
Ragnar Locker Ransomware Uses Virtual Machines for Evasion
2020-05-22 14:06

The Ragnar Locker ransomware has been deploying a full virtual machine to ensure that it can evade detection, Sophos reveals.

As part of a recently observed attack, the ransomware was executed inside an Oracle VirtualBox Windows XP virtual machine.

The package contained an old Oracle VirtualBox hypervisor, and a virtual disk image file - an image of a stripped-down version of Windows XP SP3 - that included a 49 KB Ragnar Locker ransomware executable.

An XML configuration file on the host machine is set up so that the ransomware can access the previously enumerated local disks and mapped network and removable drives directly from the guest VM. Because it runs inside the virtual guest machine, the ransomware's process and behavior are out of reach of security software on the host machine.
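One way a defender can check for this pattern is to inspect VirtualBox VM definitions for shared folders that hand a guest writable access to whole host drives or network shares. The following is an added example, not code from the article or from Sophos; it assumes the .vbox file layout (SharedFolder elements with hostPath and writable attributes under the virtualbox.org namespace) and runs over a constructed sample:

```python
"""Flag VirtualBox VM definitions that expose whole host drives to the guest."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a VirtualBox .vbox file (assumption:
# SharedFolder entries live under Machine/Hardware/SharedFolders).
SAMPLE_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.12-windows">
  <Machine name="sample-xp" OSType="WindowsXP">
    <Hardware>
      <SharedFolders>
        <SharedFolder name="c" hostPath="C:\\" writable="true" autoMount="true"/>
        <SharedFolder name="share" hostPath="\\\\fileserver\\finance" writable="true" autoMount="true"/>
        <SharedFolder name="tools" hostPath="C:\\Users\\bob\\tools" writable="false" autoMount="false"/>
      </SharedFolders>
    </Hardware>
  </Machine>
</VirtualBox>
"""

NS = {"vb": "http://www.virtualbox.org/"}
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")        # C: or C:\ (also mapped drives such as Z:\)
UNC_PATH = re.compile(r"^\\\\[^\\]+\\[^\\]+")   # \\server\share...


def risky_shared_folders(vbox_xml: str) -> list[dict]:
    """Return shared folders giving the guest writable access to an entire host drive or a network share."""
    root = ET.fromstring(vbox_xml)
    findings = []
    for sf in root.iterfind(".//vb:SharedFolder", NS):
        host_path = sf.get("hostPath", "")
        writable = sf.get("writable", "false").lower() == "true"
        reasons = []
        if DRIVE_ROOT.match(host_path):
            reasons.append("entire host drive exposed")
        if UNC_PATH.match(host_path):
            reasons.append("network share exposed")
        # A read-only mapping cannot be used to encrypt files in place, so only writable ones are reported.
        if reasons and writable:
            findings.append({"name": sf.get("name"), "hostPath": host_path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in risky_shared_folders(SAMPLE_VBOX):
        print(f"{f['name']}: {f['hostPath']} -> {', '.join(f['reasons'])}")
```

Run against the .vbox files found on endpoints, a hit on a host drive root or a network share in a VM that the organisation does not knowingly operate is worth an analyst's attention.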

"The Ragnar Locker adversaries are taking ransomware to a new level and thinking outside of the box. They are deploying a well-known trusted hypervisor to hundreds of endpoints simultaneously, together with a pre-installed and pre-configured virtual disk image guaranteed to run their ransomware. Like a ghost able to interact with the material world, their virtual machine is tailored per endpoint, so it can encrypt the local disks and mapped network drives on the physical machine, from within the virtual plane and out of the detection realm of most endpoint protection products," Mark Loman, director of engineering at Sophos, said in an emailed comment.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/_mt_rW7A89k/ragnar-locker-ransomware-uses-virtual-machines-evasion