Security researchers have discovered another ransomware group using virtual machines (VMs) to slip past defensive tools on target devices. While effective in hiding ransomware activity, this tactic is more complex than a traditional ransomware attack and may hamper the attackers' efforts.

The trend emerged last year, when Sophos researchers found Ragnar Locker ransomware was being deployed as a full VM on each targeted device to hide the ransomware from view. A few months later, the Maze ransomware group was spotted using the same technique, albeit with some differences. Ragnar Locker was deployed inside an Oracle VirtualBox Windows XP VM, for example, while the Maze-delivered VM was running Windows 7.

Now Symantec researchers have found another group using VMs to run ransomware payloads on compromised machines. In this case, the attackers had installed a VirtualBox VM on some infected computers, and the VM they used appeared to be running Windows 7, they report.

While the payload running in the VM was not identified, there are "reasonably strong indicators" that it's Conti: A username and password combination used in the attack had been previously linked to older Conti activity in April. However, on the same computer that the VM was deployed, Symantec also saw Mount Locker ransomware being deployed.

This was strange, they say, as the purpose of running a payload in a VM is to evade detection. It didn't make sense to also deploy it on the host machine. Researchers hypothesize the attacker could be an affiliate with access to both Conti and Mount Locker. They may have tried to run a payload on a VM, and when that didn't work, they chose to run Mount Locker on the host.

The primary goal with this tactic is to evade detection by hiding the attack in a VM so the encryption process flies under the radar. Attackers map file shares on the network from inside the VM and encrypt them, rather than running the ransomware natively on the machine.

While more subtle, this technique is more difficult for the attackers to pull off, notes Dick O'Brien, principal editor for the Symantec Threat Hunter team.

"It's adding another degree of complexity," he says of the use of VMs. "You have to set up the virtual machine so that it has permissions to encrypt files, or access files, on the host computer." 

In this case, the Symantec team suspects the attackers didn't get it exactly right.

Stealth, But Complicated
When Sophos first detected Ragnar Locker using VMs, the researchers expected it to be a growing trend. A virtual machine is legitimate software, so it shouldn't raise any red flags on traditional antivirus tools and let attackers operate unnoticed. But months went by before they spotted Maze using the technique in September 2020.

"The challenges are immense on the criminal side," says Chet Wisniewski, principal research scientist at Sophos, of why he thinks the use of VMs in ransomware attacks is still uncommon. It's a complicated – and slow – way to launch a ransomware attack.

A virtual machine is "a big file – it's something that can be noticed and detected," and it would likely be blocked by existing security mechanisms, he notes. It's not something a business would expect to have downloaded through its firewalls or for IT to permit in its environment.

Further, he adds, most servers attackers are targeting already are virtualized. This means they're running a VM inside a VM, which isn't the most reliable strategy when locking up someone's files. Big-game groups after multimillion-dollar ransoms have a pattern, he says. They break in, stay silent, find the sensitive data they plan to encrypt, and trigger an attack within seven to 10 days. Usually this starts in the evening or on a Friday, so they have more time to encrypt the files.

"If you start doing this from a virtual machine, you're amplifying the amount of time it's going to take – another negative for criminals for this tactic," Wisniewski adds. Because VMs are slower and it's a mapped network drive, it's "significantly slower" than doing the encryption operation natively on the computer itself.

He notes that attackers who use this technique will only do so if it makes sense for a specific victim. Legacy environments are especially vulnerable here. If a group with admin credentials breaks in and notices a business is running legacy antivirus managed locally, they can turn it off. If it's cloud-based and there's no multifactor authentication, they can turn it off there, too.

"Once they break into each victim, they're reacting to what's around them," he says. 

Legacy environments are less likely to have security tools that react to a technique like this one. A reason this tactic is still rare is it will only work in scenarios where it can work around the security tools in place.

How Businesses Can Respond
Organizations aware of this technique are advised to take steps to defend against attackers.

"I think awareness is really key in terms of knowing how they get into your organization and how they get across your network, in terms of obtaining credentials and moving laterally," says O'Brien, who urges businesses to regularly change their credentials and limit users to activity they're meant to be doing. If someone has no reason to create a VM, block them from doing it.

"Be a bit more rigid in terms of the policies you apply," he adds.

In general, it's not a bad idea to block these applications from being used where they shouldn't be used, Wisniewski says. He refers to VirtualBox, which is commonly used in these attacks, as something that should both be blocked from running in your environment or detected when it's installed or downloaded somewhere unusual. 

"That should never happen on a server," he says. It may run on a workstation, but virtualization software wouldn't normally run on a server.

The same ransomware defense advice still applies here, he notes. Where it pivots is in detecting the virtualization process and ensuring servers have security software installed rather than expecting endpoint protection tools will protect them from these kinds of attacks.