking the business for a ransom payment if they want to gain access to their files again.

Ransomware techniques actually date back as far as 1989 but there was a rise of modern attacks back in 2013 with a strain called Cryptolocker. This set about a new era of Cyber Criminals extracting money, usually through cryptocurrency payments such as Bitcoin.

Once infected, a computer or server on the business network would typically go through every file it can see on mapped network drives and even cloud storage, encrypt the file with a password only the attacker knows and then reveal the damage done at the end of the process to advise how you should make payment. A screen such as this would confirm that you’ve been attacked:

How damaging is Ransomware?

Heard of Travelex? Well they’re probably a good example as to how costly and damaging Ransomware can be to a business. In 2019 when they suffered a security breach and a Ransomware attack it cost their parent group Finablr in excess of £25m and has put the business on the brink of collapse.

Take a look at this article for more details.

What's new about this latest Ransomware threat?

Well since 2013, anti-malware and security vendors have been in a constant battle to try and stop Ransomware from infecting computers. Ransomware is one of the most devastating pieces of malware due to the incredible amount of damage and disruption it causes to businesses. Although the combined effort to try and detect and block these threats have gained some weight, the attackers are always one step ahead.

Lots of modern anti-malware software use something called behavioural analysis to try and detect these advanced threats. Instead of just looking at the file which is being run and determining whether the file looks bad, it also looks at what the computer is doing as a result of running the program or script. For example, if after running a file on your computer it suddenly starts scanning all files on your computer and network, making lots of very fast changes, this behaviour is suspicious. That’s what these modern security systems do, they look at the behaviour and block that rather than just looking at the file.

Because this has been more effective at blocking some of the hackers attempts to impart damage and subsequently earn their ransom fee, the hackers are using a new method.

Instead of trying to install the malicious software onto the victims computer or server, they are instead creating a virtual Windows XP machine on the system which has no security or protection on. From here the hacker can then scan its host system for files as well as the rest of the network, potentially bypassing any of the security systems working hard to keep you safe.

This is quite an advanced attack technique which has lots of potential pitfalls for the hacker. It requires that the system is capable of running a piece of software called VirtualBox and it has enough privileges to execute everything needed to perform the attack.

If you are interested in the full technical details of how this attack works, Sophos have done a write up of it here.

What can my business do to protect itself from Ransomware?

With anything in Cyber Security, you should use a layered approach to defending the business from threats. In the same way you could protect a physical building with layers such as:

  • Gates
  • Locks
  • CCTV
  • 24/7 monitoring
  • Security Alarm
  • Security Guard

With IT Security you should be utilising some or all of the following layers:

  • Anti-Malware Software on all computers & servers
  • Advanced mail filtering to detect and remove threats
  • Advanced Firewalls with Intrusion Detection & Prevention systems at all network boundaries
  • Update and patch management ensuring all hardware and software is fully up to date with the latest security releases
  • Cyber Security Awareness training and Phishing Testing for all employees as standard
  • A good backup and disaster recovery plan which is frequently tested
  • Limit user permissions and privileges to the minimum required for them to do their job
  • Two-Factor Authentication on any user accounts which are accessible from the internet
  • Regular security testing to detect vulnerabilities
  • Only use software which is current and fully supported by the vendor
  • Restrict or disable the use of USB Hard Drives or Pen Drives used on company equipment

This list is not exhaustive but gives an idea of the common things you should be doing in your business. If you would like to review the security techniques being used within your organisation, you can speak to one of our Certified Ethical Hackers who understand these issues.


Get In Touch.

If you have any questions, feel free to contact us by calling 01158 244 824 or email us using the button below.