Ragnar Locker is deploying Windows XP virtual machines to encrypt victim’s files while evading detecting from security software installed on the host. It is the latest ransomware launched at the end of December 2019 targeting corporate networks in company-wide attacks, also well known for its attack on energy giant Energias de Portugal (EDP), where the attackers asked for a $10.9 million ransom after claiming to have stolen 10 TB of unencrypted files.
Ragnar Locker holds a history of utilizing novel methods to evade detection when deploying their ransomware on a network.
The ransomware goes one step ahead by also terminating managed service providers (MSP) utilities to prevent them from detecting and stopping an attack whilst many ransomware infections terminate security programs before encrypting.
Using virtual machines to evade detection
In a latest report by Sophos, the operators of the Ragnar Locker are utilizing another novel method to avoid being detected when encrypting files. They are deploying VirtualBox Windows XP virtual machines to execute the ransomware and encrypt files to avoid being detected by security software running on the host.
This attack is initialized by first creating a tool folder that includes VirtualBox, a mini Windows XP virtual disk called micro.vdi, and various executables and scripts in order to prep the system.
VirtualBox runs on a feature that allows the host operating system to share folders and drives as a network share inside a virtual machine. This allows the virtual machine to mount the shared path as a network drive from the \\VBOXSVR virtual computer and gain full access to it.
Using an install.bat batch file, the ransomware operators is designed to scan for local drives and mapped network drives on the host and builds a configuration file that automatically shares them with the virtual machine.
At the end, the script will have created an sf.txt file that contains VirtualBox configuration settings to automatically share all of the drives on the computer with the virtual machine.
Then, the attackers launch the Windows XP virtual machine with the created configuration file using the SharedFolder directives created by their batch file. After which, all of these shared drives will become accessible from within the virtual machine, and the Ragnar Locker ransomware executable will automatically be present in the root of the C:\ drive.
Also included is a vrun.bat file that is located in the Startup folder so that launches immediately as the virtual machine starts. The vrun.bat file, mounts each shared drive, encrypt it, and then proceed to the next drive shared with the virtual machine.
As the security software running on the victim’s host is not designed to detect the ransomware executable or activity on the virtual machine, it will blissfully run continually without detecting that the victim’s files are now being encrypted.
It should be noted that if the victim was running Windows 10’s Controlled Folder Access anti-ransomware feature, there are possibilities that it may have been protected from an attack like this as the operating system would have detected writes to the protected folders.
After which, the victim will chance upon a custom ransom note on their computer explaining how their company has been breached and their files being encrypted. The use of a virtual machine to encrypting a device’s files without being detected is an innovative approach.
VirtualBox and a Windows XP virtual machine are usually not considered malicious. So, most security software will not be concerned that it is readily writing to all the data on the computer. This attack is an illustration on how security software with behavioral monitoring is growing to be more important in deterring the tide of ransomware infections. Keeping in mind, this attack would only be detected by detection of unusual mass file writes.