Forget BYOD, this is BYOVM: Ransomware tries to evade antivirus by hiding in a virtual machine on infected systems
2020-05-22 16:00

With antivirus tools increasingly wise to common infection tricks, one group of extortionists has taken the unusual step of stashing their ransomware inside its own virtual machine.

According to Vikas Singh, Gabor Szappanos, and Mark Loman at Sophos, criminals have slotted the file-scrambling Ragnar Locker nasty into a virtual machine running a cut-down variant of Windows XP called MicroXP. Then, once the crooks have infiltrated a victim's network and gained administrative access - typically via a weak RDP box or through a compromised managed services provider - they deploy the VM, along with Oracle's VirtualBox hypervisor to run it, onto each machine they can get into.

Next, the host system is configured so that the ransomware in the virtual machine can access any connected storage drives, whether plugged in or mapped over the network.

The point, it is assumed, is to evade antivirus suites and other security mechanisms by hiding the malicious code inside a small virtual machine (a single vCPU and 256MB of RAM), although Sophos said the infection was detected, so the trick is not completely foolproof.

The researchers added: "Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they're out of reach for security software on the physical host machine. The data on disks and drives accessible on the physical machine are attacked by the 'legitimate' VboxHeadless.exe process, the VirtualBox virtualization software."


News URL
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/05/22/byovm_ransomware_in_virtualbox/