Ragnar Locker ransomware uses a clever trick to dodge detection

Ransomware attacks have become fairly common in recent times. Now, researchers have discovered that hackers a new ransomware called Ragnar Locker to target victims. What makes this ransomware different from others is the fact that it uses virtual machines to dodge getting detected.

Cybersecurity firm SophosLabs has detected a new attack wherein the Ragnar Locker ransomware was deployed inside an Oracle VirtualBox XP virtual machine. The attack payload was a 122 MB installer with a 282 MB virtual image inside that was used to conceal a 49 kB ransomware executable file.

“...Like a ghost able to interact with the material world, their [hackers that deploy Ragnar Locker ransomware] virtual machine is tailored per endpoint, so it can encrypt the local disks and mapped network drives on the physical machine, from within the virtual plane and out of the detection realm of most endpoint protection products,” Mark Loman, director of engineering, Threat Mitigation at Sophos said in a statement.

Ragnar Locker works in a tricky way. SophosLabs says that “In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server.”

“In addition to the VirtualBox files, the MSI also deploys an executable (called va.exe), a batch file (named install.bat), and a few support files. After completing the installation, the MSI Installer executes va.exe, which in turn runs the install.bat batch script. The script's first task is to register and run the necessary VirtualBox application extensions VBoxC.dll and VBoxRT.dll, and the VirtualBox driver VboxDrv.sys,” the company added.

The script then goes on to disable the Windows AutoPlay notification functionality and delete the targeted PC's volume shadow copies, so victims cannot restore older unencrypted versions of their files. It then connects with all local disks, connected removable drives and mapped network drives on the physical machine so they can be configured to be accessed from within the virtual machine.

Once the environment is ready, the ransomware drops a note that contains the victim's name. “Hello XYZ! If you are reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED. Although your security measures already been BREACHED and your files were LOCKED, we was able to make a PENETRATION of your network AGAIN! by RAGNAR_LOCKER!,” the message reads.

“Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they're out of reach for security software on the physical host machine,” the company wrote.