The ransomware that attacks you from inside a virtual machine - SophosLabs
By MYBRANDBOOK
Yesterday, SophosLabs published details of a sophisticated new ransomware attack that takes the popular tactic of “living off the land” to a new level. To ensure their 49 kB Ragnar Locker ransomware ran undisturbed, the crooks behind the attack bought along a 280 MB Windows XP virtual machine to run it in (and a copy of Oracle VirtualBox to run that). It’s almost funny, but it’s no joke.
The attack was carried out by the gang behind Ragnar Locker, who break into company networks, make themselves admins, conduct reconnaissance, delete backups and deploy ransomware manually, before demanding multi-million dollar ransoms. Like a lot criminals who conduct similar “targeted” or “big game” ransomware attacks, the Ragnar Locker gang try to avoid detection as they operate inside a victim’s network with a tactic dubbed “living off the land”.
Living off the land entails using legitimate software administration tools that either already exist on the network the crooks have broken into, or that don’t look suspicious or out of place (PowerShell is a particular favourite). SophosLabs reports that in the attack, the gang used a Windows GPO (Group Policy Object) task to execute the Microsoft Installer, which downloaded an MSI containing a number of files, including a copy of VirtualBox and a Windows XP virtual machine with the Ragnar Locker executable inside.
VirtualBox is hypervisor software that can run and administer one or more virtual guest computers inside a host computer. Typically, guests are sealed off from the host, and processes running inside the guest are unable to interact with the host’s operating system. This is to prevent hostile processes, like malware, from attacking the host or taking it over, in what’s known as a virtual machine escape. However, the protections that separate the guests from their host assume a hostile guest inside a friendly host, and that wasn’t the case here, because the attackers had access to both guest and host. In fact, from the attackers’ perspective they were trying to create the reverse of the normal situation – a friendly (to them) guest environment protected from a hostile host. To the attackers, the victim’s network is a hostile environment. Living off the land is designed to allow them to work as stealthily as possible, without triggering any alarms in the network’s security software. When they start running malware they’ve broken cover and are at much greater risk of detection.
Running their malware inside a virtual machine allowed them to hide it from the prying eyes of security software on the host. And because the attackers controlled the host they were easily able to weaken the wall between the host and the guest. They did this by installing VirtualBox add-ons that allow files on the host to be shared with the guest, and then making every local disk, removable storage and mapped network drive on the host accessible to the guest virtual machine. With those drives mounted inside the guest, the ransomware could encrypt the files on them from inside the protective cocoon of the virtual machine.
Meanwhile, as far as the security software on the host was concerned, data on the local network was being encrypted by legitimate software: VirtualBox’s VboxHeadless.exe process. So, from the perspective of the host, the attackers never broke cover and continued to “live off the land”, using legitimate software, until they dropped the ransom note.
Mark Loman, director of engineering, Threat Mitigation at Sophos who further explains the attack says,“In the last few months, we’ve seen ransomware evolve in several ways. But, the Ragnar Locker adversaries are taking ransomware to a new level and thinking outside of the box. They are deploying a well-known trusted hypervisor to hundreds of endpoints simultaneously, together with a pre-installed and pre-configured virtual disk image guaranteed to run their ransomware. Like a ghost able to interact with the material world, their virtual machine is tailored per endpoint, so it can encrypt the local disks and mapped network drives on the physical machine, from within the virtual plane and out of the detection realm of most endpoint protection products. The overhead involved to covertly run their 50 kilobyte ransomware seems like a bold, noisy move, but could pay-off in some networks that are not properly protected against ransomware,” said Mark Loman, director of engineering, Threat Mitigation at Sophos. “This is the first time we have seen virtual machines used for ransomware.”
Nazara and ONDC set to transform in-game monetization with ‘
Nazara Technologies has teamed up with the Open Network for Digital Comme...
Jio Platforms and NICSI to offer cloud services to government
In a collaborative initiative, the National Informatics Centre Services In...
BSNL awards ₹5,000 Cr Project to RVNL-Led Consortium
A syndicate led by Rail Vikas Nigam Limited (abbreviated as RVNL), along wi...
Pinterest tracks users without consent, alleges complaint
A recent complaint alleges that Pinterest, the popular image-sharing platf...
STERLITE TECHNOLOGIES LTD.
HP INDIA SALES PVT. LTD.
TVS ELECTRONICS LTD.
WIPRO LTD.
Icons Of India : Arundhati Bhattacharya
Arundhati Bhattacharya serves as the Chairperson and CEO of Salesforce...
ICONS OF INDIA : ROSHNI NADAR MALHOTRA
Roshni Nadar Malhotra is the Chairperson of HCLTech, a leading global ...
Icons Of India : Harsh Jain
Harsh Jain, the co-founder of Dream 11, the largest fantasy sports web...
TCIL - Telecommunications Consultants India Limited
TCIL is a government-owned engineering and consultancy company...
C-DAC - Centre for Development of Advanced Computing
C-DAC is uniquely positioned in the field of advanced computing...
LIC - Life Insurance Corporation of India
LIC is the largest state-owned life insurance company in India...
Indian Tech Talent Excelling The Tech World - ARVIND KRISHNA, CEO – IBM
Arvind Krishna, an Indian-American business executive, serves as the C...
Indian Tech Talent Excelling The Tech World - Aneel Bhusri, CEO, Workday
Aneel Bhusri, Co-Founder and Executive Chair at Workday, has been a le...
Indian Tech Talent Excelling The Tech World - NIKESH ARORA, Chairman CEO - Palo Alto Networks
Nikesh Arora, the Chairman and CEO of Palo Alto Networks, is steering ...