A new ransomware attack method takes defence evasion to a new level, deploying as a full virtual machine on each targeted device to hide the ransomware from view. In a recently detected attack, Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine.The attack payload was a 122 MB installer with a 282 MB virtual image inside, all to conceal a 49 kB ransomware executable.
The adversaries behind Ragnar Locker have been known to steal data from targeted networks prior to launching ransomware, to encourage victims to pay. In April, the actors behind Ragnar Locker attacked the network of Energias de Portugal and claimed to have stolen 10 terabytes of sensitive company data, demanding a payment of 1,580 Bitcoin and threatening to release the data if the ransom was not paid.
In past attacks, the Ragnar Locker group has used exploits of managed service providers or attacks on Windows Remote Desktop Protocol connections to gain a foothold on targeted networks. After gaining administrator-level access to the domain of a target and exfiltration of data, they have used native Windows administrative tools such as Powershell and Windows Group Policy Objects to move laterally across the network to Windows clients and servers.
In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer, passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server. The primary contents of the MSI package were:
- A working installation of an old Oracle VirtualBox hypervisor, Sun xVM VirtualBox version 3.0.4 from August 5, 2009.
- A virtual disk image filenamed micro.vdi, an image of a stripped-down version of the Windows XP SP3 operating system, called MicroXP v0.82. The image includes the 49 kB Ragnar Locker ransomware executable.