Ragnar Locker ransomware attack hides inside virtual machine

Threat actors have designed a new style of ransomware attack that takes advantage of virtual machines, Sophos revealed Thursday in a blog post.

Sophos researchers recently detected a Ragnar Locker ransomware attack that "takes defense evasion to a new level." According to the post, the ransomware variant was deployed inside a Windows XP virtual machine in order to conceal the malicious code from antimalware detection. The virtual machine runs on an outdated version of Sun xVM VirtualBox, a free, open source hypervisor that Oracle acquired when it bought Sun Microsystems in 2010.

"In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server," Mark Loman, Sophos' director of engineering for threat mitigation, wrote in the post.

The MSI package contained Sun xVM VirtualBox version 3.0.4, which was released in August 2009, and "an image of a stripped-down version of the Windows XP SP3 operating system, called MicroXP v0.82." Inside that image is a 49 KB Ragnar Locker executable file.

"Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they are out of reach for security software on the physical host machine," Loman wrote.
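The host-side security software cannot see inside the guest, so detection has to key on what the host does see: the delivery chain described above (msiexec.exe fetching and silently installing a package from a remote web server, then a hypervisor binary appearing where none was installed before). The following is an added illustration of that idea, not code from Sophos or from the article. It runs three heuristic rules over a handful of constructed, Sysmon-style process-creation lines; the VirtualBox executable names are real, but the "standard install directory" list, the field layout and every event value are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events in a simplified Sysmon-like
# key=value layout. These are made-up lines for illustration, not telemetry
# from the incident the article describes.
SAMPLE_EVENTS = [
    'Pid=4012 Ppid=812 Image="C:\\Windows\\System32\\msiexec.exe" '
    'CommandLine="msiexec.exe /i http://203.0.113.10/pkg/update.msi /q"',
    'Pid=4150 Ppid=4012 Image="C:\\Users\\Public\\vm\\VBoxHeadless.exe" '
    'CommandLine="VBoxHeadless.exe --startvm guest1"',
    'Pid=5200 Ppid=900 Image="C:\\Program Files\\Oracle\\VirtualBox\\VirtualBox.exe" '
    'CommandLine="VirtualBox.exe"',
    'Pid=5300 Ppid=700 Image="C:\\Windows\\System32\\msiexec.exe" '
    'CommandLine="msiexec.exe /i C:\\Temp\\tool.msi /qn"',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Real VirtualBox executable names; treating them as "hypervisor binaries"
# is this example's assumption, not a list taken from the article.
VBOX_BINARIES = {"vboxheadless.exe", "vboxmanage.exe", "virtualbox.exe", "vboxsvc.exe"}
# Where a legitimately installed VirtualBox would normally live (assumption).
STANDARD_DIRS = ("c:\\program files\\oracle\\virtualbox\\",)
QUIET_SWITCHES = re.compile(r"(?i)(?:^|\s)/(?:q|qn|qb|quiet)(?:\s|$)")
REMOTE_URL = re.compile(r"(?i)https?://\S+")


def parse_event(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    ev = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        ev[key] = quoted if raw.startswith('"') else raw
    ev["Pid"] = int(ev["Pid"])
    ev["Ppid"] = int(ev["Ppid"])
    return ev


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_remote_silent_msi(ev):
    """Rule A: msiexec.exe installing quietly straight from an http(s) URL."""
    cmd = ev.get("CommandLine", "")
    return (basename(ev["Image"]) == "msiexec.exe"
            and REMOTE_URL.search(cmd) is not None
            and QUIET_SWITCHES.search(cmd) is not None)


def is_hypervisor_unusual_path(ev):
    """Rule B: a VirtualBox binary running from outside its normal install dir."""
    image = ev["Image"].lower()
    return (basename(image) in VBOX_BINARIES
            and not image.startswith(STANDARD_DIRS))


def detect(lines):
    """Return {pid: set(rule names)} for every event that trips a rule.

    Rules A and B are evaluated per event; rule C walks the parent chain so a
    hypervisor process is tied back to the remote MSI install that spawned it.
    """
    events = [parse_event(line) for line in lines]
    by_pid = {ev["Pid"]: ev for ev in events}
    hits = defaultdict(set)
    for ev in events:
        if is_remote_silent_msi(ev):
            hits[ev["Pid"]].add("remote_silent_msi")
        if is_hypervisor_unusual_path(ev):
            hits[ev["Pid"]].add("hypervisor_unusual_path")
    for ev in events:
        if basename(ev["Image"]) not in VBOX_BINARIES:
            continue
        # Walk ancestors; stop at the root or on a cycle in malformed data.
        seen, parent = set(), by_pid.get(ev["Ppid"])
        while parent is not None and parent["Pid"] not in seen:
            seen.add(parent["Pid"])
            if "remote_silent_msi" in hits.get(parent["Pid"], ()):
                hits[ev["Pid"]].add("hypervisor_from_remote_msi")
                break
            parent = by_pid.get(parent["Ppid"])
    return dict(hits)


if __name__ == "__main__":
    for pid, rules in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, sorted(rules))
```

On the sample data the silent remote install (pid 4012) and the VBoxHeadless process it spawned from a user-writable directory (pid 4150) are flagged, while the VirtualBox instance under Program Files and the local MSI install are not. Rule C is the one that matters operationally: either of the first two signals can be noisy on its own, but a hypervisor whose ancestor is a web-sourced silent MSI install is the shape of the chain Sophos describes.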

This was the first time Sophos has seen virtual machines used for ransomware attacks, Loman said.

It is unclear how many companies were affected by this latest attack and how widespread it was. Sophos was unavailable for comment at press time. In the past, the Ragnar Locker ransomware group has targeted managed service providers and used their remote access to clients to infect more companies.

In other Sophos news, the company published an update Thursday regarding the attacks on Sophos XG Firewalls. Threat actors used a custom Trojan Sophos calls "Asnarök" to exploit a zero-day SQL vulnerability in the firewalls, which the vendor quickly patched via a hotfix. Sophos researchers said the Asnarök attackers tried to bypass the hotfix and deploy ransomware in customer environments. However, Sophos said it took other steps to mitigate the threat beyond the hotfix, which prevented the modified attacks.