Ransomware Deploys Virtual Machines to Hide Itself from Antivirus Software

by Fnord666 from SoylentNews on (#53VDG)

upstart writes in with an IRC submission for chromas:

Ransomware deploys virtual machines to hide itself from antivirus software:

The operators of the RagnarLocker ransomware are installing the VirtualBox app and running virtual machines on computers they infect in order to run their ransomware in a "safe" environment, outside the reach of local antivirus software.

This latest trick has been spotted and detailed today by UK cyber-security firm Sophos and shows the creativity and great lengths some ransomware gangs will go to avoid detection while attacking a victim.

[...] The "trick" is actually pretty simple and clever when you think of it.

Instead of running the ransomware directly on the computer they want to encrypt, the RagnarLocker gang downloads and installs Oracle VirtualBox, a type of software that lets you run virtual machines.

[...] The next step is to boot up the virtual machine, running a stripped-down version of the Windows XP SP3 operating system, called MicroXP v0.82.

The final phase is to load the ransomware inside the virtual machine (VM) and run it. Because the ransomware runs inside the VM, the antivirus software won't be able to detect the ransomware's malicious process.

From the antivirus software's point of view, files on the local system and shared drives will suddenly be replaced with their encrypted versions, and all the file modifications appear to come from a legitimate process -- namely the VirtualBox app.

Mark Loman, director of engineering and threat mitigation at Sophos, told ZDNet today that this is the first time he's seen a ransomware gang abuse virtual machines during an attack.
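The host-side symptom the article describes (bulk file changes that appear to come from the legitimate VirtualBox process) can be turned into a detection heuristic. This is an added example, not code from the article, Sophos or ZDNet; the VirtualBox process names, the list of file types a hypervisor legitimately writes, the threshold and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Process names VirtualBox uses on a Windows host (assumption); the article
# notes that file modifications made from inside the guest appear to come
# from the VirtualBox process rather than from the ransomware itself.
VBOX_PROCESSES = {"virtualbox.exe", "vboxheadless.exe", "vboxsvc.exe"}

# File types a hypervisor process legitimately maintains: disk images, VM
# configuration, saved state, logs (assumption). Writes to anything else,
# such as user documents on local disks or network shares, are out of character.
VM_ARTIFACT_SUFFIXES = {".vdi", ".vmdk", ".vhd", ".vbox", ".vbox-prev",
                        ".sav", ".log", ".iso"}


def is_vm_artifact(path: str) -> bool:
    """True if the path looks like a file VirtualBox itself would write."""
    return PureWindowsPath(path).suffix.lower() in VM_ARTIFACT_SUFFIXES


def suspicious_vbox_writes(events, threshold: int = 5) -> dict:
    """Given (process_name, path) file-write events, return the non-VM-artifact
    paths written by each VirtualBox process once they number >= threshold."""
    writes = defaultdict(list)
    for proc, path in events:
        if proc.lower() in VBOX_PROCESSES and not is_vm_artifact(path):
            writes[proc].append(path)
    return {p: paths for p, paths in writes.items() if len(paths) >= threshold}


# Constructed sample file-write telemetry (e.g. EDR/Sysmon-style events); the
# ".locked" extension is a placeholder, not the real ransomware's extension.
SAMPLE_EVENTS = [
    ("VBoxHeadless.exe", r"C:\Users\alice\VirtualBox VMs\micro\micro.vdi"),
    ("VBoxSVC.exe", r"C:\Users\alice\.VirtualBox\VBoxSVC.log"),
    ("VBoxHeadless.exe", r"\\fileserver\share\finance\q1.xlsx.locked"),
    ("VBoxHeadless.exe", r"\\fileserver\share\finance\q2.xlsx.locked"),
    ("VBoxHeadless.exe", r"C:\Users\alice\Documents\notes.docx.locked"),
    ("VBoxHeadless.exe", r"C:\Users\alice\Documents\plan.pptx.locked"),
    ("VBoxHeadless.exe", r"C:\Users\alice\Pictures\cat.jpg.locked"),
    ("explorer.exe", r"C:\Users\alice\Documents\todo.txt"),
]

if __name__ == "__main__":
    for proc, paths in suspicious_vbox_writes(SAMPLE_EVENTS).items():
        print(f"{proc} modified {len(paths)} non-VM files:")
        for path in paths:
            print("   ", path)
```

The disk-image writes and the service log are ignored as normal hypervisor activity; only the burst of document writes attributed to VBoxHeadless.exe is flagged.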
