According to a study carried out by Cybersecurity firm Sophos, those distributing RagnarLocker ransomware are seen installing virtual machines inside infected systems to avoid being detected by local antivirus software.
Technically speaking, it’s being done through Oracle Virtual Box App running inside a virtual machine loaded with Windows XP Operating System.
In general, RagnarLocker is seen victimizing large scale organizations and corporate networks as it sees them as sure-shot targets to mint hefty sums of money in the form of ransom. Often the hacker’s group is seen exploiting web exposed RDP endpoints and has successfully managed to compromise Managed Service Provider (MSPs) which in-turn gives them access to inside networks of companies to deploy a customized version of ransomware.
As most of the corporate networks have anti-malware solutions installed in them, the threat group has now come up with a novel idea of remaining undetected by antivirus software during and after installation of the file-encrypting malware. The first target a PC with a 122MB Oracle VirtualBox software that offers installation proceedings of virtual machines and then customizes a VM to have access to the local and shared disk drives allowing the VM to access the files stored on the PC.
After the process a boot-up of a virtual machine is performed using a Windows XP SP3 Operating System named MicroXP v0.82. And finally a 49KB executable ransomware payload is loaded to operate inside the 282MB Virtual Image which blocks it from being detected by the antivirus software.
As all the file modifications witnessed thereafter are carried out by a legitimate process taken up by the VirtualBox App, the anti-malware solution doesn’t treat these changes as a cyber threat and thus allowing those spreading RagnarLocker to reach their objectives.