The Ragnar Locker ransomware has been deploying a full virtual machine to ensure that it can evade detection, Sophos reveals.
The cybercriminals behind Ragnar Locker use various exploits or target Remote Desktop Protocol (RDP) connections to compromise networks, and also steal data from targeted networks prior to deploying the ransomware, to entice victims to pay the ransom.
As part of a recently observed attack, the ransomware was executed inside an Oracle VirtualBox Windows XP virtual machine. For that, the attackers used a Windows Group Policy Object (GPO) task to execute msiexec.exe and fetch and silently install a 122 MB MSI package.
The package contained an old Oracle VirtualBox hypervisor (Sun xVM VirtualBox version 3.0.4 from August 5, 2009), and a virtual disk image file (VDI) – an image of a stripped-down version of Windows XP SP3 – that included a 49 KB Ragnar Locker ransomware executable.
The MSI also deploys an executable, a batch file, and a few support files. The batch script registers and runs VirtualBox application extensions VBoxC.dll and VBoxRT.dll, along with the VirtualBox driver VboxDrv.sys.
Next, the script stops the Windows Shell Hardware Detection service, to disable the AutoPlay notification functionality, and deletes the computer’s volume shadow copies, after which it enumerates all local disks, connected removable drives, and mapped network drives.
The batch file also goes through a list of 50 processes (mainly line-of-business applications, database, remote management and backup applications) and terminates them, to ensure that files associated with them are unlocked and available for encryption.
The list of targeted processes is stored in a text file and is accompanied by a list (also stored in a text file) of service names tailored to the victim organization’s network environment. Next, the script starts the virtual machine, with the ransomware running in it as vrun.exe.
The VM runs with 256 MB of RAM, one CPU, a single 299 MB HDD file micro.vdi, and an Intel PRO/1000 network adapter attached to NAT. The ransomware running inside it is “compiled exclusively per victim, as the ransom note it drops contains the victim’s name,” Sophos explains.
The script also mounts the shared drives configured in micro.xml on the host machine, so that the ransomware can access the previously enumerated local disks and mapped network and removable drives, directly from the guest VM.
Running inside the virtual guest machine, the ransomware’s process and behavior are out of reach for security software on the host machine. Basically, the data on disks and drives on the physical machine are attacked by VboxHeadless.exe, the VirtualBox virtualization software, Sophos notes.
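Because the encryption itself happens inside the guest, host-based detection has to key on the setup steps the article describes rather than on the ransomware binary. The following is an added example, not code from Sophos or from the article: a small correlation routine that runs a handful of rules over constructed process-creation log lines and flags a host only when several of the staging steps (silent MSI install from a network share, registration of VBoxC.dll/VBoxRT.dll, stopping the Shell Hardware Detection service, shadow copy deletion, a headless VirtualBox start) appear together. The log format, host names, file paths and the alert threshold are assumptions; the use of vssadmin for shadow copy deletion is an assumption too, since the article only says the copies are deleted. ShellHWDetection is the real Windows service name behind "Shell Hardware Detection".

```python
import re
from collections import defaultdict

# Constructed sample of process-creation events (not real telemetry).
# Format per line: <host>|<parent image>|<image>|<command line>
SAMPLE_LOG = """\
WS01|svchost.exe|msiexec.exe|msiexec.exe /i \\\\dc01\\netlogon\\update.msi /quiet /qn
WS01|cmd.exe|regsvr32.exe|regsvr32.exe /s C:\\Program Files\\VirtualAppliances\\VBoxC.dll
WS01|cmd.exe|sc.exe|sc stop ShellHWDetection
WS01|cmd.exe|vssadmin.exe|vssadmin delete shadows /all /quiet
WS01|cmd.exe|VBoxHeadless.exe|VBoxHeadless.exe --startvm micro --vrde off
WS02|explorer.exe|msiexec.exe|msiexec.exe /i C:\\Users\\bob\\Downloads\\7zip.msi
WS02|explorer.exe|notepad.exe|notepad.exe C:\\notes.txt
"""

# Detection rules as (name, predicate over a parsed event). Image names are
# compared lower-cased; command lines are matched case-insensitively.
RULES = [
    # Silent MSI install (/quiet or /qn) pulled from a UNC path, as a GPO task would do.
    ("silent_msi_install_from_share",
     lambda e: e["image"] == "msiexec.exe"
     and bool(re.search(r"/(quiet|qn)\b", e["cmdline"], re.I))
     and bool(re.search(r"\\\\[^\\]+\\", e["cmdline"]))),
    # regsvr32 registering the VirtualBox COM/runtime DLLs named in the article.
    ("virtualbox_com_dll_registered",
     lambda e: e["image"] == "regsvr32.exe"
     and bool(re.search(r"vboxc\.dll|vboxrt\.dll", e["cmdline"], re.I))),
    # Shell Hardware Detection service stopped via sc or net.
    ("shell_hw_detection_stopped",
     lambda e: e["image"] in ("sc.exe", "net.exe")
     and bool(re.search(r"\bstop\s+ShellHWDetection\b", e["cmdline"], re.I))),
    # Volume shadow copy deletion (assumed to be done with vssadmin).
    ("shadow_copies_deleted",
     lambda e: e["image"] == "vssadmin.exe"
     and bool(re.search(r"delete\s+shadows", e["cmdline"], re.I))),
    # Headless VirtualBox guest started; this is the process that touches the host disks.
    ("headless_vm_started",
     lambda e: e["image"] == "vboxheadless.exe"),
]


def parse_line(line):
    """Split one constructed log line into an event dict."""
    host, parent, image, cmdline = line.split("|", 3)
    return {"host": host, "parent": parent.lower(),
            "image": image.lower(), "cmdline": cmdline}


def evaluate_rules(event):
    """Return the names of every rule the event satisfies."""
    return [name for name, pred in RULES if pred(event)]


def correlate(log_text, threshold=3):
    """Group rule hits per host and return hosts with at least `threshold`
    distinct staging steps observed (threshold is an assumed tuning value)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for name in evaluate_rules(event):
            hits[event["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()
            if len(names) >= threshold}


if __name__ == "__main__":
    for host, steps in correlate(SAMPLE_LOG).items():
        print(f"{host}: {len(steps)} staging steps observed -> {', '.join(steps)}")
```

Any single rule here would be noisy on its own (administrators install MSIs silently and delete shadow copies for legitimate reasons); the value is in requiring several of the steps on one host within the same window, which is what the article's sequence looks like from the host's point of view.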
“The Ragnar Locker adversaries are taking ransomware to a new level and thinking outside of the box. They are deploying a well-known trusted hypervisor to hundreds of endpoints simultaneously, together with a pre-installed and pre-configured virtual disk image guaranteed to run their ransomware. Like a ghost able to interact with the material world, their virtual machine is tailored per endpoint, so it can encrypt the local disks and mapped network drives on the physical machine, from within the virtual plane and out of the detection realm of most endpoint protection products,” Mark Loman, director of engineering at Sophos, said in an emailed comment.