Ragnar Locker's Evasion Tactic: Using Virtual Machines
A deep dive into how the ransomware deploys virtual machines to encrypt files while evading security software.
Ragnar Locker is deploying Windows XP virtual machines to encrypt a victim's files while evading detection from security software installed on the host. This ransomware, which first appeared at the end of December 2019, targets corporate networks in company-wide attacks. It is well known for its attack on energy giant Energias de Portugal (EDP), where the attackers demanded a $10.9 million ransom after claiming to have stolen 10 TB of unencrypted files.
Ragnar Locker has a history of using novel methods to evade detection when deploying its ransomware on a network.
The ransomware goes a step further by also terminating managed service providers' (MSP) utilities so they cannot detect and stop an attack, a tactic that complements the common practice of killing security programs before encryption begins.
Using Virtual Machines to Evade Detection
According to a recent report by Sophos, the operators of Ragnar Locker are using another novel method to avoid detection while encrypting files. They deploy VirtualBox Windows XP virtual machines to execute the ransomware and encrypt files, thereby avoiding detection by security software running on the host.
This attack is initialized by first creating a tool folder that includes VirtualBox, a mini Windows XP virtual disk called micro.vdi, and various executables and scripts in order to prep the system.
VirtualBox has a feature that allows the host operating system to share folders and drives as a network share inside a virtual machine. This allows the virtual machine to mount the shared path as a network drive from the \\VBOXSVR virtual computer and gain full access to it.
An install.bat batch file then scans for local drives and mapped network drives on the host and builds a configuration file that automatically shares them with the virtual machine.
When it finishes, the script has created an sf.txt file containing VirtualBox configuration settings that share every drive on the computer with the virtual machine.
The attackers then launch the Windows XP virtual machine with the created configuration file, using the SharedFolder directives created by their batch file. After this, all of these shared drives become accessible from within the virtual machine, and the Ragnar Locker ransomware executable will automatically be present in the root of the C:\ drive.
A vrun.bat file placed in the virtual machine's Startup folder launches as soon as the guest boots. It mounts each shared drive, encrypts it, and then proceeds to the next drive shared with the virtual machine.
Because the security software running on the victim's host is not designed to inspect the ransomware executable or its activity inside the virtual machine, the ransomware runs unhindered while the victim's files are encrypted.
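The attack above hinges on a VirtualBox machine definition that maps whole host drives and network shares into the guest as writable shared folders. The script below is an added defensive example, not part of this article or of any Sophos or Ragnar Locker material: it audits a VirtualBox .vbox machine file and flags writable shares whose host path is a drive root or a UNC path. The sample .vbox content is constructed for the example, and the assumption that shared folders appear as SharedFolder elements with name, hostPath, writable and autoMount attributes reflects the .vbox layout as the author understands it rather than anything stated on this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a VirtualBox machine definition (.vbox files are XML).
# The SharedFolder entries are made up; the element/attribute names follow the
# .vbox layout as assumed for this example (SharedFolder name/hostPath/writable/autoMount).
SAMPLE_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-windows">
  <Machine uuid="{00000000-0000-0000-0000-000000000000}" name="micro">
    <Hardware>
      <SharedFolders>
        <SharedFolder name="C_DRIVE" hostPath="C:\\" writable="true" autoMount="true"/>
        <SharedFolder name="D_DRIVE" hostPath="D:\\" writable="true" autoMount="true"/>
        <SharedFolder name="FILESRV" hostPath="\\\\fileserver\\finance" writable="true" autoMount="true"/>
        <SharedFolder name="scratch" hostPath="C:\\Users\\dev\\vmshare" writable="true" autoMount="false"/>
        <SharedFolder name="isos" hostPath="E:\\" writable="false" autoMount="true"/>
      </SharedFolders>
    </Hardware>
  </Machine>
</VirtualBox>
"""

# A bare drive letter, optionally followed by a backslash: the whole volume is shared.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
# A UNC path (\\server\share...): a network share is exposed to the guest.
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def shared_folders(vbox_xml):
    """Parse every SharedFolder element in a .vbox document into a dict."""
    root = ET.fromstring(vbox_xml)
    shares = []
    for el in root.iter():
        if _local(el.tag) == "SharedFolder":
            shares.append({
                "name": el.get("name", ""),
                "host_path": el.get("hostPath", ""),
                "writable": el.get("writable", "false").lower() == "true",
                "auto_mount": el.get("autoMount", "false").lower() == "true",
            })
    return shares


def classify(share):
    """Label a share by how much of the host it exposes."""
    path = share["host_path"]
    if DRIVE_ROOT.match(path):
        return "drive-root"
    if UNC_PATH.match(path):
        return "unc-share"
    return "subfolder"


def risky_shares(vbox_xml):
    """Writable shares that hand the guest a whole host drive or a network share.

    Returns a list of (name, host_path, kind, auto_mount) tuples; read-only
    shares and ordinary sub-folders are left out.
    """
    findings = []
    for share in shared_folders(vbox_xml):
        kind = classify(share)
        if share["writable"] and kind != "subfolder":
            findings.append((share["name"], share["host_path"], kind, share["auto_mount"]))
    return findings


def assess(vbox_xml, threshold=2):
    """True when the VM definition looks like a whole-host mapping rather than
    a single scratch share (threshold = number of risky shares to tolerate)."""
    return len(risky_shares(vbox_xml)) >= threshold


if __name__ == "__main__":
    for name, path, kind, auto in risky_shares(SAMPLE_VBOX):
        print(f"{name:10} {path:28} {kind:10} automount={auto}")
    print("suspicious:", assess(SAMPLE_VBOX))
```

Run against real machine files (VirtualBox stores them under the VM folder as <name>.vbox), the check flags the C_DRIVE, D_DRIVE and FILESRV shares in the sample while ignoring the read-only ISO share and the developer's scratch folder; a fleet-wide sweep for .vbox files with several writable drive-root shares is a cheap way to surface VMs that were never provisioned by IT.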
It should be noted that if the victim had been running Windows 10's Controlled Folder Access anti-ransomware feature, it is possible they would have been protected from an attack like this, as the operating system would have blocked unauthorized writes to the protected folders.
After encryption, the victim will find a custom ransom note on their computer explaining that their company has been breached and their files encrypted. The use of a virtual machine for encrypting a device's files without being detected is an innovative approach.
VirtualBox and a Windows XP virtual machine are usually not considered malicious. Therefore, most security software will not object when the VirtualBox process writes to all of the data on the computer. This attack illustrates how security software with behavioral monitoring is becoming more important in stemming the tide of ransomware infections. An attack like this would likely only be detected by noticing unusual mass file writes.
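The article's closing point is that the host only sees a trusted hypervisor process rewriting files, so the remaining signal is volume and speed. The script below is an added example, not part of this article or of any Sophos material: it runs a per-process sliding-window counter over file-system events and raises an alert when one process exceeds a threshold of write or rename operations within a few seconds, then rates the alert higher when the writer is a hypervisor binary acting on a guest's behalf. The event stream is constructed for the example; the process names used for the hypervisor list are ones the author believes ship with VirtualBox, and the threshold and window values are assumptions to be tuned per environment.

```python
from collections import defaultdict, deque

# Process names assumed (for this example) to be VirtualBox host-side binaries
# that perform guest I/O; adjust for the hypervisors present in your estate.
HYPERVISOR_PROCESSES = {"VBoxHeadless.exe", "VirtualBox.exe", "VirtualBoxVM.exe"}


def build_sample_events():
    """Constructed file-system events as (time_s, process, operation, path).

    Mixes a user saving a few documents, a backup tool touching many files
    slowly, and a hypervisor process rewriting and renaming dozens of files
    within seconds, which is the pattern the article says stands out.
    """
    events = []
    for i in range(3):
        events.append((10.0 + 60 * i, "WINWORD.EXE", "write",
                       f"C:\\Users\\alice\\doc{i}.docx"))
    for i in range(30):
        events.append((5.0 + 10 * i, "backup.exe", "write",
                       f"D:\\backup\\file{i}.bak"))
    for i in range(60):
        t = 100.0 + i * 0.1
        events.append((t, "VBoxHeadless.exe", "write",
                       f"C:\\Users\\alice\\Documents\\report{i}.xlsx"))
        events.append((t + 0.05, "VBoxHeadless.exe", "rename",
                       f"C:\\Users\\alice\\Documents\\report{i}.xlsx.locked"))
    return sorted(events, key=lambda e: e[0])


def detect_mass_writes(events, window_s=10.0, threshold=50):
    """Return {process: (window_start, count)} for every process that reaches
    `threshold` write/rename events inside any `window_s`-second window.

    Events must be sorted by time. A deque per process keeps only timestamps
    inside the current window, so memory stays bounded by the burst size.
    """
    recent = defaultdict(deque)
    alerts = {}
    for t, proc, op, _path in events:
        if op not in ("write", "rename"):
            continue
        window = recent[proc]
        window.append(t)
        while window and t - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold and proc not in alerts:
            alerts[proc] = (window[0], len(window))
    return alerts


def triage(alerts):
    """Rate each alert: a hypervisor process writing at ransomware pace means
    the activity originates inside a guest the host's scanner cannot see."""
    return {proc: ("high" if proc in HYPERVISOR_PROCESSES else "medium")
            for proc in alerts}


if __name__ == "__main__":
    found = detect_mass_writes(build_sample_events())
    ratings = triage(found)
    for proc, (start, count) in found.items():
        print(f"{proc}: {count} writes/renames from t={start:.1f}s "
              f"severity={ratings[proc]}")
```

On the sample stream only VBoxHeadless.exe trips the detector: the backup tool writes thirty files but never more than two inside any ten-second window, and the Word saves are far too few. In production the events would come from Sysmon, an EDR agent or a minifilter, and the hypervisor match is the cue to pivot into the VM's shared-folder configuration rather than trust the host-side process name.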