Sophos

SophosLabs has published details of a new, sophisticated ransomware attack that is said to have run inside a Windows XP virtual machine.

The crooks behind the attack brought along a 280 MB Windows XP virtual machine to run it in (and a copy of Oracle VirtualBox to run that) to ensure their 49 kB Ragnar Locker ransomware ran undisturbed.

The assault was carried out by the gang behind Ragnar Locker, who break into corporate networks, make themselves administrators, perform validation, delete backups and manually deploy ransomware, before demanding ransoms of several million dollars.

Like other criminals carrying out similar ransomware attacks, the Ragnar Locker gang tries to escape detection while operating inside a victim's network by using a strategy dubbed “living off the land.”

Living off the land means using legitimate IT tools that either already exist on the network the crooks have broken into, or that do not look suspicious or out of place (PowerShell is a particular favorite).

SophosLabs notes that the gang used a Windows GPO (Group Policy Object) function in the attack to execute the Microsoft Installer, which downloaded an MSI containing many files, including a copy of VirtualBox and a virtual Windows XP computer with the Ragnar Locker executable inside it.

VirtualBox is hypervisor software that can run and administer one or more virtual guest computers inside a host. Guests are normally sealed off from the host, and processes running inside the guest cannot communicate with the host's operating system. This stops hostile software, such as malware, from targeting or taking over the host in what's known as a virtual machine escape.

However, the protections that separate guests from their host assume a hostile guest inside a friendly host, and that was not the case here, because both guest and host were controlled by the attackers.

In reality, the attackers set up the reverse of the usual situation: a friendly (to them) guest environment shielded from a hostile host.

From the attackers' viewpoint, the victim's network is a hostile environment. Living off the land is meant to let them operate as stealthily as possible, without triggering any alarms in the network's security software. They break cover once they start running malware, and are then at a much greater risk of detection.

Running their malware inside a virtual machine let them hide it from the prying eyes of the security software on the host. And since the attackers controlled the host, they could easily break down the wall between host and guest.

They did this by installing VirtualBox add-ons that let the guest share files with the host, and then making every local disk, removable drive and mapped network drive on the host available to the guest virtual machine. With those drives mounted inside the guest, the ransomware could encrypt the files on them from within the virtual machine's protective cocoon.
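The GPO-delivered installer and the host-drive sharing described above leave a footprint on the host that a defender can look for in process-creation telemetry. The following Python sketch is an added example, not code from Sophos or from the original article: it runs a few detection rules over constructed process-creation records whose field names are loosely modelled on Sysmon's ProcessCreate event (simplified). It assumes the MSI was fetched from a domain controller's SYSVOL share and that the drives were exposed to the guest with VBoxManage's `sharedfolder add` command; the host names, paths and the GPO GUID placeholder are made up.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Simplified process-creation record (constructed; loosely follows Sysmon Event ID 1)."""
    host: str
    parent_image: str
    image: str
    command_line: str


Finding = Tuple[str, str, str, str]  # (severity, rule, host, detail)

# An MSI pulled from a domain controller's SYSVOL share is the footprint of a
# GPO-driven install. On its own this is ordinary software deployment, so it
# only scores "low"; it matters when a hypervisor shows up on the same host.
SYSVOL_MSI = re.compile(r"\\\\[^\\\s]+\\sysvol\\\S+\.msi", re.IGNORECASE)
# A host path that is an entire drive (C:\) or an entire network share (\\srv\share).
DRIVE_OR_SHARE_ROOT = re.compile(r"^(?:[A-Za-z]:\\?|\\\\[^\\]+\\[^\\]+\\?)$")
HOSTPATH_ARG = re.compile(r'--hostpath\s+"?([^"\s]+)"?', re.IGNORECASE)
VM_LAUNCHERS = {"vboxheadless.exe", "virtualbox.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events: Iterable[ProcessEvent]) -> List[Finding]:
    """Apply the rules in order; a GPO MSI install raises the score of a later VM start on that host."""
    findings: List[Finding] = []
    gpo_msi_hosts: Set[str] = set()
    for ev in events:
        image, parent, cmd = _basename(ev.image), _basename(ev.parent_image), ev.command_line
        if image == "msiexec.exe" and SYSVOL_MSI.search(cmd):
            gpo_msi_hosts.add(ev.host)
            findings.append(("low", "gpo_msi_install", ev.host, cmd))
        elif image == "vboxmanage.exe" and re.search(r"\bsharedfolder\s+add\b", cmd, re.IGNORECASE):
            m = HOSTPATH_ARG.search(cmd)
            hostpath = m.group(1) if m else ""
            if DRIVE_OR_SHARE_ROOT.match(hostpath):
                # Whole drive or share handed to the guest: exactly what ransomware needs.
                findings.append(("high", "vbox_share_exposes_drive_root", ev.host, hostpath))
            else:
                findings.append(("medium", "vbox_shared_folder_added", ev.host, hostpath))
        elif image in VM_LAUNCHERS:
            staged = parent == "msiexec.exe" or ev.host in gpo_msi_hosts
            findings.append(("high" if staged else "medium", "vbox_guest_started", ev.host, cmd))
    return findings


def hosts_at_risk(findings: Iterable[Finding]) -> Set[str]:
    """Hosts carrying at least one high-severity finding."""
    return {host for sev, _, host, _ in findings if sev == "high"}


# Constructed sample telemetry (hypothetical hosts WS01 and DEV02; GUID is a placeholder).
SAMPLE_EVENTS = [
    # 1. GPO-delivered MSI run by the Windows Installer service
    ProcessEvent("WS01", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /i \\dc01\sysvol\corp.local\Policies\{GPO-GUID-PLACEHOLDER}\Machine\vbox-bundle.msi /qn"),
    # 2./3. The host's C: drive and a mapped finance share handed to the guest
    ProcessEvent("WS01", r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\VirtualBox\VBoxManage.exe",
                 r'VBoxManage.exe sharedfolder add "xp" --name "C_DRIVE" --hostpath "C:\" --automount'),
    ProcessEvent("WS01", r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\VirtualBox\VBoxManage.exe",
                 r'VBoxManage.exe sharedfolder add "xp" --name "FINANCE" --hostpath "\\fs01\finance" --automount'),
    # 4. Headless guest started by the installer itself
    ProcessEvent("WS01", r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\VirtualBox\VBoxHeadless.exe",
                 r"VBoxHeadless.exe --startvm xp"),
    # 5. A developer sharing one project folder interactively (worth a look, probably benign)
    ProcessEvent("DEV02", r"C:\Windows\explorer.exe", r"C:\Program Files\VirtualBox\VBoxManage.exe",
                 r'VBoxManage.exe sharedfolder add "ubuntu" --name "proj" --hostpath C:\Users\dev\proj'),
    # 6. Ordinary local MSI install, matches nothing
    ProcessEvent("DEV02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /i C:\Users\dev\Downloads\tool.msi"),
]

if __name__ == "__main__":
    for sev, rule, host, detail in analyse(SAMPLE_EVENTS):
        print(f"[{sev:6}] {host}: {rule} -> {detail}")
    print("hosts at risk:", sorted(hosts_at_risk(analyse(SAMPLE_EVENTS))))
```

The drive-root rule is the one that separates this attack from everyday VirtualBox use: sharing a single project directory is routine on a developer machine, whereas mapping `C:\` or a whole file share into a guest, especially one that a GPO-run installer just started, is the configuration the ransomware needs. In a real deployment the rules would be fed from an EDR or Sysmon pipeline rather than the constructed list above.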

For the technical details of this attack, read Mark Loman's in-depth article on Ragnar Locker over at Sophos' sister site.