Virtual machines hide ransomware until the encryption process is done

The use of virtual machines (VMs) to run the malicious payload is getting more popular with ransomware attackers, Symantec’s Threat Hunter Team claims.

virtual machines ransomware

Ransomware deployed in virtual machines

“During a recent investigation into an attempted ransomware attack, Symantec discovered that the attackers had installed a VirtualBox VM on some compromised computers. Unlike the previously documented RagnarLocker attacks, which involved Windows XP, the VM in this case appeared to be running Windows 7,” they shared.

Dick O’Brien, Principal Editor, Symantec Threat Hunter Team, told Help Net Security that the VM was delivered via a malicious installer pre-staged during the reconnaissance and lateral movement phases of the attacks, but that they don’t know how the initial intrusion was performed.

But before trying to install a VirtualBox VM in a headless mode, the executable delivered by the installer would check if the host was an Active Directory controller or used a Russian keyboard layout (and exited if it was / did).

Though the researchers could not pinpoint whether the actual payload in the VM is the Mount Locker or the Conti ransomware – the former was found on the endpoint, but a username and password combination used in these attacks was previously associated with previous Conti activity – they believe it was located on the VM’s disk and auto started once the operating system was fully booted.

“One possible explanation is that the attacker is an affiliate operator with access to both Conti and Mount Locker. They may have attempted to run a payload (either Conti or Mount Locker) on a virtual machine and, when that didn’t work, opted to run Mount Locker on the host computer instead,” they explained.

Obstructing unauthorized VMs

Most attackers and ransomware operators love to exploit legitimate, dual-use tools to facilitate their operations while keeping them hidden as long as possible.

Organizations can prevent unauthorized VMs from being used on endpoints by using software inventory and restriction tools to control what licensed software may be installed, or security products that will block the creation of malicious VMs.

“In addition, organizations already using VM software can use enterprise versions of the software that restrict creation of new unauthorized VMs,” O’Brien added.

Don't miss