Virtual machines are an important tool for threat analysts as they debug and investigate malware. But now there is a documented case of malicious cyber actors exploiting a VM to their advantage in an attempt to hide a Ragnar Locker ransomware attack.

Researchers at Sophos, who uncovered the technique, claim that such trickery is a first for a ransomware attack, and likely any kind of malware campaign. The tactic "lends itself very well to ransomware because it wants to encrypt files, and attackers would want that to be done by a trusted application," said Mark Loman, director of engineering, threat mitigation, at Sophos, in an interview with SC Media.

In a blog post on the topic, Loman explains that a ransomware attack leveraging a VM environment "takes defense evasion to a new level." That's because while the malicious code is able to attack the disks and drives of an infected host, the security software installed on said host cannot reach the malware. "Defenders only have a view of the physical machine, not of the virtual machine," Loman further explained in his interview.

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.