Security News

Security expert weighs in on cybersecurity regulation and ransomware attacks of US cities
2020-05-26 20:00

Bryson Bort, founder and CEO of cybersecurity company SCYTHE, fears "death by a thousand paper cuts" more than a digital apocalypse. He also shares his views on how well cyber-deterrence works.

The ransomware that attacks you from inside a virtual machine
2020-05-22 16:07

To ensure their 49 kB Ragnar Locker ransomware ran undisturbed, the crooks behind the attack brought along a 280 MB Windows XP virtual machine to run it in. VirtualBox is hypervisor software that can run and administer one or more virtual guest computers inside a host computer.

Forget BYOD, this is BYOVM: Ransomware tries to evade antivirus by hiding in a virtual machine on infected systems
2020-05-22 16:00

With antivirus tools increasingly wise to common infection tricks, one group of extortionists has taken the unusual step of stashing their ransomware inside its own virtual machine. According to Vikas Singh, Gabor Szappanos, and Mark Loman at Sophos, criminals have slotted the file-scrambling Ragnar Locker nasty into a virtual machine running a variant of Windows XP, called MicroXP. Then, once the crooks have infiltrated a victim's network and gained administrative access - typically via a weak RDP box or through a compromised managed services provider - they download the VM, along with Oracle's VirtualBox hypervisor to run it, on each machine they can get into.

Ragnar Locker Ransomware Uses Virtual Machines for Evasion
2020-05-22 14:06

The Ragnar Locker ransomware has been deploying a full virtual machine to ensure that it can evade detection, Sophos reveals. As part of a recently observed attack, the ransomware was executed inside an Oracle VirtualBox Windows XP virtual machine.

Hackers Attempted to Deploy Ransomware in Attacks Targeting Sophos Firewalls
2020-05-22 12:14

Malicious actors targeting a zero-day vulnerability in Sophos XG Firewall appliances last month attempted to deploy ransomware after Sophos started taking measures to neutralize the attack. One of the files deployed by the attackers would act as a "Dead man switch," to launch a ransomware attack when a specific file would be deleted on unpatched firewalls during a reboot or power-cycle, the security company reveals.

NetWalker Ransomware Gang Hunts for Top-Notch Affiliates
2020-05-20 17:37

The NetWalker ransomware - the scourge behind one of the recent Toll Group attacks - has transitioned to a ransomware-as-a-service model, and its operators are placing a heavy emphasis on targeting and attracting technically advanced affiliates, according to researchers. "NetWalker now claims a singular preference for network infiltration, which is novel to the Russian-speaking ransomware community," explained the researchers, who added that in the advertisements on underground forums for the RaaS offering, the NetWalker group explicitly says that it prefers affiliates "Who prioritize quality, not quantity" and stating that they have an interest "Only in experienced, Russian-speaking network intruders - not spammers - with a preference for immediate, consistent work."

Ransomware has gone nuclear: To avoid any fallout yourself, tune in online this month to hear from KnowBe4
2020-05-20 16:00

We've been hearing about ransomware for years now. In the past few months, ransomware has gone nuclear.

Ransomware Gang Arrested for Spreading Locky to Hospitals
2020-05-18 21:20

A cybercriminal gang have been arrested for spreading the Locky ransomware among hospitals, among other crimes. These attacks were directed against several public institutions both in Bucharest and elsewhere, and more were planned.