RagnarLocker Ransomware Deploys Oracle VirtualBox VM to Hide Itself

May 26, 2020

The RagnarLocker group is already known for carefully selecting targets, avoiding private users, and instead targeting corporate networks, managed service providers, and government organizations. Now, by adopting new innovative attack vectors, the RagnarLocker adversaries are taking their campaigns to a new level.

What happened

  • In past attacks, the operators have used various attack vectors, such as exploiting an insecure RDP configuration, using email spam with malicious attachments, botnets, deceptive downloads, exploits, malicious ads, web injects, fake updates, repackaged and infected installers. Now, for the first time, the gang has been observed abusing virtual machines during an attack.
  • In May 2020, the operators of the RagnarLocker ransomware were spotted running Oracle VirtualBox to avoid detection and hide their presence while attacking a victim inside a Windows XP virtual machine.
  • The ransomware downloads and installs Oracle VirtualBox then configures it to give full access to all local and shared drives, allowing the virtual machine to interact with files stored outside its own storage.
  • The VirtualBox app will replace files on the local system and shared drives with their encrypted versions. These file modifications can’t be detected as the ransomware's malicious process by an antivirus software.

Earlier attacks by RagnarLocker

  • In April 2020, the actors behind RagnarLocker attacked the network of the Portuguese multinational energy giant Energias de Portugal (EDP) and claimed to have stolen 10 TB of sensitive company data, demanding payment of 1,580 BTC and threatening to release the data if the ransom was not paid.
  • In February 2020, RagnarLocker specifically targeted remote management software (RMM) commonly used by managed service providers (MSPs), such as the popular ConnectWise and Kaseya software to prevent their attack from being detected and stopped.

Known TTPs of RagnarLocker

RagnarLocker was first spotted in December 2019. Since then, there has been a common pattern visible in the attacks.

  • The attackers first compromise a network, before executing the ransomware they will perform reconnaissance and pre-deployment tasks. The ransomware executable adds specific extensions to encrypted files, features an embedded RSA-2048 key, and drops custom ransom notes.
  • RagnarLocker attacks Windows Remote Desktop Protocol (RDP) connections to gain a foothold on targeted networks or uses exploits against managed service providers.
  • After gaining unauthorized access to the targeted network and exfiltration of data, they use native Windows administrative tools such as Windows Group Policy Objects (GPOs) and Powershell to move laterally across the network to other Windows clients and servers.
  • Then, they execute Microsoft Installer to download and silently install crafted, unsigned MSI packages from a remote web server.

Stay safe

Scan the computer using legitimate anti-spyware or antivirus software to eliminate possible infections. Users should maintain regular up-to-date backups.

Read the original article and additional information at Cyware Social