Virtual machines hide ransomware until the encryption process is done
Security News, June 2021
The use of virtual machines to run the malicious payload is getting more popular with ransomware attackers, Symantec's Threat Hunter Team claims.
"During a recent investigation into an attempted ransomware attack, Symantec discovered that the attackers had installed a VirtualBox VM on some compromised computers. Unlike the previously documented RagnarLocker attacks, which involved Windows XP, the VM in this case appeared to be running Windows 7," they shared.
Dick O'Brien, Principal Editor, Symantec Threat Hunter Team, told Help Net Security that the VM was delivered via a malicious installer pre-staged during the reconnaissance and lateral movement phases of the attacks, but that they don't know how the initial intrusion was performed.
Though the researchers could not pinpoint whether the actual payload in the VM was the Mount Locker or the Conti ransomware (the former was found on the endpoint, but a username and password combination used in these attacks had previously been associated with Conti activity), they believe it was located on the VM's disk and auto-started once the operating system was fully booted.
"One possible explanation is that the attacker is an affiliate operator with access to both Conti and Mount Locker. They may have attempted to run a payload on a virtual machine and, when that didn't work, opted to run Mount Locker on the host computer instead," they explained.
Obstructing unauthorized VMs
Most attackers and ransomware operators love to exploit legitimate, dual-use tools to facilitate their operations while keeping them hidden as long as possible.
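One defensive check that follows from the technique described above, as an added example (not Symantec's or Help Net Security's code): scan endpoint process-creation events for VirtualBox installers or executables launched on hosts that are not approved to run a hypervisor. The event format is a constructed, simplified JSON-lines form loosely modelled on Sysmon process-creation records, and the installer name pattern is an assumption based on the upstream VirtualBox-<version>-Win.exe naming scheme.

```python
"""Flag VirtualBox activity on endpoints not approved to run a hypervisor."""
import json
import re

# Well-known VirtualBox binaries on Windows; matching is on the file name only.
VBOX_IMAGES = {"virtualbox.exe", "vboxheadless.exe", "vboxsvc.exe", "vboxmanage.exe"}
# Assumed installer naming scheme (VirtualBox-<version>-Win.exe).
VBOX_INSTALLER = re.compile(r"^virtualbox-[\d.]+-win\.exe$", re.IGNORECASE)


def classify(event, allowed_hosts):
    """Return 'vm_install', 'vm_launch' or None for one event dict."""
    if event["host"].lower() in allowed_hosts:
        return None  # host is permitted to run VirtualBox (e.g. a developer workstation)
    image = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if VBOX_INSTALLER.match(image):
        return "vm_install"  # a pre-staged hypervisor installer being run
    if image in VBOX_IMAGES:
        return "vm_launch"  # a VM (or the VBox service) started on an unexpected host
    return None


def scan(lines, allowed_hosts):
    """Scan JSON-lines process events; return (host, verdict, image) findings."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line in lines:
        event = json.loads(line)
        verdict = classify(event, allowed)
        if verdict:
            findings.append((event["host"], verdict, event["image"]))
    return findings


# Constructed sample events: a file server where an installer is run and a VM
# is then started headless, a permitted developer host, and a benign process.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"host": "FILESRV01", "image": "C:\\Users\\Public\\VirtualBox-6.1.0-Win.exe",
     "cmdline": "VirtualBox-6.1.0-Win.exe --silent"},
    {"host": "FILESRV01", "image": "C:\\Program Files\\Oracle\\VirtualBox\\VBoxHeadless.exe",
     "cmdline": "VBoxHeadless.exe --startvm win7"},
    {"host": "DEV-WS07", "image": "C:\\Program Files\\Oracle\\VirtualBox\\VirtualBox.exe",
     "cmdline": "VirtualBox.exe"},
    {"host": "FILESRV01", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, ["DEV-WS07"]):
        print(finding)
```

In practice the allow-list would come from asset inventory, and a `vm_install` followed by a `vm_launch` on a server-class host is the sequence worth paging on.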
News URL: http://feedproxy.google.com/~r/HelpNetSecurity/~3/Go9MeEAhTG4/