RagnarLocker group hides its presence by running ransomware inside virtual machines

The operators of the RagnarLocker ransomware are using a new technique: the ransomware is run from within a virtual machine rather than directly on the victim's computer.

They install VirtualBox, software for running virtual machines, on the compromised host so that the ransomware executes inside a guest operating system, out of reach of the host's antivirus software.

RagnarLocker is a selective group that targets corporate networks, managed service providers (MSPs) and government organisations. According to Sophos, the group has previously gained access by abusing internet-exposed RDP endpoints and has compromised MSP tools to breach the providers' customers and reach their internal networks.

Sophos also reports that the group behind RagnarLocker has been known to steal data from targeted networks before launching the ransomware, in order to pressure victims into paying.

First, the group downloads and installs Oracle VirtualBox and configures it so that the virtual machine has full access to all of the host's local and shared drives.

Second, it boots a virtual machine running MicroXP v0.82, a stripped-down build of Windows XP SP3, with the ransomware inside the guest.

Finally, the ransomware running inside the guest reads files from the host's local and shared drives and replaces them with encrypted versions. On the host, these modifications appear to originate from the legitimate VirtualBox process, and because the ransomware binary itself never executes on the host, the victim's antivirus does not detect the attack.

In April 2020, RagnarLocker attacked the Portuguese multinational energy company Energias de Portugal (EDP), claimed to have stolen 10 TB of sensitive company data, and demanded a ransom while threatening to publish the data if it was not paid.

To stay protected, Adcy.io recommends using legitimate antivirus or anti-spyware software and keeping backups up to date. As this attack shows, host antivirus alone cannot inspect code running inside a guest virtual machine, so offline backups and monitoring for unexpected virtualization software on servers matter as well.