Ragnar Locker Ransomware Deploys Virtual Machine to Evade Security Software

A new tactic is being used by the threat actors behind Ragnar Locker ransomware that allows them to evade security measures on the host machine and ensure their ransomware payload is executed.

Ragnar Locker ransomware was first detected in 2019 and has been used in several high profile attacks, including the attack on the Portuguese energy company, Energias de Portugal where they demanded payment of $10.9 million for the keys to decrypt files.

Researchers at Sophos identified an attack in which Ragnar Locker ransomware was executed within a virtual machine installed as part of the attack. When the ransomware is executed within the virtual machine, it is beyond the reach of security solutions installed on the host machine, thus ensuring the encryption process and other malicious actions are not detected.

In this attack, an Oracle VirtualBox Windows XP virtual machine was set up using a Windows Group Policy Object (GPO) task which runs a msiexec.exe file. That file downloads and silently installs a MSI package containing an Oracle VirtualBox hypervisor, a virtual disk image of mini Windows XP SP3 virtual disk, the ransomware binary, a batch script, and various other files. Sophos says the ransomware executable is compiled exclusively for each victim and the ransom note that is dropped is personalized with the victim’s name.

The batch script runs the VirtualBox application extensions VBoxC.dll and VBoxRT.dll and the driver, VboxDrv.sys. Then the Windows Shell Hardware Detection service is stopped, to ensure an autorun alert is not generated, and Windows shadow volume copies are then deleted. Disks are enumerated along with all mapped and connected removable drives and backup applications, remote management tools, and other applications are terminated to ensure the files used by those tools and applications are encrypted when the ransomware binary is executed.

The virtual machine is then started and the ransomware executable – vrun.exe – is launched. Files are attacked through VboxHeadless.exe of the virtualization software, which is not considered malicious by security software.  These tactics ensure that the ransomware is run and is not detected by most security solutions.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news