Back to Blog

RagnarLocker Ransomware Hides in Virtual Machine to Escape Detection

May 26, 2020

By: mirabiliscorp

Security researchers are warning of a new ransomware attack technique which deploys the malware as a virtual machine (VM) in order to evade traditional defenses.

Sophos revealed that it recently detected a RagnarLocker attack in which the ransomware was hidden inside an Oracle VirtualBox Windows XP VM.

It said the attack payload was a 122MB installer, with a 282MB virtual image inside concealing a 49KB executable.

“In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server,” Sophos director of engineering, Mark Loman, explained.

The MSI package contained an Oracle VirtualBox hypervisor and a virtual disk image file (VDI) named micro.vdi, which was an image of a stripped-down version of the Windows XP SP3 operating system.

“Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they’re out of reach for security software on the physical host machine,” said Loman.

The attack appears to have been highly targeted, as the ransom note contained the victim’s name.

RagnarLocker has been in action recently, after it was deployed against Portuguese energy giant Energias de Portugal (EDP) group in an attack demanding a payment of €10m ($11m).

Source: infosecurity-magazine

Contact us

Safety is essential to your decision making. We are sure that our team can clarify any doubts. After all, we understand security.

contact@sikur.com

Follow us

Try SIKUR





Contact Us
First Name*
Last Name*
E-mail*
Mobile Number*
Company*
Country*
Tell us what do you need* ?
Products: Hold CTRL+Click to add more than 1.* ?
Comments
I agree to the Privacy Policy and Terms of Service.