Can you explain in simple terms how the Ragnar Locker gang used the virtual machine to deploy the ransomware executable?
This is the first time we have seen virtual machines used for ransomware. The Ragnar Locker gang embedded the ransomware executable on the virtual disk image (VDI) of the virtual machine (VM). The ransomware executable is not sent into the network and is not run on the physical endpoint, but runs solely in the virtual machine.
On the physical machine, the actions by the ransomware in the virtual machine are tunnelled and performed by a well-known and normally trusted process. A tell-tale sign is high CPU usage by a single process and the mass writing into existing documents and other files. The best defence against this type of attack is a security tool (anti-ransomware) that is specifically designed to detect the unusual mass file writes via behavioural monitoring with a zero-trust attitude.
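As an added example, not from the interview or from Sophos, here is a toy Python implementation of the behavioural signal described above: it flags a process that overwrites many existing files inside a short window, while leaving alone a process that merely creates new files. The process names, paths and event stream are constructed for illustration.

```python
# Added example (not from the interview): a toy behavioural check that flags a process
# which rewrites many *existing* files inside a short window, the "mass file writes"
# signal described above. Event stream and process names are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WriteEvent:
    ts: float        # seconds since monitoring started
    pid: int
    image: str       # process image name as reported by the endpoint sensor
    path: str        # file written
    existed: bool    # True if the file existed before the write (overwrite), False if created


def mass_rewrite_offenders(events, window=60.0, min_files=20, min_overwrite_ratio=0.8):
    """Return {pid: (image, max_distinct_overwrites)} for processes that overwrote at least
    `min_files` distinct pre-existing files within any `window`-second span, and whose writes
    in that span were mostly overwrites rather than new files (bulk copies and backups create
    files; encryptors rewrite the victim's own documents in place)."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    offenders = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        best, start = 0, 0
        for end in range(len(evs)):                       # sliding window over sorted events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            overwritten = {e.path for e in span if e.existed}
            touched = {e.path for e in span}
            if len(overwritten) >= min_files and len(overwritten) / len(touched) >= min_overwrite_ratio:
                best = max(best, len(overwritten))
        if best:
            offenders[pid] = (evs[0].image, best)
    return offenders


def constructed_events():
    """Constructed telemetry: one normal editor, one backup job creating new files, and a
    hypothetical trusted-looking process rewriting 30 documents in ten seconds."""
    evs = [WriteEvent(5.0, 1001, "winword.exe", r"C:\Users\a\report.docx", True),
           WriteEvent(9.0, 1001, "winword.exe", r"C:\Users\a\notes.txt", True)]
    evs += [WriteEvent(float(i), 1002, "backup.exe", rf"D:\backup\file{i}.bak", False) for i in range(40)]
    evs += [WriteEvent(float(i) / 3, 4242, "hypothetical-vm-host.exe", rf"C:\Users\a\doc{i}.docx", True)
            for i in range(30)]
    return evs


if __name__ == "__main__":
    for pid, (image, n) in mass_rewrite_offenders(constructed_events()).items():
        print(f"ALERT pid={pid} image={image} overwrote {n} existing files within 60s")
```

A real sensor would also correlate this with the per-process CPU usage the interview mentions; the window and thresholds here are illustrative, not tuned values.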
As well as being a new technique, what is so threatening about this method of attack?
The attack hides the ransomware executable in a relatively large file, of a file type that security tools typically don’t process: a virtual disk image (VDI). In addition, the ransomware executable runs in a virtual machine and, because of the underlying hypervisor technology, is not visible to security tools on the physical machine.
While this attempt was unsuccessful, do you think that with the increasing use of VMs this tactic will become more savvy and therefore successful?
Although this is a bold attack, it is also noisy due to its footprint and high CPU usage. In networks that haven’t invested in ransomware protection, this attack can be successful, but I don’t think we will see this approach become common.
What type of organisations do you think are most at risk from this technique?
Since more ransomware attacks are human-operated, every organisation is a target. They all should be prepared and have a recovery plan (printed on paper). One successful spam or phishing email, an exposed RDP port, a vulnerable exploitable gateway device or stolen remote access credentials are enough for these active adversaries to gain a foothold. However, with more criminal gangs asking for millions of dollars in ransom demands, it is clear that larger organisations with more money and a bigger attack surface are at greater risk.
What else should we know?
In the last few months, we’ve seen ransomware evolve in several ways. But the Ragnar Locker adversaries are taking ransomware to a new level and thinking outside of the box.
They are deploying a well-known and trusted hypervisor to hundreds of endpoints simultaneously, together with a pre-installed and pre-configured virtual disk image (VDI) guaranteed to run their ransomware.
Like a ghost able to interact with the material world, their virtual machine is tailored per endpoint, so it can encrypt the local disks and mapped network drives on the physical machine from within the virtual plane and out of the detection realm of most endpoint protection products. The overhead involved to covertly run their 50 kilobyte ransomware seems like a bold, noisy move, but could pay off in some networks that are not properly protected against ransomware.
Mark Loman is director of engineering, Threat Mitigation at Sophos.