Ransomware Attackers

30th July 2021, Kathmandu

Some ransomware attackers have used virtual machines to evade security detection, yet adoption of the complicated technique has been slow.

Another ransomware group using virtual machines (VMs) to evade defensive tools on targeted devices has been discovered. The technique is far more complex than a traditional ransomware attack and, while it is effective at hiding the ransomware activity, it may also hamper the attackers' own efforts.

Ransomware delivered through VMs has been a trend since last year, when Sophos analysts uncovered Ragnar Locker ransomware being run inside a full VM on each host device to hide the ransomware from view. Following that, the Maze ransomware group was found using the same technique, with some differences: Ragnar Locker ran inside an Oracle VirtualBox Windows XP VM, while the Maze-delivered VM ran Windows 7.

Now, Symantec analysts have found evidence that a group of ransomware attackers is using virtual machines (VMs) to load their ransomware payloads on compromised computers. The motivation is stealth: rather than raising suspicion or triggering antivirus software, the ransomware payload stays hidden inside a VM while encrypting files on the host computer.

While the payload running within the VM was not identified, there are "reasonably strong indicators" that it is Conti: a username and password combination used in the attack had previously been linked to older Conti activity in April. Interestingly, Symantec also observed Mount Locker ransomware being installed on the same computer where the VM was deployed.

The VM was delivered to the target via a malicious installer file that used several different file names, including:

  • fuckyou.msi
  • fuck.msi
  • aa51978f.msi
  • s3c.msi

The installer created a file called runner.exe, a Golang (Go) executable compiled from the following source file:

  • C:/builder/runner/main.go

This was strange, the researchers say, because the aim of running a payload inside a VM is to evade detection; it does not add up to also deploy ransomware directly on the host machine. In their view, the attacker may have had access to both Conti and Mount Locker: they could have attempted to run the payload in the VM and, when that did not work, run Mount Locker on the target instead.

The main goal of the technique is to bypass detection by hiding the attack inside a VM, so that the encryption process stays under the radar. Network file shares were mapped from inside the VM and encrypted from there, rather than by running the ransomware natively on the machine.
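The chain described above (a malicious MSI, the runner.exe loader it drops, and a hypervisor started from it on a host where none belongs) is the part a defender can actually see from the host side. As an added example, not code from Symantec, Sophos or the attackers, the following Python rule walks Sysmon-style process-creation events and flags each link of that chain. The installer names come from the article; the VirtualBox binary names (the hypervisor used in the Ragnar Locker and Maze cases), the host allowlist and the sample events are assumptions constructed for the example.

```python
"""Flag the install -> runner.exe -> hypervisor chain on process-creation events.

The events are constructed, Sysmon-style records. VirtualBox is assumed as the
hypervisor (as in the Ragnar Locker and Maze cases); adjust HYPERVISOR_BINARIES
for Hyper-V, VMware Workstation, etc.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Installer file names Symantec observed in this campaign (from the article).
KNOWN_INSTALLER_NAMES = {"fuckyou.msi", "fuck.msi", "aa51978f.msi", "s3c.msi"}
# Assumption: VirtualBox is the hypervisor being smuggled in.
HYPERVISOR_BINARIES = {"virtualbox.exe", "vboxheadless.exe", "vboxmanage.exe", "vboxsvc.exe"}
# Assumption: hosts in your inventory that are allowed to run a desktop hypervisor.
HYPERVISOR_ALLOWLIST = {"dev-ws-07"}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    command_line: str


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased Windows basename, tolerant of quotes around the token."""
    return ntpath.basename(path.strip('"')).lower()


def detect_vm_ransomware_chain(events: list[ProcEvent]) -> list[Alert]:
    """Return one Alert per suspicious link in the MSI -> runner.exe -> VM chain."""
    alerts: list[Alert] = []
    loader_hosts: set[str] = set()  # hosts where the loader stage was already seen
    for ev in events:
        img = _basename(ev.image)
        parent = _basename(ev.parent_image)
        # msiexec installing one of the known installer names
        if img == "msiexec.exe" and any(
            _basename(tok) in KNOWN_INSTALLER_NAMES for tok in ev.command_line.split()
        ):
            alerts.append(Alert(ev.host, "known-installer-name", ev.command_line))
            loader_hosts.add(ev.host)
        # the Go loader dropped by the installer
        if img == "runner.exe" and parent == "msiexec.exe":
            alerts.append(Alert(ev.host, "msi-dropped-runner", ev.image))
            loader_hosts.add(ev.host)
        # a hypervisor process: worst if spawned by the loader stage, still
        # notable on any host that is not expected to run one
        if img in HYPERVISOR_BINARIES:
            if parent in {"runner.exe", "msiexec.exe"} or ev.host in loader_hosts:
                alerts.append(Alert(ev.host, "hypervisor-from-loader", f"{parent} -> {img}"))
            elif ev.host not in HYPERVISOR_ALLOWLIST:
                alerts.append(Alert(ev.host, "hypervisor-unexpected-host", f"{ev.host}: {img}"))
    return alerts


# Constructed sample telemetry: one compromised file server, one legitimate
# developer workstation, one HR workstation with an unexplained hypervisor.
SAMPLE_EVENTS = [
    ProcEvent("fileserver-02", r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\cmd.exe",
              r'msiexec.exe /i "C:\Users\svc_backup\AppData\Local\Temp\s3c.msi" /qn'),
    ProcEvent("fileserver-02", r"C:\Users\svc_backup\AppData\Local\Temp\runner.exe",
              r"C:\Windows\System32\msiexec.exe", "runner.exe"),
    ProcEvent("fileserver-02", r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
              r"C:\Users\svc_backup\AppData\Local\Temp\runner.exe",
              "VBoxHeadless.exe --startvm xp"),
    ProcEvent("dev-ws-07", r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe",
              r"C:\Windows\explorer.exe", "VirtualBox.exe"),
    ProcEvent("hr-ws-11", r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
              r"C:\Windows\explorer.exe", "VBoxHeadless.exe --startvm win7"),
    ProcEvent("dc-01", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for alert in detect_vm_ransomware_chain(SAMPLE_EVENTS):
        print(f"{alert.host:14} {alert.rule:28} {alert.detail}")
```

Run on the sample, the rule produces four alerts, all on fileserver-02 and hr-ws-11; the allowlisted developer workstation stays quiet. In practice the installer-name rule is the weakest link (names are trivially changed), while "hypervisor launched by a process out of a user temp directory" and "hypervisor on a host that has no business running one" survive renaming and are cheap to keep on.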

While stealthier, this technique is harder for the attackers to pull off, notes Dick O'Brien, principal editor for the Symantec Threat Hunter team.

"It's adding another degree of complexity," he says of the use of VMs. "You need to set up the virtual machine so that it has permissions to encrypt files, or access files, on the host computer."

In this case, the Symantec team suspects the attackers didn't get it exactly right.

Stealth, But Complicated

When Sophos researchers first detected Ragnar Locker using VMs, they expected it to become a growing trend. A virtual machine is legitimate software; it shouldn't raise any red flags with native antivirus tools, and it lets attackers work unnoticed. But months went by before they spotted Maze using the technique in September 2020.

Chet Wisniewski, a principal research scientist at Sophos, says the challenges on the attacker side are extreme, which is why he thinks the use of VMs in ransomware attacks remains uncommon. It's complicated, and slow, compared with launching a conventional ransomware attack.

He noted that a virtual machine is likely a "big file," something that can be observed and spotted as well. Existing security mechanisms would likely stop it: it's not something a business would expect to have downloaded through its firewalls, or that IT would allow in its environment.

In addition, he adds, most of the servers attackers target are already virtualized. That means they would be running a nested VM, which isn't the most reliable strategy when locking up someone's files. Big ransomware groups chasing multimillion-dollar ransoms follow a pattern, he says: they break in but stay quiet, find the critical data they plan to encrypt, and launch the attack within seven to 10 days. Typically this starts in the evening or on a Friday, to leave more time to encrypt the files.

"If you start doing this from a virtual machine, you're magnifying the amount of time it's going to take – another negative for criminals with this tactic," Wisniewski adds. Encrypting through a mapped network drive from inside the VM is "significantly slower" than encrypting natively on the PC itself.

He notes that attackers who use this technique will only do so if it makes sense for a particular victim. Legacy environments are especially vulnerable here: if a group with admin credentials breaks in and notices the business is running legacy antivirus that is managed locally, they will turn it off. If it's cloud-based and there is no multifactor authentication, they will turn it off there, too.

"They react to what surrounds them once they've forced entry into each victim," he says.

Legacy environments are less likely to have security tools that would react to a technique like this one. The tactic remains rare because it only adds value in scenarios where it helps work around the security tools in place.
