
Forget BYOD, this is BYOVM: Ransomware tries to evade antivirus by hiding in a virtual machine on infected systems

Like Inception, but expensive and disappointing. So... just like Inception


With antivirus tools increasingly wise to common infection tricks, one group of extortionists has taken the unusual step of stashing their ransomware inside its own virtual machine.

According to Vikas Singh, Gabor Szappanos, and Mark Loman at Sophos, criminals have slotted the file-scrambling Ragnar Locker nasty into a virtual machine running a variant of Windows XP, called MicroXP. Then, once the crooks have infiltrated a victim's network and gained administrative access – typically via a weak RDP box or through a compromised managed services provider – they download the VM, along with Oracle's VirtualBox hypervisor to run it, on each machine they can get into.

During the installation, backups, in the form of shadow volumes, are deleted so that they cannot be used to restore documents encrypted by the ransomware. Next, the host system is configured so that the ransomware in the virtual machine can access any connected storage drives, whether plugged in or mapped over the network. Then, any unwanted programs and services, such as remote management tools and backup utilities seemingly chosen on a per-victim basis, are terminated, and the virtual machine is booted up.


The ransomware then does its thing, encrypting files on the host computer, and leaves a ransom note demanding money to restore the enciphered data. It is assumed this is all to evade antivirus suites and other security mechanisms, by hiding the malicious code in a small single-vCPU 256MB RAM virtual machine, although Sophos said an infection was detected, so it's not completely foolproof.

"The attack payload was a 122MB installer with a 282MB virtual image inside," noted Sophos's Loman, "all to conceal a 49KB ransomware executable."

He added: "Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they’re out of reach for security software on the physical host machine. The data on disks and drives accessible on the physical machine are attacked by the 'legitimate' VboxHeadless.exe process, the VirtualBox virtualization software."
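A defender's view of the host-side steps described above, as an added example that is not Sophos's code or anything from the article: a small triage heuristic that scores constructed process-creation records (Sysmon Event ID 1 style fields) for shadow copy deletion, a host drive root being shared into a VirtualBox guest, and a headless VirtualBox process started from a shell or a non-standard install path. The `VBoxManage sharedfolder add` command, the trusted install directory and the weights are assumptions about how such a setup would look; the article does not state the exact commands used.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields);
# these are illustrative, not logs from the article or any real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\vbox\VBoxManage.exe",
     "CommandLine": r'VBoxManage sharedfolder add "micro" --name C_DRIVE --hostpath C:\ --automount',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\vbox\VBoxHeadless.exe",
     "CommandLine": "VBoxHeadless --startvm micro",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # A benign-looking launch from the normal install path via the GUI.
    {"Image": r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
     "CommandLine": "VBoxHeadless --startvm devbox",
     "ParentImage": r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"},
]

# Assumed location of a legitimately installed VirtualBox.
TRUSTED_VBOX_DIR = r"c:\program files\oracle\virtualbox"

def score_event(ev):
    """Return a list of (weight, reason) findings for one process record."""
    image = ev["Image"].lower()
    cmd = ev["CommandLine"].lower()
    parent = ev["ParentImage"].lower()
    findings = []
    if image.endswith("vssadmin.exe") and "delete" in cmd and "shadows" in cmd:
        findings.append((5, "shadow copy deletion"))
    if image.endswith("vboxmanage.exe") and "sharedfolder add" in cmd:
        # A whole drive root (e.g. C:\) exposed to the guest is the tell.
        if re.search(r'--hostpath\s+"?[a-z]:\\"?(\s|$)', cmd):
            findings.append((4, "host drive root shared into a VM"))
    if image.endswith("vboxheadless.exe"):
        if not image.startswith(TRUSTED_VBOX_DIR):
            findings.append((3, "VBoxHeadless.exe from non-standard path"))
        if parent.endswith(("cmd.exe", "powershell.exe")):
            findings.append((2, "headless VM launched from a shell"))
    return findings

def triage(events, threshold=5):
    """Sum weights over one host's events; return (total, reasons, flagged)."""
    total, reasons = 0, []
    for ev in events:
        for weight, reason in score_event(ev):
            total += weight
            reasons.append(reason)
    return total, reasons, total >= threshold
```

Any single finding is weak on its own (admins do run VirtualBox headless); the value is in the combination on one host within a short window.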

We're told the miscreants behind this malware are known to steal copies of organizations' data as well as encrypt it, which is used to further pressure victims to pay up: if they don't, sensitive internal information would be leaked or sold on to other hackers.

"In April, the actors behind Ragnar Locker attacked the network of Energias de Portugal (EDP) and claimed to have stolen 10 terabytes of sensitive company data, demanding a payment of 1,580 Bitcoin (approximately $11 million) and threatening to release the data if the ransom was not paid," noted Loman.

"In past attacks, the Ragnar Locker group has used exploits of managed service providers or attacks on Windows Remote Desktop Protocol (RDP) connections to gain a foothold on targeted networks. After gaining administrator-level access to the domain of a target and exfiltration of data, they have used native Windows administrative tools such as PowerShell and Windows Group Policy Objects (GPOs) to move laterally across the network to Windows clients and servers."

And this is why securing RDP, and picking a good cloud provider, matters, we guess. ®
