Ransomware Alert: Ragnar Locker attack deploys virtual machine to avoid security

UK-based cybersecurity firm Sophos reveals Ragnar Locker ransomware attack that deploys a virtual machine to bypass security.

Cybersecurity firm Sophos revealed details on the Ragnar Locker attack that targets companies demanding huge sums in ransom. The attack uses a virtual machine to infect the target computers. This allows the attack to bypass the security of local antivirus Softwares.

Ragnar Locker ransomware

The ransomware tends to target enterprises instead of individuals and demand large amounts of money to decrypt their files. Sophos’ report gave an example of Energias de Portugal, which stole ten terabytes of data and demanded 1,850 BTC (14.5 million USD at current trading price). They were threatened that if the ransom was not paid,, then the attackers would release the data to the public.

The attacker hides a small ransomware executable file within a virtual image and disguises it as an installer. As per Sophos’ report, “the attack payload was a 122 MB installer with a 282 MB virtual image” all to hide a 49 kB ransomware executable file.

The attackers target the Windows Remote Desktop Protocol (RDP) connections to establish a foothold on the targetted networks. Once the attacker has gained administrator-level access, they move across the network to clients and servers using native Windows tools such as Powershell and Windows Group Policy Objects (GPOs).

Ransomware attacks that demand cryptocurrency to decrypt files have been increasing in recent years. Just recently, Cryptopolitan reported that popstar Madonna was targeted in a crypto ransom scheme by REvil. The attackers would auction sensitive information about Madonna on May 25 with a starting bid of one million US dollars.

About the author