Virtual machines are an important tool for threat analysts as they debug and investigate malware. But now there is a documented case of malicious cyber actors exploiting a VM to their advantage in an attempt to hide a Ragnar Locker ransomware attack.
Researchers at Sophos, who uncovered the technique, claim that such trickery is a first for a ransomware attack, and likely any kind of malware campaign. The tactic “lends itself very well to ransomware because it wants to encrypt files, and attackers would want that to be done by a trusted application,” said Mark Loman, director of engineering, threat mitigation, at Sophos, in an interview with SC Media.
In a blog post on the topic, Loman explains that a ransomware attack leveraging a VM environment “takes defense evasion to a new level.” That’s because while the malicious code is able to attack the disks and drives of an infected host, the security software installed on said host cannot reach the malware. “Defenders only have a view of the physical machine, not of the virtual machine,” Loman further explained in his interview.
Sophos identified the VM technology as an Oracle VirtualBox hypervisor from 2009, although at the time it was known as the Sun xVM VirtualBox (version 3.0.4). Oracle would later acquire Sun Microsystems.
According to the blog post, the attack technique uses a Windows Group Policy Object (GPO) task to execute Microsoft Installer, which then installs an unsigned MSI package from a remote web server. The package deploys the VM, a virtual disk image (VDI) file containing the ransomware executable, and several additional files that support the infection chain.
As part of the infection process, Ragnar Locker deletes shadow copies to impede the restoration of files, and it enumerates “all local disks, connected removable drives and mapped network drives on the physical machine, so they can be configured to be accessed from within the virtual machine” via shared folders, the blog post continues.
“…[T]o be effective, a ransomware on the virtual plane [needs] to affect data in the physical world. To make this happen, the attack channeled conduits from the virtual plane into the physical domain via shared folders – which is a normal feature of a hypervisor running a virtual machine,” Loman explained in his interview. “Although endpoint protection can only control the physical machine and has no influence on the virtual one, the ‘ghost’ machine is out of reach for malware detection – so the ransomware binary has total freedom in the virtual machine.”
Next, the ransomware works through a list of process and service names and terminates any that are running, so that the files they hold open can be encrypted as the ransomware executes. These lists “are tailored to the victim organization’s network environment, including process and service names belonging to endpoint protection software,” Sophos explains.
That’s not where the customization ends: Sophos observed that the ransomware is compiled individually for each target, as demonstrated by the unique ransom notes that specifically reference the victim organization’s name, the report explains.
With the ransomware operating inside the virtualized environment, “its process and behaviors can run unhindered, because they’re out of reach for security software on the physical host machine,” the blog post states.
Fortunately, Loman told SC Media, such attacks can be detected before the damage is done. He explained that “endpoint protection with a zero-trust model against ransomware can still monitor the well-known hypervisor process that runs the virtual machine. By keeping a close eye on every file that the hypervisor touches in the physical world, it can detect if a document or image becomes malformed by encryption.”
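The monitoring Loman describes, watching the files a hypervisor process writes on the host and checking whether documents or images come out malformed, can be sketched as follows. This is an added example, not Sophos code: the file signatures, the 7.5 bits-per-byte entropy cutoff, the hypervisor process names, and all paths and events are assumptions constructed for illustration.

```python
import hashlib
import math
import ntpath
from collections import Counter

# Assumed values for this sketch: a few file signatures and hypervisor image names.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n",
         ".jpg": b"\xff\xd8\xff", ".docx": b"PK\x03\x04"}
HYPERVISORS = {"vboxheadless.exe", "virtualbox.exe"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (values near 8.0 read as random data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: str, content: bytes) -> bool:
    """True when a known document/image type lost its header and reads as random."""
    magic = MAGIC.get(ntpath.splitext(path)[1].lower())
    if magic is None:
        return False  # unknown type: no signature to compare against
    return not content.startswith(magic) and entropy(content) > 7.5

def hypervisor_alerts(events, threshold=2):
    """Return files a hypervisor process left malformed, once `threshold` is reached."""
    hits = [path for image, path, content in events
            if ntpath.basename(image).lower() in HYPERVISORS
            and looks_encrypted(path, content)]
    return hits if len(hits) >= threshold else []

# Constructed sample data: pseudo-random bytes stand in for ciphertext.
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PDF = b"%PDF-1.7\n" + b"stream of ordinary text " * 100
# Each event is (process image, file written, resulting file content).
EVENTS = [
    (r"C:\Program Files\App\editor.exe", r"C:\Users\a\notes.pdf", PDF),
    (r"C:\vm\VBoxHeadless.exe", r"C:\Users\a\report.pdf", CIPHERTEXT),
    (r"C:\vm\VBoxHeadless.exe", r"\\fs01\share\scan.png", CIPHERTEXT),
    (r"C:\vm\VBoxHeadless.exe", r"C:\vm\disk.vdi", CIPHERTEXT),
]

if __name__ == "__main__":
    for path in hypervisor_alerts(EVENTS):
        print("ALERT hypervisor wrote malformed file:", path)
```

The hypervisor's own virtual disk file is not flagged because it has no document signature to lose, while the local PDF and the file on the mapped share are, which matches the shared-folder path the article describes.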