Ransomware group deploys virtual machines to hide from antivirus software


In order to avoid detection by antivirus software, the operators of the RagnarLocker ransomware have begun installing Oracle's VirtualBox and running virtual machines on the computers they infect before deploying their ransomware.

The UK-based cybersecurity firm Sophos first spotted the technique, and it shows how far cybercriminals are willing to go to keep their ransomware from being detected by a victim's antivirus or other security software.

According to Sophos, the group behind RagnarLocker has been known to steal data from targeted networks before launching a ransomware attack in order to encourage victims to pay. Last month, they attacked the network of Energias de Portugal (EDP), claimed to have stolen 10TB of sensitive company data and demanded a ransom of $11m while threatening to release the data if the ransom was not paid.

In past attacks, the RagnarLocker group has compromised managed service providers (MSPs) or attacked exposed Windows Remote Desktop Protocol (RDP) connections to establish a foothold on targeted networks. After gaining admin-level access, the group uses native Windows administrative tools such as PowerShell and Windows Group Policy Objects (GPOs) to move laterally across the network and launch attacks on other Windows clients and servers.

Deploying virtual machines

In its latest attack, the RagnarLocker group opted not to run its ransomware directly on the computers it wanted to encrypt and instead downloaded and installed Oracle VirtualBox to run virtual machines. These virtual machines are configured with VirtualBox shared folders that give the guest full access to all of the host's local and mapped network drives, so the virtual machine can read and write files stored outside its own virtual disk.

The virtual machines are then booted into a stripped-down version of Windows XP SP3 called MicroXP v0.82. The attackers run their ransomware inside the virtual machine, where the host's antivirus software cannot inspect it: security tools on the host see only the VirtualBox process, not the code executing inside the guest.

Instead of seeing an unknown program making changes to files on the local device and on shared drives, the antivirus software on the host sees all of these changes coming from the legitimate, trusted VirtualBox application, so no alert is raised and users are not notified.
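The two host-side artifacts the technique leaves behind are the VirtualBox machine definition (a `.vbox` XML file, which records shared folders as `<SharedFolder name="..." hostPath="..." writable="..."/>` elements) and the VirtualBox processes themselves. The following triage script is an added example, not code from the article or from Sophos: it flags writable shared folders that expose a whole drive root or a UNC share to the guest, and VirtualBox processes running on a host that is not a known VM workstation. The `.vbox` sample, the hostnames and the process list are constructed for illustration.

```python
"""Triage checks for VirtualBox shared-folder abuse (added example).

Flags (1) writable shared folders that hand a whole host drive or a network
share to the guest and (2) VirtualBox processes on endpoints that are not
expected to run virtual machines.  Sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET

# A host path such as "C:" or "C:\" means the guest can reach the whole drive.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
# A UNC path such as "\\server\share" exposes a network share to the guest.
UNC_PATH = re.compile(r"^\\\\[^\\]+\\[^\\]+")

# Image names of the VirtualBox binaries that run or manage guests.
VBOX_PROCESSES = {"vboxheadless.exe", "virtualbox.exe", "vboxsvc.exe", "vboxmanage.exe"}


def risky_shared_folders(vbox_xml):
    """Return (name, hostPath) for every writable SharedFolder in a .vbox
    definition whose hostPath is a drive root or a UNC share."""
    root = ET.fromstring(vbox_xml)
    findings = []
    for elem in root.iter():
        # .vbox files are namespaced; the tag arrives as "{ns}SharedFolder".
        tag = elem.tag.rsplit("}", 1)[-1]
        if tag != "SharedFolder":
            continue
        host_path = elem.get("hostPath", "")
        writable = elem.get("writable", "false").lower() == "true"
        if writable and (DRIVE_ROOT.match(host_path) or UNC_PATH.match(host_path)):
            findings.append((elem.get("name"), host_path))
    return findings


def unexpected_vbox_processes(process_list, host, allowlisted_hosts):
    """process_list is an iterable of (image_name, command_line) pairs as a
    process listing or Sysmon process-creation events would supply them.
    Returns the VirtualBox processes unless the host is a known VM workstation."""
    if host.lower() in {h.lower() for h in allowlisted_hosts}:
        return []
    return [(img, cmd) for img, cmd in process_list if img.lower() in VBOX_PROCESSES]


def triage(vbox_xml, host, process_list, allowlisted_hosts=()):
    """Combine both checks into one report for an endpoint."""
    return {
        "shared_folders": risky_shared_folders(vbox_xml),
        "processes": unexpected_vbox_processes(process_list, host, allowlisted_hosts),
    }


# Constructed .vbox fragment: three writable mappings of whole drives/shares
# plus one harmless read-only folder that must not be flagged.
SAMPLE_VBOX = """<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-windows">
  <Machine name="guest01" OSType="WindowsXP">
    <Hardware/>
    <SharedFolders>
      <SharedFolder name="C_DRIVE" hostPath="C:\\" writable="true" autoMount="true"/>
      <SharedFolder name="D_DRIVE" hostPath="D:\\" writable="true" autoMount="true"/>
      <SharedFolder name="FILESRV" hostPath="\\\\fileserver\\finance" writable="true" autoMount="true"/>
      <SharedFolder name="iso" hostPath="C:\\Users\\alice\\iso" writable="false" autoMount="false"/>
    </SharedFolders>
  </Machine>
</VirtualBox>
"""

# Constructed process listing for a finance workstation (hostname is made up).
SAMPLE_PROCESSES = [
    ("explorer.exe", "C:\\Windows\\explorer.exe"),
    ("VBoxHeadless.exe", "C:\\Program Files\\Oracle\\VirtualBox\\VBoxHeadless.exe --startvm guest01"),
    ("VBoxSVC.exe", "C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe"),
]

if __name__ == "__main__":
    report = triage(SAMPLE_VBOX, "WS-FINANCE-07", SAMPLE_PROCESSES, allowlisted_hosts=["DEV-LAB-01"])
    for name, path in report["shared_folders"]:
        print(f"writable host mapping exposed to guest: {name} -> {path}")
    for img, cmd in report["processes"]:
        print(f"VirtualBox process on a host not expected to run VMs: {img}: {cmd}")
```

Drive-root mappings are the telltale: a developer's VM normally shares one project directory, whereas a guest that is meant to encrypt the host needs every drive, and such mappings are also what `VBoxManage sharedfolder add` would create if they were scripted rather than written into the `.vbox` file by hand. The allowlist of hosts that legitimately run VirtualBox is an assumption of this example; in practice it would come from an asset inventory, and the process list would be read from live telemetry rather than embedded as here.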

Sophos says this is the first time it has seen a ransomware group abuse virtual machines during an attack, but now that cybercriminals know the technique works, other groups can be expected to try it.

Via ZDNet

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
