Ragnar Locker ransomware attack hides inside virtual machine

Threat actors produced a new form of ransomware attack that works by using digital equipment, Sophos disclosed Thursday in a blog put up.

Sophos scientists not long ago detected a Ragnar Locker ransomware attack that “requires defense evasion to a new stage.” According to the put up, the ransomware variant was deployed inside a Windows XP digital device in buy to hide the destructive code from antimalware detection. The digital device involves an aged version of the Solar xVM VirtualBox, which is a totally free, open resource hypervisor that was obtained by Oracle when it obtained Solar Microsystems in 2010.

“In the detected attack, the Ragnar Locker actors utilized a GPO process to execute Microsoft Installer (msiexec.exe), passing parameters to down load and silently put in a 122 MB crafted, unsigned MSI offer from a remote website server,” Mark Loman, Sophos’ director of engineering for risk mitigation, wrote in the put up.

The MSI offer contained Solar xVM VirtualBox version three..four, which was introduced August of 2009, and “an picture of a stripped-down version of the Windows XP SP3 functioning procedure, identified as MicroXP v0.eighty two.” In that picture is a 49 KB Ragnar Locker executable file.

“Given that the vrun.exe ransomware software runs inside the digital guest device, its approach and behaviors can operate unhindered, due to the fact they are out of attain for safety software program on the bodily host device,” Loman wrote.

This was the initial time Sophos has observed digital equipment utilized for ransomware attacks, Loman claimed.

It is really unclear how many corporations were being influenced by this modern attack and how popular it was. Sophos was unavailable for remark at press time. In the past, the Ragnar Locker ransomware team has focused managed support vendors and utilized their remote access to customers to infect a lot more corporations.

In other Sophos information, the company released an update Thursday about the attacks on Sophos XG Firewalls. Threat actors utilized a personalized Trojan Sophos calls “Asnarök” to exploit a zero-working day SQL vulnerability in the firewalls, which the seller promptly patched through a hotfix. Sophos scientists claimed the Asnarök attackers tried to bypass the hotfix and deploy ransomware in consumer environments. Even so, Sophos claimed it took other techniques to mitigate the risk over and above the hotfix, which prevented the modified attacks.